
Clop Hackers Use Oracle Zero-Day to Steal Executive Data

Summary

– Oracle has patched a zero-day vulnerability (CVE-2025-61882) in its E-Business Suite that hackers are actively exploiting to steal executives’ personal information.
– The vulnerability can be exploited remotely without requiring a username or password, and Oracle has provided indicators of compromise to help customers detect intrusions.
– The hacking group Clop is using this flaw in a mass exploitation campaign to steal data and send extortion emails to corporate executives.
– Oracle initially downplayed the threat but reversed its stance after discovering the new zero-day, which was exploited before a patch was available.
– Much of the exploitation occurred in August, following July patches, and Clop has been sending extortion emails to victims since late September.

A significant security flaw within Oracle’s widely used E-Business Suite software has been actively exploited by hackers to obtain sensitive personal information belonging to corporate executives. Oracle has now issued a critical patch for this zero-day vulnerability, urging all customers to implement the update immediately to protect their systems from unauthorized access and data theft.

In a security advisory updated over the weekend, Oracle’s chief security officer, Rob Duhart, confirmed the release of a fix for the vulnerability, officially identified as CVE-2025-61882. The company highlighted that this particular security gap can be leveraged over a network without requiring any login credentials, making it especially dangerous. Oracle also shared specific indicators of compromise to assist organizations in detecting whether their systems have already been breached by attackers.

The Oracle E-Business Suite is used by thousands of enterprises globally to manage essential operations, including customer databases and comprehensive human resources records. A zero-day vulnerability like this one is particularly alarming because the software vendor had no advance warning before malicious actors began exploiting it.

This recent advisory represents a reversal from Oracle’s earlier communication. Initially, the company indicated that extortion emails sent to executives were connected to vulnerabilities addressed by patches released in July, implying that the threat had subsided. The discovery of this new zero-day flaw, however, confirms that hackers continued to identify and abuse previously unknown weaknesses in the E-Business Suite software.

Reports concerning these extortion attempts first surfaced last week. On October 2, security researchers at Google disclosed that the well-known hacking collective Clop had been sending threatening emails to Oracle executives around September 29. The messages demanded payment under the threat of having the executives’ personal information published online. Clop has been associated with multiple high-profile ransomware incidents and extortion campaigns in recent years.

Charles Carmakal, Chief Technology Officer of Google’s Mandiant incident response team, stated in a LinkedIn post published Sunday that the vulnerabilities in Oracle’s software are being used in a “mass exploitation” campaign focused on data theft and extortion. According to Carmakal, a substantial portion of this malicious activity took place during August, following the release of the July security patches.

He also noted that while Clop has been sending extortion emails to a number of victims since the previous Monday, the hackers have not yet contacted every individual or organization affected by the breach.

(Source: TechCrunch)
