Oracle Ties Clop Ransomware to Critical July 2025 Flaws

Summary
– Oracle has linked an ongoing extortion campaign by the Clop ransomware gang to vulnerabilities in its E-Business Suite that were patched in July 2025.
– The company’s Chief Security Officer confirmed customers received extortion emails and urged them to update their software and contact support if needed.
– Mandiant and Google Threat Intelligence Group reported executives at multiple companies received ransom demands to prevent alleged data leaks from Oracle systems.
– The Clop gang claimed responsibility for the campaign, stating they exploited an Oracle product bug and expect payment for their services.
– The U.S. State Department is offering a $10 million reward for information linking Clop ransomware attacks to a foreign government.

Oracle has officially connected a widespread extortion effort, claimed by the notorious Clop ransomware group, to critical vulnerabilities within its E-Business Suite (EBS) that were resolved in the July 2025 security updates. While the company has not formally attributed the campaign to the ransomware operation, Oracle’s Chief Security Officer, Rob Duhart, confirmed that multiple customers have received threatening emails from the gang. Duhart strongly advised all clients to install the latest patches immediately and to reach out to Oracle support if they need additional help.
In a recent statement, Duhart explained, “Oracle is aware that some Oracle E-Business Suite customers have received extortion emails. Our ongoing investigation points to the possible exploitation of known vulnerabilities that were fixed in the July 2025 Critical Patch Update. We continue to urge every customer to apply these updates without delay.” The July update resolved a total of nine security flaws in EBS, three of which, CVE-2025-30745, CVE-2025-30746, and CVE-2025-50107, could be exploited remotely without any user authentication.
Security firms Mandiant and Google Threat Intelligence Group (GTIG) reported this week that executives at several organizations have been contacted with ransom demands. The attackers threatened to release sensitive corporate data they claim was taken from Oracle E-Business Suite systems. According to Genevieve Stark, who leads GTIG’s cybercrime unit, the extortion emails started circulating on or around September 29, 2025, and investigators are still analyzing the full scope of the incident.
One of the messages shared with BleepingComputer stated, “We are CL0P team. If you haven’t heard about us, you can google about us on internet. We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our system.” Although Charles Carmakal, Mandiant’s Chief Technology Officer, noted that there is not yet enough evidence to confirm whether data was actually stolen, the Clop gang has publicly taken credit for the campaign.
In a separate communication, Clop representatives asserted, “Soon all will become obvious that Oracle bugged up their core product and once again, the task is on clop to save the day. We do not damage to systems and only expect payment for services we provide to protect hundreds of biggest companies in world.” This is not the first time the group has leveraged zero-day vulnerabilities in widely used software. Earlier this year, they extorted dozens of victims by exploiting a flaw (CVE-2024-50623) in Cleo’s secure file transfer application.
The Clop ransomware gang has a well-documented history of exploiting zero-day vulnerabilities in enterprise file transfer solutions, including Accellion FTA, GoAnywhere MFT, and MOVEit Transfer. The MOVEit incident alone impacted more than 2,770 organizations across the globe. In response to the ongoing threat, the U.S. State Department is now offering a reward of up to $10 million for information that ties Clop ransomware attacks to a foreign government.
(Source: Bleeping Computer)