Cl0p Gang Hits Oracle in Major Data Theft Campaign

Summary

– The Cl0p extortion gang exploited Oracle EBS vulnerabilities, including zero-day CVE-2025-61882, to steal large amounts of data from victims in August 2025.
– CVE-2025-61882 is an easily exploitable flaw affecting Oracle EBS versions 12.2.3 through 12.2.14, allowing unauthenticated attackers to achieve remote code execution via HTTP.
– Oracle issued a Security Alert Advisory for CVE-2025-61882 and removed initial claims that compromises were due to customers not applying July 2025 patches.
– Organizations are advised to check for evidence of compromise using indicators like IP addresses, files, and commands listed in Oracle’s advisory, including Python scripts linked to Scattered Lapsus$ Hunters.
– A security researcher published a Nuclei script on Sunday to detect Oracle EBS instances vulnerable to CVE-2025-61882, aiding in threat detection efforts.

A significant cybersecurity incident has impacted Oracle, with the notorious Cl0p ransomware gang successfully exploiting multiple vulnerabilities within the Oracle E-Business Suite (EBS). Mandiant CTO Charles Carmakal confirmed that the group leveraged a zero-day flaw, identified as CVE-2025-61882, to exfiltrate substantial volumes of data from several organizations during August 2025. The attackers began distributing extortion emails to victims starting the previous Monday, though it is possible that not all affected entities have been contacted yet.

Initially, Oracle’s Chief Security Officer, Rob Duhart, suggested that the security breaches resulted from customers failing to implement security patches released by Oracle in July. However, the company later revised its official statement, removing that assertion. Oracle has since issued a Security Alert Advisory specifically for CVE-2025-61882, providing updated protective measures developed during their ongoing investigation into the incident.

The technical specifics of CVE-2025-61882 remain undisclosed, but Oracle has clarified that the vulnerability resides in the BI Publisher Integration component of Oracle Concurrent Processing. This core EBS module is responsible for managing background task execution. The vulnerability is considered highly dangerous because it can be exploited remotely by unauthenticated attackers with simple network access via HTTP, potentially leading to full remote code execution. The security flaw impacts Oracle E-Business Suite versions ranging from 12.2.3 up to and including 12.2.14.

Although initial reports were cautious about attributing the extortion campaign definitively to Cl0p, that connection is now firmly established. Carmakal emphasized that due to the widespread exploitation of this zero-day, and the likelihood of continued attacks by other threat actors, all organizations should proactively investigate their systems for signs of a breach, regardless of whether they have applied the available patch.

To assist with these efforts, Oracle’s security advisory includes a list of indicators of compromise. These consist of specific IP addresses, file names, and commands observed during the attacks, which security teams can use for threat detection and hunting. Among the identified artifacts are Python scripts and an archive file whose names reference “Scattered Lapsus$ Hunters.” This name suggests a collaboration between members of the Scattered Spider, Lapsus$, and ShinyHunters hacking collectives. Reports indicate that this group publicly leaked the archive containing the exploit scripts on Telegram recently. Whether Cl0p is actively cooperating with Scattered Lapsus$ Hunters in these or other attacks remains uncertain.

In a related development, a security researcher released a Nuclei template script on Sunday designed to help organizations scan for and identify Oracle E-Business Suite instances that remain vulnerable to CVE-2025-61882.

(Source: HelpNet Security)