
Clop Hackers Stole Data Using Oracle Zero-Day Since August

Summary

– The Clop ransomware gang has been exploiting a critical Oracle E-Business Suite zero-day vulnerability (CVE-2025-61882) in data theft attacks since at least early August 2025.
– This vulnerability allows unauthenticated attackers to gain remote code execution on unpatched systems through a single HTTP request without requiring user interaction.
– CrowdStrike assesses that multiple threat actors may be exploiting this flaw, with the first known exploitation occurring on August 9, 2025.
– Oracle has patched the vulnerability and strongly urges customers to apply updates immediately due to active exploitation and extortion campaigns.
– Clop has a history of exploiting zero-day vulnerabilities in mass data theft campaigns and is now the subject of a $10 million U.S. State Department reward for information linking its attacks to a foreign government.

The Clop ransomware group has been actively exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite (EBS) since early August, leading to widespread data theft and extortion attempts. The flaw, tracked as CVE-2025-61882, sits in the BI Publisher Integration component of the EBS Concurrent Processing module and was only recently patched by Oracle. It allows an unauthenticated, remote attacker to execute code on vulnerable systems in a low-complexity attack that requires no user interaction.

Security researchers from watchTowr Labs analysed the flaw in depth by reverse-engineering a proof-of-concept exploit that had been leaked online by the Scattered Lapsus$ Hunters cybercrime group. Their investigation showed that CVE-2025-61882 is in fact a chain of several weaknesses which, combined, let a threat actor achieve remote code execution with a single HTTP request and without any authentication.

CrowdStrike analysts reported that they first observed the Clop ransomware gang leveraging this vulnerability as a zero-day in early August, with the primary objective of stealing sensitive documents. CrowdStrike assesses with moderate confidence that GRACEFUL SPIDER (its designation for the group behind Clop) is likely involved, but cautions that multiple threat groups may be exploiting the same vulnerability. The first confirmed instance of exploitation was recorded on August 9, 2025, though this date could be revised as investigations continue.

The cybersecurity firm further warned that the public disclosure of the proof-of-concept on October 3, 2025, combined with the release of the official patch, will almost certainly motivate other threat actors, especially those with experience targeting Oracle EBS, to develop their own weaponized exploits. These will likely be used in attacks against internet-exposed EBS applications that have not yet been secured.

In related developments, Mandiant and the Google Threat Intelligence Group confirmed that Clop has been directly emailing executives at numerous companies. These communications are part of an active extortion campaign where the gang demands ransom payments to prevent the public release of sensitive data they claim was stolen from Oracle E-Business Suite systems.

Oracle officially connected these Clop extortion emails to the CVE-2025-61882 vulnerability last week. The company is strongly urging all customers to apply the provided security updates immediately. Oracle’s standard guidance emphasizes the importance of staying on actively-supported software versions and applying all security patches and alerts without delay to mitigate such risks. Because exploitation predates the patch by roughly two months, applying the update closes the hole but does not undo data already taken; organisations that ran an internet-exposed EBS instance during that window should also look for signs of compromise rather than treating the patch alone as remediation.

The Clop cybercrime syndicate is notorious for its history of weaponizing zero-day vulnerabilities in large-scale data theft operations. Earlier this year, the group extorted dozens of victims by exploiting a zero-day (CVE-2024-50623) in Cleo’s secure file transfer software. Their past campaigns have also involved exploiting zero-days in other widely-used file transfer solutions, including Accellion FTA, GoAnywhere MFT, and MOVEit Transfer. The MOVEit attacks alone impacted more than 2,770 organizations globally.

In a significant move highlighting the severity of the threat posed by Clop, the U.S. State Department is now offering a $10 million reward for information that could help connect the group’s ransomware activities to a foreign government.

(Source: Bleeping Computer)
