A sophisticated cybercrime group known as Clop has been caught exploiting a previously unknown—or “zero-day”—vulnerability in Oracle’s widely used E-Business Suite (EBS) to steal sensitive personal information belonging to corporate executives, according to security researchers and Oracle itself[2][3]. The attacks, which began surfacing last week, have already led to large-scale data theft and a wave of extortion emails targeting top-level management at organizations around the world[1][4].
## The Vulnerability and Its Exploitation
The flaw, tracked as CVE-2025-61882, is a critical security hole in the Concurrent Processing component of Oracle E-Business Suite, specifically in its integration with BI Publisher[3][4]. With a maximum severity rating of 9.8 on the Common Vulnerability Scoring System (CVSS), this vulnerability allows attackers to execute arbitrary code on affected systems remotely—without needing a username or password[2][3]. Oracle has confirmed that the vulnerability impacts EBS versions 12.2.3 through 12.2.14[3][4].
Security firm Mandiant, which collaborated with Oracle to investigate the incident, reported that the Clop group—a notorious ransomware operator—combined this zero-day with previously patched vulnerabilities to gain access to corporate networks[1][4]. Once inside, the attackers exfiltrated large volumes of sensitive data, including executive personnel files, customer records, and human resources information[2][3].
## The Attack Campaign
The campaign began in earnest in late September, when executives at affected companies started receiving extortion emails claiming that their Oracle EBS systems had been compromised and that their data had been copied[1][4]. The emails, which researchers traced back to previously compromised accounts associated with the FIN11 cybercrime group, threatened to release the stolen information unless payment was made[4].
Oracle initially believed the attacks were limited to vulnerabilities patched in July, but over the weekend, the company’s chief security officer, Rob Duhart, confirmed that a previously unknown zero-day had also been exploited[2][4]. This admission marked a significant escalation, as it indicated that attackers had discovered and weaponized a flaw before Oracle had a chance to fix it.
## Response and Mitigation
Oracle has issued an emergency patch to address the zero-day vulnerability and is urging all customers to install the update as soon as possible[2][3]. The company has also published indicators of compromise (IoCs) to help organizations detect whether their systems have been breached[2][4]. However, security experts warn that the window for proactive defense may have already closed for some victims, given the speed and scale of the exploitation[1][4].
Mandiant’s Charles Carmakal emphasized that organizations should assume they may have already been compromised, even if they apply the patch promptly, due to the broad exploitation that has already occurred[4]. Researchers at watchTowr noted that, while the initial attack chain was complex, the public release of exploit code has lowered the barrier for other threat actors to join the fray[1].
## Broader Implications
This incident is the latest in a string of high-profile attacks attributed to the Clop group, which has previously exploited zero-day vulnerabilities in file transfer software such as MOVEit and Cleo to steal and extort data from thousands of organizations worldwide[1][4]. The group’s ability to repeatedly identify and weaponize unknown flaws in enterprise software highlights the growing sophistication and persistence of cybercriminal organizations.
For businesses relying on Oracle E-Business Suite, the incident is a stark reminder of the risks posed by unpatched systems and the importance of rapid response to security advisories. As the digital landscape grows more hostile, organizations are being urged to adopt a proactive stance on cybersecurity, including continuous monitoring, timely patching, and comprehensive incident response planning.
## What’s Next?
With exploit code now in the wild, security researchers expect a surge in copycat attacks from other cybercrime groups[1]. Oracle and its partners are continuing to investigate the scope of the breach and are working to assist affected customers. Meanwhile, law enforcement and cybersecurity agencies are likely to intensify their focus on disrupting the operations of groups like Clop, whose activities now pose a significant threat to global business operations.
In summary, the exploitation of CVE-2025-61882 by the Clop group represents a critical escalation in the targeting of enterprise software, with far-reaching consequences for data security and corporate privacy. All Oracle EBS customers are advised to apply the latest patches immediately and to remain vigilant for signs of compromise[2][3][4].
🔄 Updated: 10/6/2025, 5:20:16 PM
Experts warn that the Clop ransomware group exploited Oracle E-Business Suite's critical zero-day vulnerability CVE-2025-61882, with a CVSS severity score of 9.8, to steal large volumes of executives’ data in August 2025 by chaining it with earlier patched flaws; the attack chain was sophisticated, but leaked exploit code has since lowered its complexity[1][3]. Charles Carmakal, CTO of Mandiant Consulting, noted the scale of data theft and urged firms to investigate potential compromises regardless of patch status, while Jake Knott of watchTowr highlighted that, with the exploit now public, multiple threat actors are expected to rapidly weaponize it[1][3][4]. Oracle's emergency patch requires prior July
🔄 Updated: 10/6/2025, 5:30:20 PM
Clop ransomware hackers exploited a critical Oracle E-Business Suite zero-day vulnerability, CVE-2025-61882, with a CVSS severity score of 9.8, enabling unauthenticated remote code execution in the Oracle Concurrent Processing component. This flaw, affecting versions 12.2.3 to 12.2.14, allowed attackers to steal large volumes of executives’ data by remotely taking over background task processing without needing credentials, as confirmed by Mandiant and Oracle researchers who collaborated on the investigation. Oracle has released emergency patches, urging immediate updates following the July 2025 critical patch, as exploit code is now publicly available, significantly lowering the attack complexity and risk of wider exploitation by other threat actors. [1][
🔄 Updated: 10/6/2025, 5:40:21 PM
The Clop ransomware group exploited a critical zero-day vulnerability, **CVE-2025-61882**, in Oracle E-Business Suite’s BI Publisher Integration component, enabling unauthenticated remote code execution with a CVSS score of 9.8. This zero-day flaw, affecting versions 12.2.3 through 12.2.14, was actively utilized since August 2025 to steal large volumes of executive data, leading to an extortion campaign starting in late September, according to Mandiant and Oracle security researchers[1][2][3][4]. The attack chain combined this zero-day with previously patched vulnerabilities from July, and the leak of exploit code has lowered the barrier for other threat actors to follow suit,
🔄 Updated: 10/6/2025, 5:50:26 PM
Security experts warn that the Clop ransomware group exploited the critical Oracle E-Business Suite zero-day vulnerability CVE-2025-61882, with a CVSS severity score of 9.8, to steal large volumes of executives' sensitive data in August 2025[1][3]. Charles Carmakal, CTO of Mandiant Consulting (Google Cloud), emphasized that Clop combined this zero-day with previously patched vulnerabilities, enabling unauthenticated remote code execution and data theft, followed by extortion emails demanding ransom[1][3][4]. Jake Knott, principal security researcher at watchTowr, noted that leaked exploit code has lowered the barrier for other attackers, raising concerns about further widespread exploitation[1].
🔄 Updated: 10/6/2025, 6:00:27 PM
Hackers linked to the Clop ransomware gang have exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite to steal large volumes of executives' data and have been running an extortion campaign since early last week. Oracle and Mandiant researchers confirmed that the flaw, with a severity score of 9.8, allows unauthenticated remote code execution and impacts versions 12.2.3 through 12.2.14, and urged customers to apply the July patch, though attackers continue to send extortion emails leveraging the stolen information[1][2][3]. Clop, known for high-profile breaches including the MOVEit hack in 2023, has escalated pressure on victims by threatening public data
🔄 Updated: 10/6/2025, 6:10:35 PM
Clop ransomware operators exploited a critical zero-day vulnerability, CVE-2025-61882, in Oracle E-Business Suite’s BI Publisher Integration within the Oracle Concurrent Processing component, allowing unauthenticated remote code execution and full system takeover with a 9.8 severity score. The attack involved chaining this flaw with others released in July patches, enabling Clop to steal large volumes of executive-level data from affected organizations and launch extortion campaigns via threatening emails since August 2025, as confirmed by Mandiant’s CTO Charles Carmakal[1][3][4]. The availability of leaked exploit code has lowered the entry barrier for attackers, raising concerns about further widespread exploitation by multiple threat actors[1].
🔄 Updated: 10/6/2025, 6:20:38 PM
Clop ransomware operators exploited a critical zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882) affecting versions 12.2.3 to 12.2.14, enabling unauthenticated remote code execution with a CVSS score of 9.8, targeting the BI Publisher Integration component in Oracle Concurrent Processing[1][2][3][4]. This flaw allowed the hackers to steal large volumes of executives’ sensitive data starting in August 2025, followed by extortion emails since late September demanding ransom for the stolen information[1][3][4]. Researchers warn the recent leak of exploit code significantly lowers the attack barrier, increasing the risk of multiple threat actors exploiting the vulnerability until organizations apply Oracle’s
🔄 Updated: 10/6/2025, 6:30:46 PM
Clop hackers exploited a critical zero-day vulnerability tracked as CVE-2025-61882 in Oracle E-Business Suite (versions 12.2.3 to 12.2.14), which allows unauthenticated remote code execution in the Oracle Concurrent Processing component with a CVSS score of 9.8[1][2][3]. The group used this flaw along with other vulnerabilities to steal large volumes of executives’ data in August 2025 and began extortion campaigns via email in late September, threatening to release the stolen information unless paid[1][3][4]. Oracle and Mandiant researchers emphasized the urgency to apply emergency patches released after July 2025, warning that leaked exploit code now lowers the attack complexity
🔄 Updated: 10/6/2025, 6:40:40 PM
**Breaking News Update:** The Clop hackers' exploitation of the Oracle E-Business Suite zero-day vulnerability (CVE-2025-61882) has sparked a global response, with thousands of organizations worldwide potentially affected. Oracle's chief security officer, Rob Duhart, has urged customers to install the emergency patch immediately, highlighting the vulnerability's ability to be exploited without authentication[4][5]. Mandiant's CTO, Charles Carmakal, warns that Clop's campaign, which began last Monday, may continue as other groups acquire the exploit code, emphasizing the need for proactive investigations[1][5].
🔄 Updated: 10/6/2025, 6:50:44 PM
Following the revelation that Clop hackers exploited an Oracle E-Business Suite zero-day vulnerability (CVE-2025-61882) to steal executives’ data, Oracle’s stock experienced increased volatility on Monday, October 6, 2025. Although precise intraday price swings were not publicly detailed, market analysts noted heightened investor caution due to concerns over potential widespread data breaches among Oracle’s enterprise customers[1][2]. Security experts emphasized the urgency of patching, reflecting in cautious trading as uncertainty persists about the full impact of the extortion campaign linked to Clop, one of the world's most prolific ransomware groups[1][3].
🔄 Updated: 10/6/2025, 7:00:49 PM
**NEWS UPDATE:**
The Clop ransomware group is actively exploiting a critical zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882), stealing sensitive data—including personal information of corporate executives—from organizations globally that use versions 12.2.3 through 12.2.14[2][4]. Mandiant reports that “large amounts of data” were exfiltrated from several victims in August 2025, with extortion emails sent to company executives since October 2025[2]. Oracle has issued an emergency patch and urged thousands of international customers to update immediately, as the flaw is remotely exploitable without authentication, leaving systems worldwide exposed until patched[3][5].
🔄 Updated: 10/6/2025, 7:10:41 PM
Clop hackers exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite to steal large volumes of executive data from multiple global organizations, triggering an extensive international extortion campaign that began in August 2025[1][2]. Oracle and Mandiant researchers confirmed thousands of enterprises worldwide were at risk due to the flaw’s high severity (CVSS 9.8) and ease of exploitation over the network without authentication, prompting urgent global patch advisories and collaborative investigations[3][4]. Security experts warn this breach has heightened the threat landscape internationally, with multiple cybercriminal groups expected to leverage the leaked exploit code, pushing governments and corporations to accelerate protective measures across sectors[1][4][5
🔄 Updated: 10/6/2025, 7:20:55 PM
In a recent escalation, the Clop ransomware group has exploited a high-severity zero-day vulnerability, tracked as **CVE-2025-61882**, in Oracle's E-Business Suite to steal sensitive data from executives. This vulnerability, with a CVSS score of 9.8, allows for unauthenticated remote code execution via the BI Publisher integration component, impacting versions 12.2.3 through 12.2.14[1][2][3]. As researchers at watchTowr noted, the attack is now more accessible with leaked exploit code, potentially leading to broader exploitation by other threat actors[1].
🔄 Updated: 10/6/2025, 7:31:05 PM
The Clop ransomware group exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite to steal large amounts of executives' data and has been running an extortion campaign since early last week, sending threatening emails to multiple corporate victims[1][2]. The flaw, carrying a severity score of 9.8, allows unauthenticated remote code execution in the Oracle Concurrent Processing component and affects versions 12.2.3 through 12.2.14; Oracle urged customers to apply a critical patch initially released in July 2025[1][2][5]. Mandiant and Oracle security teams are actively investigating the attacks, with researchers warning that leaked exploit code now lowers the barrier for other threat
🔄 Updated: 10/6/2025, 7:41:08 PM
The Clop ransomware group exploited multiple Oracle E-Business Suite vulnerabilities, including the critical zero-day CVE-2025-61882 with a CVSS score of 9.8, allowing unauthenticated remote code execution via the BI Publisher Integration component over HTTP. The attacks, starting in August 2025, targeted versions 12.2.3 through 12.2.14, enabling attackers to steal large volumes of sensitive executive data and subsequently launch extortion campaigns using stolen information[1][2][3][4]. Oracle released patches in July and an emergency update on October 4, 2025, along with indicators of compromise to help customers detect and mitigate these threats, but the public leak of exploit code raises the risk