Oracle E-Business Suite Zero-Day Exploited in Cl0p Attacks
Briefly

"The recent data theft and extortion campaign targeting Oracle E-Business Suite customers has been confirmed to be the work of the notorious Cl0p ransomware group, and Oracle has admitted that the hackers have exploited a zero-day vulnerability. The attacks targeting Oracle E-Business Suite (EBS) customers came to light last week, when Google Threat Intelligence Group (GTIG) and Mandiant warned that executives at many organizations using the enterprise resource planning product received extortion emails."
"While Oracle initially said the recent EBS data theft campaign involved exploitation of unspecified vulnerabilities patched in July, on Saturday the software giant's CSO, Rob Duhart, confirmed that a zero-day has also been leveraged by the attackers. The zero-day flaw is tracked as CVE-2025-61882 and it can be exploited for remote code execution by an unauthenticated attacker. The vulnerability, which impacts Oracle E-Business Suite versions 12.2.3-12.2.14, has been assigned a 'critical' severity rating with a CVSS score of 9.8."
Cl0p targeted Oracle E-Business Suite (EBS) customers, stealing data from instances in August and sending extortion emails in late September. Google Threat Intelligence Group (GTIG) and Mandiant observed extortion messages sent from compromised accounts previously linked to the FIN11 group. Mandiant confirmed Cl0p's responsibility after initial uncertainty. Cl0p has a history of exploiting zero-days in enterprise file transfer products such as MOVEit and Fortra. Oracle confirmed that attackers leveraged a zero-day, tracked as CVE-2025-61882, enabling unauthenticated remote code execution. The flaw affects Oracle E-Business Suite versions 12.2.3–12.2.14, is rated critical with CVSS 9.8, and impacts BI Publishing.
Read at SecurityWeek