Cl0p Extortion Campaign Claims Theft via Oracle E-Business Suite

Type

Campaign

Actors

0️⃣Cl0p

Pub. date

October 2, 2025

Initial access

0-day vulnerability1-day vulnerability

Impact

RansomOp

Observed techniques

Vulnerability exploitation

Observed tools

Cl0p ransomware

Targeted technologies

Oracle E-Business Suite

References

https://www.oracle.com/security-alerts/cpujul2025.html#AppendixEBShttps://techcrunch.com/2025/10/02/hackers-are-sending-extortion-emails-to-executives-after-claiming-oracle-apps-data-breach

Status

Finalized

Last edited

Oct 9, 2025 9:50 AM

In an October 1st Bloomberg article, Halcyon, a cybersecurity company responding to a related incident, has stated that the attackers gained access to the data by compromising user emails and abusing the default password-reset function. On October 2nd, Oracle posted a statement on their blog, saying that they are aware of the extortion emails and said that they found the potential use of vulnerabilities patched in their July 2025 Critical Patch Update. This update patched nine vulnerabilities affecting supported versions 12.2.3 - 12.2.13.

On October 5th, Oracle disclosed CVE-2025-61882 affecting E-Business Suite, exploited in-the-wild as a 0-day vulnerability.