
The Cl0p threat group recently claimed to have exploited a zero-day vulnerability in Oracle’s E-Business Suite (EBS) to steal data from an unknown number of victims. The vulnerability, tracked as CVE-2025-61882 and given a CVSS score of 9.8 (out of 10), can result in remote code execution and does not need authentication to be exploited. Oracle initially advised that Cl0p’s activity affected those who did not apply their July 2025 Critical Patch Update, only to publish an emergency alert on October 4th with a patch for the newly discovered CVE-2025-61882.
What’s Notable and Unique
- Neither Oracle nor Cl0p has yet disclosed any victim names or the extent of the breach. On October 9th, Cl0p posted a message on their data leak site (DLS) indicating that all victims had been contacted and urging them to establish a dialogue to prevent publication. Additionally, the new contact emails on their DLS match those observed in the extortion emails published in open-source reports.
- In addition to Cl0p, researchers believe other threat groups may also have had access to the same exploit, including Scattered Lapsus$ Hunters, a newly formed collective believed to be responsible for the recent Salesloft data breach.
Analyst Comments
Given the severity of this vulnerability, any impacted organizations should immediately patch their software and refer to the indicators of compromise provided by Oracle for detection and containment. However, for organizations that have already received communication from Cl0p, patching is unlikely to provide valuable mitigation, since the data theft has already occurred. Although Arete has observed that individual Cl0p incidents have been on the decline since 2023, this attack continues Cl0p’s yearly pattern of exploiting a single high-impact vulnerability to access massive amounts of data from multiple victims. Last year, Cl0p performed a similar attack by exploiting a vulnerability in the Cleo file transfer software, and in 2023 it had success exploiting vulnerabilities in the MOVEit file transfer software and the GoAnywhere platform to steal data from multiple organizations. As with these previous incidents, the current breach highlights the risks associated with organizations’ use of third-party software.
Sources
Oracle Security Alert Advisory – CVE-2025-61882
Clop crew hits Oracle E-Business Suite users with fresh zero-day
Clop exploited Oracle zero-day for data theft since early August