The Clop ransomware gang has been exploiting a critical Oracle E-Business Suite (EBS) zero-day bug in data theft attacks since at least early August, according to cybersecurity company CrowdStrike.

Tracked as CVE-2025-61882 and patched by Oracle over the weekend, this vulnerability was discovered in the BI Publisher Integration component of Oracle EBS's Concurrent Processing component, allowing unauthenticated attackers to gain remote code execution on unpatched systems in low-complexity attacks that don't require user interaction.

However, as watchTowr Labs security researchers found while reverse-engineering a proof-of-concept (PoC) exploit leaked online by the Scattered Lapsus$ Hunters cybercrime gang (with a May 2025 timestamp), CVE-2025-61882 is actually a vulnerability chain that can let threat actors gain remote code execution without requiring authentication using a single HTTP request.

On Monday, CrowdStrike analysts reported that they had first spotted the Clop ransomware gang exploiting CVE-2025-61882 as a zero-day since early August to steal sensitive documents, adding that other threat groups may have also joined the attacks.

"CrowdStrike Intelligence assesses with moderate confidence that GRACEFUL SPIDER is likely involved in this campaign but cannot rule out the possibility that multiple threat actors have exploited CVE-2025-61882. The first known exploitation occurred on August 9, 2025; however, investigations remain ongoing, and this date is subject to change," CrowdStrike said.

"CrowdStrike Intelligence further assesses that the October 3, 2025 proof-of-concept (POC) disclosure and the CVE-2025-61882 patch release will almost certainly encourage threat actors — particularly those familiar with Oracle EBS — to create weaponized POCs and attempt to leverage them against internet-exposed EBS applications."

Mandiant and the Google Threat Intelligence Group (GTIG) told BleepingComputer last week that Clop has been emailing executives at multiple companies as part of an ongoing extortion campaign, requesting ransoms to prevent sensitive data allegedly stolen from their Oracle E-Business Suite systems from being leaked online.

Image: Clop extortion email (Google)

On Thursday, Oracle linked the extortion emails claimed by the Clop cybercrime gang to the CVE-2025-61882 Oracle EBS vulnerability, urging customers to prioritize patching this actively exploited flaw.

"Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay," it warned.

The Clop extortion group has a long history of abusing zero-day flaws in massive data theft campaigns, most recently extorting dozens of victims in January, after stealing their files in attacks targeting a zero-day vulnerability (CVE-2024-50623) in Cleo's secure file transfer software.

Previously, Clop was linked to multiple other data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, and MOVEit Transfer, with the latter impacting over 2,770 organizations.

The U.S. State Department now also offers a $10 million reward for any information that could help link Clop's ransomware attacks to a foreign government.