UPDATE: On the emerging CL0P extortion campaign targeting Oracle E-Business Suite (EBS) customers, we can now confirm the actor likely exploited a zero-day vulnerability (CVE-2025-61882) to steal data.
Here are the critical updates:
➡️ Confirmed Data Exfiltration: We’ve confirmed the actor successfully exfiltrated large volumes of data from victim environments in August 2025. During negotiations, CL0P actors have provided legitimate file listings to victims as proof of theft. In some cases, there is evidence of terabytes of data being stolen.
➡️ Zero-Day Exploited: The actor likely exploited multiple vulnerabilities, including CVE-2025-61882, a critical (CVSS 9.8) vulnerability that allows for unauthenticated remote code execution.
➡️ Patch is Available: Oracle has released a security alert and patches. We thank them for their collaboration and rapid response.⚠️ ACTION REQUIRED:
Given that this zero-day was exploited before a patch was available, applying the patch now is not enough. Organizations must investigate their environments for evidence of historical compromise. Search email content for addresses [email protected] and [email protected] to identify if your organization is being extorted by CL0P.Thanks to the teams at Oracle, Google Threat Intelligence Group, and Mandiant (part of Google Cloud), who are working around the clock on this, and to our other partners for their continued collaboration.
Oracle Security Alert for CVE-2025-61882: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
Source: Austin Larsen, LinkedIn