NG Solution Team

Is the CL0P ransomware group exploiting a zero-day vulnerability in Oracle E-Business Suite?

The CL0P ransomware group is running a campaign against Oracle E-Business Suite (EBS) environments that exploits a zero-day vulnerability, CVE-2025-61882, and has affected many organizations worldwide. Exploitation began in early August 2025, about two months before a fix existed. In late September the group launched a large-scale extortion campaign, emailing corporate executives with claims that sensitive data had been stolen from their Oracle EBS systems. The emails were sent from compromised third-party accounts and included genuine file listings from the victims' environments, which lent the claims credibility. The contact addresses given in the extortion messages have been listed on the CL0P data leak site since May 2025.

Oracle's first statement on the activity, in early October, pointed customers to the July 2025 Critical Patch Update. On October 4, 2025, after the flaw was found to have been exploited for weeks, Oracle released an emergency patch specifically for CVE-2025-61882, which allows remote code execution on EBS servers without authentication. The attacks do not rely on a single request: Google's analysis identified distinct exploitation chains, each targeting a different servlet component in the EBS web tier.

In August the attackers began targeting the SyncServlet component, opening each intrusion with crafted POST requests to it. They then used the XDO Template Manager functionality to store malicious templates in the EBS database and triggered the embedded payload through the Template Preview functionality, so the payload lives in the database rather than on disk. From there they deployed a multi-stage Java implant framework, beginning with a downloader that retrieves further stages from attacker-controlled command-and-control servers.

After exploitation, the threat actors ran reconnaissance and opened reverse shells to a specific IP address. The pattern mirrors earlier CL0P campaigns, which also combined a zero-day in widely deployed enterprise software with mass data theft and extortion. Security experts recommend applying Oracle's emergency patch, hunting for malicious templates in the EBS database, restricting outbound internet access from EBS servers so implants cannot reach their command-and-control infrastructure, and monitoring web-tier logs for the request pattern described above. Because the payloads are stored directly in the EBS database, organizations should query the relevant template tables for entries they did not create. Published indicators of compromise include several IP addresses observed in exploitation attempts.
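The log-monitoring recommendation above can be turned into a simple triage script. The following is an added example written for this article, not code from Oracle, Google or the article's author. It assumes the EBS front end writes Apache/OHS combined-format access logs, that the SyncServlet is reached at /OA_HTML/SyncServlet, and that Template Preview is requested through /OA_HTML/OA.jsp with OAFunc=XDO_TEMPLATE_PREVIEW; the second path is an assumption to match against your own deployment. The IOC list holds placeholder addresses from the RFC 5737 documentation range, not the real indicators, and the log lines are constructed. Beyond flagging single requests, it correlates per source address the order of operations the article describes: a SyncServlet POST followed shortly by a Template Preview request.

```python
"""Triage EBS web-tier access logs for the SyncServlet -> Template Preview pattern.

Added example for this article; not Oracle's, Google's or the author's code.
Assumptions: Apache/OHS combined log format, SyncServlet at /OA_HTML/SyncServlet,
Template Preview via /OA_HTML/OA.jsp?OAFunc=XDO_TEMPLATE_PREVIEW (assumed path),
and placeholder IOC addresses that must be replaced with the published ones.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Placeholders from the RFC 5737 documentation range, not real IOCs.
IOC_IPS = {"192.0.2.10", "198.51.100.7"}

# A SyncServlet POST followed by a preview request within this window from
# the same source is treated as one exploitation chain.
CHAIN_WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def classify(rec):
    """Return the names of the rules a single access-log record triggers."""
    rules = []
    path_only, _, query = rec["path"].partition("?")
    path_only, query = path_only.lower(), query.lower()
    if rec["method"] == "POST" and path_only == "/oa_html/syncservlet":
        rules.append("syncservlet_post")
    if path_only == "/oa_html/oa.jsp" and "oafunc=xdo_template_preview" in query:
        rules.append("template_preview")
    if rec["ip"] in IOC_IPS:
        rules.append("ioc_ip")
    return rules


def triage(lines):
    """Return (hits, chains).

    hits: list of (ip, rule, path) for every record that triggered a rule.
    chains: sorted source IPs that issued a SyncServlet POST and then reached
            Template Preview within CHAIN_WINDOW, i.e. the reported order of
            operations. A preview request with no preceding POST is reported
            as a hit only, since administrators legitimately preview templates.
    """
    hits = []
    sync_posts = defaultdict(list)
    previews = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, never crash the hunt
        for rule in classify(rec):
            hits.append((rec["ip"], rule, rec["path"]))
            if rule == "syncservlet_post":
                sync_posts[rec["ip"]].append(rec["ts"])
            elif rule == "template_preview":
                previews[rec["ip"]].append(rec["ts"])
    chains = []
    for ip, posts in sync_posts.items():
        later = previews.get(ip, [])
        if any(timedelta(0) <= t - p <= CHAIN_WINDOW for p in posts for t in later):
            chains.append(ip)
    return hits, sorted(chains)


# Constructed sample traffic (not real log data); the first source reproduces
# the chain, the fourth is a bare IOC hit, the fifth is a lone preview request.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Aug/2025:14:02:11 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5121',
    '203.0.113.5 - - [09/Aug/2025:14:02:40 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312',
    '203.0.113.5 - - [09/Aug/2025:14:05:02 +0000] "GET /OA_HTML/OA.jsp?OAFunc=XDO_TEMPLATE_PREVIEW HTTP/1.1" 200 2048',
    '198.51.100.7 - - [09/Aug/2025:15:10:00 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 4800',
    '10.20.30.40 - - [09/Aug/2025:15:11:00 +0000] "GET /OA_HTML/OA.jsp?OAFunc=XDO_TEMPLATE_PREVIEW HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, chains = triage(SAMPLE_LOG)
    for ip, rule, path in hits:
        print(f"{rule:18} {ip:15} {path}")
    print("chain candidates:", chains)
```

Run it against a real log with `triage(open(path).read().splitlines())`. The chain correlation is what separates an intrusion from routine administration: a preview request on its own is normal EBS usage, while an unauthenticated SyncServlet POST followed minutes later by a preview from the same address matches the sequence the report describes and is worth an immediate look at the template tables.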
