Article Details

Scrape Timestamp (UTC): 2025-10-06 09:45:55.577

Source: https://www.theregister.com/2025/10/06/clop_oracle_ebs_zeroday/

Original Article Text


Clop crew hits Oracle E-Business Suite users with fresh zero-day

Big Red rushes out patch for 9.8-rated flaw after crooks exploit it for data theft and extortion

Oracle rushed out an emergency fix over the weekend for a zero-day vulnerability in its E-Business Suite (EBS) that criminal crew Clop has already abused for data theft and extortion.

The flaw, tracked as CVE-2025-61882, allows unauthenticated remote code execution and carries a CVSS severity score of 9.8 – the kind of score that tells security teams this one can't wait.

The bug marks the latest twist in a saga that began when Oracle warned last week that Clop had been exploiting older, unpatched EBS flaws in a wave of extortion attacks. At the time, the company said the activity was tied to vulnerabilities addressed in its July Critical Patch Update. However, the crooks had a fresh ace up their sleeve: a previously unknown zero-day that Oracle now admits was being used in the same campaign.

Mandiant confirmed to The Register that Clop has exploited multiple vulnerabilities in Oracle's EBS, including this new zero-day. In a post on LinkedIn, Mandiant CTO Charles Carmakal elaborated, warning of "mass exploitation" by Clop.

"Clop exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025," he wrote. "CVE-2025-61882 is a critical (9.8 CVSS) vulnerability that enables unauthenticated remote code execution. Given the broad mass 0-day exploitation that has already occurred... organizations should examine whether they were already compromised."

Oracle is also sounding the alarm bells, warning in its advisory that the vulnerability "may be exploited over a network without the need for a username and password."

Indicators of compromise shared by the company also suggest that Scattered Lapsus$ Hunters, a group thought to be a rebrand of the chaotic Lapsus$ collective, may have had access to the same exploit. The crew resurfaced last week with a new leak site boasting fresh data dumps, raising the possibility of overlapping operations or shared tooling between Lapsus$ offshoots and Clop.

Clop, for its part, has spent much of 2025 diversifying beyond ransomware encryption into pure data theft and extortion, echoing tactics honed during its MOVEit spree two years ago. In this case, Carmakal said the gang has been firing off extortion emails to executives since last Monday, claiming to hold sensitive files stolen from EBS servers and demanding payment to keep them off the dark web. Not every victim has reportedly been contacted, suggesting there could be more fallout to come.

While Oracle has moved quickly to plug the zero-day, the damage may already be done. The company's own blog post, published after the patch dropped, acknowledges that exploitation preceded the release, and Mandiant expects "n-day" exploitation to continue as other actors seize on the now-public flaw details.

Oracle has not responded to The Register's questions about how many customers have been affected, what types of data have been stolen, or whether it has received any communication from the attackers.

For now, the advice from both Oracle and Mandiant is straightforward: patch immediately, assume compromise, and start digging. As Carmakal put it, mass exploitation has already happened – and the only real question left is who's next.

Daily Brief Summary

VULNERABILITIES // Oracle E-Business Suite Hit by Critical Zero-Day Exploitation

Oracle issued an emergency patch for a zero-day vulnerability in its E-Business Suite, exploited by Clop for data theft and extortion. The flaw is rated 9.8 on the CVSS scale.

CVE-2025-61882 allows unauthenticated remote code execution, posing a significant risk to organizations using Oracle EBS. Immediate patching is advised to mitigate further exploitation.

Clop's campaign involved exploiting multiple vulnerabilities in Oracle EBS, leading to significant data breaches from several victims in August 2025.

Mandiant confirmed mass exploitation and emphasized the need for organizations to assess potential compromises and secure their systems promptly.

Oracle's advisory warns that the vulnerability can be exploited over a network without authentication, increasing the urgency for organizations to apply the fix.

Indicators suggest possible collaboration or shared tools between Clop and Scattered Lapsus$ Hunters, with new data leaks surfacing on a recent leak site.

Clop has shifted tactics from ransomware to data theft and extortion, sending extortion emails to executives demanding payment to prevent data exposure.

Organizations are urged to patch immediately, assume potential compromise, and investigate any signs of unauthorized access to prevent further damage.