Cl0p’s Oracle EBS Zero-Day Campaign: What We Know So Far
The Cl0p ransomware group has returned to the spotlight with a new wave of attacks that target Oracle EBS (E-Business Suite) zero-day vulnerabilities. The threat group has a long history of abusing high-impact flaws in major enterprise and file transfer systems. Their past campaigns include the MOVEit Transfer breach, the GoAnywhere MFT exploitation, and later activity against Cleo managed file transfer tools. Each operation followed the same pattern: Cl0p identifies a widely used platform, finds a fresh entry point, steals large volumes of data, and pressures victims with public leaks.
The impact of the Oracle campaign is growing fast. Michelin, Canon, Mazda, Estée Lauder, Broadcom, and other global brands appeared in the latest list of 29 newly added victims. Oracle’s own name also briefly showed up on Cl0p’s leak site, which highlights the scale and the confidence behind the attack wave. As more organizations confirm impact and more datasets spread through torrents, the situation continues to escalate.
What Is Happening In The New Cl0p Campaign?
Cl0p is running a large extortion campaign that abuses Oracle E-Business Suite zero-day flaws. The group uses these vulnerabilities to access systems, steal files, and push victims into ransom talks. So far, they have listed a wide range of global companies and published many stolen datasets through torrent and magnet links.

Cl0p’s extortion email (Source: Google Mandiant)
Which Zero-Day Vulnerabilities Are Involved?
Cl0p exploits two high-impact Oracle E-Business Suite zero-day vulnerabilities, both of which allow unauthenticated access to core EBS components. These flaws give the group a fast and reliable entry point, which explains the scale of the campaign.
The first zero-day, CVE-2025-61882, has a CVSS score of 9.8 and affects the BI Publisher Integration inside the Concurrent Processing module. This service executes background jobs across EBS. The flaw lets Cl0p run arbitrary code over HTTP without any login, giving instant control over the targeted system. The situation became worse after exploit files leaked online, making the vulnerability accessible to other actors as well.
The second zero-day, CVE-2025-61884, carries a CVSS score of 7.5 and affects the Runtime UI of Oracle Configurator. It allows remote attackers to reach sensitive configuration data and trigger internal requests through the UiServlet endpoint without credentials. CISA added CVE-2025-61884 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild and requiring federal agencies to patch it by November 10, 2025.
Both vulnerabilities affect Oracle EBS versions 12.2.3 through 12.2.14, which left a large number of organizations exposed during October. The combination of pre-auth access, leaked PoC files, and Cl0p’s aggressive extortion methods turned these flaws into powerful tools for large-scale compromise.
How Were These Flaws Exploited?
Cl0p used pre-auth Remote Code Execution (RCE) paths to enter exposed EBS systems. Security teams also found leaked exploit files for CVE-2025-61882 on Telegram. Researchers linked these leaks to a group calling itself Scattered Lapsus Hunters. The exploit chain targeted the UiServlet component and, once inside, allowed attackers to move laterally through the environment.
How Many Organizations Are Affected?
Cl0p’s Oracle EBS exploitation campaign shows how broadly the zero-day was abused. The group lists 103 affected organizations, and 77 victim datasets already appear on torrent and magnet links. Affected sectors include finance, manufacturing, automotive, logistics, retail, education, energy, and professional services, which points to large-scale, opportunistic use of the vulnerability.
Who Are Cl0p’s Latest Victims?
Cl0p added 29 new victims, and the new names show how widely the Oracle EBS zero-day was abused. Most of the affected organizations are based in the United States (18) and span sectors such as technology, manufacturing, transportation, healthcare, consumer goods, and education. Well-known names include Oracle, Broadcom, Envoy Air, Humana, Bechtel Corporation, The Estée Lauder Companies, Fruit of the Loom, L&L Products, Abbott, Greenball, WellBiz Brands, Dooney and Bourke, and the University of Phoenix.

The view of Cl0p’s data leak site showing the latest alleged victims listed
The rest of the list covers several regions: Japan (3), France (1), Mexico (1), Saudi Arabia (1), Kuwait (1), China (1), Australia (1), Sri Lanka (1), and Pakistan (1). These additions include companies such as Mazda, Canon, Michelin, Grupo Bimbo, Aljomaih Automotive, Alshaya Group, Fleet Management Limited, Worley, MAS Holdings, and Treet Corporation.
Sector exposure in this subset shows a wide distribution. Technology (20.7%), automotive (20.7%), and consumer and retail brands (20.7%) lead the list. Healthcare and wellness (10.3%) and industrial manufacturing and chemicals (10.3%) follow, while engineering and construction (6.9%), transportation and logistics (6.9%), and education (3.4%) appear in smaller proportions. This spread indicates that Cl0p’s latest alleged victims come from diverse industries rather than a concentrated sector.
Did Any Victims Confirm the Breach?
Yes. Several organizations have publicly acknowledged impact. Harvard University, Wits University, and Envoy Air confirmed being affected in mid-October. The Washington Post also confirmed an intrusion attempt but did not provide further details. Logitech issued its confirmation more recently. Most other organizations listed by Cl0p have neither verified nor denied the claims, which keeps the overall scope of the campaign uncertain. The pattern shows that while a few high-profile victims choose to disclose, many others stay quiet while internal reviews continue.
Is This Campaign Similar To MOVEit And GoAnywhere?
Yes. The technical entry points differ, but the overall playbook is the same. Cl0p targets high value enterprise systems, looks for pre-auth flaws, gains direct access, steals large data sets, and uses public leaks for pressure. MOVEit, GoAnywhere, and Cleo followed this pattern, and the Oracle EBS activity reflects the same strategic approach.
This pattern shows that Cl0p now operates as an opportunistic mass-exploitation group focused on data-theft-driven extortion. It uses any high-value platform with a weak point to compromise many organizations at once and maximize leverage, without relying on traditional ransomware encryption.
Could Other Threat Actors Also Be Exploiting This Vulnerability?
Yes. Evidence suggests that exploitation is not limited to Cl0p. SOCRadar Dark Web News identified several discussions in hacker forums where different actors shared or advertised exploits for the same Oracle EBS flaw. One notable post, shared on June 20, claimed to offer a pre-authentication RCE exploit for Oracle EBS version 12.2.14, priced at 70,000 dollars. The seller stated that the exploit was tested only in a controlled environment, not on external targets, which often indicates early-stage development or limited operational capability.

SOCRadar Dark Web News findings showing a threat actor selling a pre-auth RCE exploit for Oracle EBS 12.2.14 for 70,000 dollars.
These findings show that the vulnerability attracted interest from multiple actors, increasing the likelihood of broader exploitation beyond Cl0p’s campaign.
How Can SOCRadar Help Against Campaigns Like This?
SOCRadar helps security teams detect and respond to zero-day exploitation waves by providing early visibility into vulnerabilities, exploit activity, threat actor behavior, and dark web chatter.
Key modules that support defense against campaigns like Cl0p’s include:

SOCRadar’s Cyber Threat Intelligence module, Vulnerability Intelligence tracking
- Vulnerability Intelligence: Tracks new CVEs, exploit availability, PoC circulation, and active exploitation in the wild. This helps security teams understand which vulnerabilities are weaponized and prioritize patching.
- Attack Surface Management: Maps an organization’s external exposure by detecting outdated versions, vulnerable services, misconfigurations, and publicly accessible components. This helps reduce the attack surface before exploitation occurs.
- Threat Actor Intelligence: Monitors Cl0p’s operations, victim announcements, infrastructure, IOCs, and behavioral patterns. This enables defenders to align detection rules with the group’s current tactics and campaigns.

SOCRadar Dark Web Monitoring
- Dark Web Monitoring: Identifies exploit sales, data-leak posts, threat actor discussions, and leaked credentials. This is critical when groups like Cl0p share exploit code or publish stolen datasets on dark web platforms.
Together, these capabilities allow organizations to react faster, reduce exposure windows, and strengthen their defense posture against mass exploitation groups like Cl0p.