Clop Attacks Oracle E-Business Suite Users with 0-Day Vulnerability

Last week, Oracle warned customers about a critical 0-day vulnerability in its E-Business Suite (CVE-2025-61882) that allows remote execution of arbitrary code without authentication. It has now been confirmed that the Clop ransomware group has been actively exploiting this flaw in real-world attacks since August 2025.
0-Day Under Active Exploitation
The vulnerability was identified in the Oracle Concurrent Processing component of the BI Publisher Integration module within Oracle E-Business Suite and received a CVSS score of 9.8. The severity stems from the absence of authentication requirements and the ease of exploitation.
According to Oracle, the flaw affects versions 12.2.3 through 12.2.14 of E-Business Suite. The company issued an emergency patch, but noted that customers must first apply the October 2023 Critical Patch Update before installing the new fix.
Because a public proof-of-concept (PoC) exploit already existed and was being used in attacks, Oracle urged administrators to apply the patch immediately.
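The two facts above that matter for triage are the affected version range (12.2.3 through 12.2.14) and the ordering constraint (the October 2023 Critical Patch Update must be in place before the emergency fix). The following is an added example, not Oracle's tooling or anything from the article, that encodes both as a small inventory check so a fleet of E-Business Suite hosts can be sorted by what still needs doing. The host records are constructed for illustration; the field names are assumptions.

```python
"""Triage helper for CVE-2025-61882 exposure in Oracle E-Business Suite.

Added example, not Oracle's own tooling. It encodes two facts from the
advisory as reported: the affected range 12.2.3 through 12.2.14, and the
requirement that the October 2023 Critical Patch Update (CPU) be applied
before the emergency fix. Host records below are constructed sample data.
"""
from dataclasses import dataclass

# Inclusive bounds of the affected range as reported by Oracle.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.2.11' into (12, 2, 11); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable EBS version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version falls inside the reported affected range."""
    v = parse_version(version)
    # Pad to three components so a short string such as '12.2' still compares
    # as a tuple of equal length; tuple comparison then handles the range.
    v = (v + (0, 0, 0))[:3]
    return AFFECTED_MIN <= v <= AFFECTED_MAX


@dataclass
class Host:
    """Constructed inventory record; field names are assumptions for the example."""
    name: str
    version: str
    oct_2023_cpu_applied: bool
    emergency_fix_applied: bool


def remediation_steps(host: Host) -> list[str]:
    """Return the ordered actions still outstanding for one host."""
    if not is_affected(host.version):
        return ["not in affected range; no action for CVE-2025-61882"]
    if host.emergency_fix_applied and not host.oct_2023_cpu_applied:
        # The fix is documented as requiring the CPU first, so this state
        # indicates a bad inventory record or a failed install; flag it.
        return ["inconsistent: emergency fix recorded without October 2023 CPU; verify patch state"]
    steps = []
    if not host.oct_2023_cpu_applied:
        steps.append("apply October 2023 Critical Patch Update (prerequisite)")
    if not host.emergency_fix_applied:
        steps.append("apply CVE-2025-61882 emergency patch")
    return steps or ["fully patched for CVE-2025-61882"]


def triage(hosts: list[Host]) -> dict[str, list[str]]:
    """Map each host name to its outstanding steps."""
    return {h.name: remediation_steps(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = [
        Host("ebs-prod-01", "12.2.11", False, False),
        Host("ebs-prod-02", "12.2.14", True, False),
        Host("ebs-test-01", "12.2.3", True, True),
        Host("ebs-legacy", "12.1.3", False, False),
    ]
    for name, steps in triage(sample).items():
        print(name)
        for s in steps:
            print("  -", s)
```

Version comparison is done on integer tuples rather than strings so that 12.2.14 sorts after 12.2.3; a naive string comparison would get that wrong and silently miss the upper end of the range.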
Charles Carmakal, Chief Technology Officer at Mandiant, confirmed that CVE-2025-61882, along with several other vulnerabilities addressed in Oracle’s July update, had been exploited by Clop to steal data from Oracle E-Business Suite servers as early as August 2025.
Before Oracle released the patch, experts from Mandiant and Google’s Threat Intelligence Group (GTIG) had already begun tracking a malicious campaign linked to this vulnerability. Several unnamed organizations reportedly received extortion emails from the attackers, claiming that Clop had stolen their E-Business Suite data and demanding ransom to prevent its publication.

Researchers at CrowdStrike corroborated these findings, noting that they first observed Clop exploiting CVE-2025-61882 in early August 2025.
“CrowdStrike Intelligence assesses with moderate confidence that GRACEFUL SPIDER is likely involved in this campaign,” the analysts stated. “We cannot rule out the possibility that CVE-2025-61882 is being exploited by multiple threat groups. The first known exploitation occurred on August 9, 2025, though investigations are ongoing.”
The Exploit and Attribution
As reported by BleepingComputer, although the Clop group is believed to be responsible for both the data theft and exploitation of the 0-day, the first public mention of the vulnerability came from the Scattered Lapsus$ Hunters — a coalition of members from Scattered Spider, LAPSUS$, and ShinyHunters.

This group posted two files referencing Clop on Telegram, effectively revealing the existence of the 0-day before Oracle’s official disclosure.
One of them (GIFT_FROM_CL0P.7z) contained Oracle source code, allegedly related to support.oracle.com. Later, Scattered Lapsus$ Hunters claimed that this code was stolen during the hack of Oracle Cloud in February 2025.
The second file (ORACLE_EBS_NDAY_EXPLOIT_POC_SCATTERED_LAPSUS_RETARD_CL0P_HUNTERS.zip) allegedly contained the actual exploit for Oracle E-Business Suite used by Clop. The archive contained a readme.md instruction file and two Python scripts—exp.py and server.py. These scripts are used to exploit vulnerable Oracle E-Business Suite installations: they either execute an arbitrary command or open a reverse shell, connecting to the attackers' servers.
It is currently unclear how Scattered Lapsus$ Hunters gained access to the exploit or what their connection to Clop is. The hackers themselves claim that one of the people with whom they shared the exploit may have passed it on or sold it to Clop.
"This was my exploit, like with the SAP one that was later stolen by CCP. I was upset that another one of my exploits was being used by another group in an unfortunate way, so we leaked it. No hard feelings towards Clop," stated a member of the group.
Researchers from watchTowr Labs, who reverse-engineered the exploit leaked online by Scattered Lapsus$ Hunters (the exploit itself is dated May 2025), found that CVE-2025-61882 is actually a chain of vulnerabilities that allows attackers to achieve remote code execution without authentication using just a single HTTP request.