
CL0P Ransomware Attack on Oracle E-Business Suite

  • Writer: Ranjith Manne
  • Nov 25, 2025
  • 2 min read

Updated: Jan 27

Oracle E-Business Suite (EBS) is a collection of enterprise business applications for managing finance, human resources, supply chain, projects, and customer operations; in short, it runs an organization's core business processes.

A critical zero-day vulnerability, CVE-2025-61882, was discovered and exploited in Oracle EBS. It lets attackers remotely access and take control of the system without logging in. The flaw is in the BI Publisher – Concurrent Processing integration, a module used to format and render reports (PDF, Excel, HTML). Because BI Publisher is deeply integrated into the EBS application stack, attackers were able to exploit this link to compromise the system's internal processing.

Oracle officially disclosed CVE-2025-61882 on October 4, 2025, and security firms reported that exploitation had already begun on August 9, 2025. Between September 29 and October 2, victims began receiving extortion emails from the attackers claiming to have compromised their EBS systems.



How did it happen?

In Oracle EBS, administrators or system components can request BI Publisher to generate reports. In certain operations, a return_url parameter is used to fetch additional instructions or templates (XSL stylesheets) for formatting the output. That stylesheet controls how the report content is rendered.

Attackers discovered that the EBS server would automatically download and execute this XSL file without proper validation. They crafted a malicious return_url pointing to a server they controlled that hosted a malicious XSL stylesheet. When EBS fetched this file, the XSLT engine and javax.script.ScriptEngine were abused (via Runtime.getRuntime().exec() or similar) to execute OS commands, achieving remote code execution on the Oracle server.

The Cl0p ransomware group is widely claimed to be responsible for the extortion campaign. Many of the extortion emails explicitly mention Cl0p.


How did it become known?

The Cl0p ransomware group began sending extortion emails to affected organizations starting September 29, attaching screenshots and other evidence to support their claims.

On October 2, 2025, this email campaign became public when researchers from Google Cloud’s Mandiant and CrowdStrike warned about these extortion emails targeting Oracle customers.

Between October 3 and 4, hackers shared an exploit toolkit through Telegram and other public forums.

On October 4, 2025, Oracle officially confirmed the vulnerability by releasing a Security Alert detailing its severity, affected versions, and security patches.


What is the Impact?

Attackers can gain full control over the EBS application server process, particularly the Concurrent Processing component. From there, they can steal sensitive business data, including financial records, HR information, and customer PII, and then demand a ransom, threatening to publish the stolen data if it is not paid.

Since the vulnerability is unauthenticated remote code execution, it received a CVSS (Common Vulnerability Scoring System) score of 9.8, which is critical. The leaked exploit code can be reused by others, increasing the risk and likely leading to more attacks.

Organizations face potential consequences such as loss of business trust, regulatory penalties, cost of recovery and damage to reputation.


What are the Preventive Measures?

Oracle strongly recommends that customers running EBS versions 12.2.3 through 12.2.14 apply the updates provided in this Security Alert as soon as possible. The October 2023 Critical Patch Update is a required prerequisite before applying these updates.

In addition to patching, organizations should:

  • Restrict access to BI Publisher and all EBS administrative interfaces, minimizing public internet exposure through firewalls and VPNs.

  • Monitor for unusual activity, such as unexpected outbound connections, script execution, or failed login attempts, and hunt for the indicators of compromise (IoCs) published in Oracle's alert.

  • Maintain regular, offline backups of critical systems and data.

  • Be prepared to isolate affected systems immediately if exploitation is detected.
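The attack path described above (a report request whose return_url makes the server fetch a stylesheet from an external host) and the monitoring bullet suggest a simple hunting check. The following is an added example, not code from the original post or from Oracle: it scans web-server access-log lines for return_url values whose host is outside an internal allowlist or whose scheme is not http(s). The endpoint path, host names, allowlist and log lines are constructed placeholders; Oracle's real endpoint paths are not given on this page.

```python
"""Flag report requests whose return_url points outside the EBS environment.
Added example; paths, hosts and log lines are constructed placeholders."""
import re
from urllib.parse import urlsplit, parse_qs

# Hosts that may legitimately serve XSL templates to this EBS instance
# (constructed allowlist; replace with the real internal names).
ALLOWED_TEMPLATE_HOSTS = {"ebs-app01.corp.example", "ebs-app02.corp.example"}

# Common log format: client, identd, user, [timestamp], "METHOD target HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_return_url(target: str):
    """Return the offending return_url value if its scheme is not http(s) or its
    host is not allowlisted; return None for requests that look legitimate.
    parse_qs already percent-decodes the value, so encoded URLs are handled."""
    qs = parse_qs(urlsplit(target).query)
    for url in qs.get("return_url", []):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return url  # file://, ftp:// etc. are never expected here
        if (parts.hostname or "").lower() not in ALLOWED_TEMPLATE_HOSTS:
            return url  # stylesheet would be fetched from an external host
    return None


def scan_log(lines):
    """Return a list of (client_ip, timestamp, return_url) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        bad = suspicious_return_url(m["target"])
        if bad is not None:
            hits.append((m["ip"], m["ts"], bad))
    return hits


# Constructed sample log lines; /placeholder/report stands in for the report endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Aug/2025:10:01:02 +0000] "GET /placeholder/report?return_url=https://ebs-app01.corp.example/templates/inv.xsl HTTP/1.1" 200',
    '203.0.113.7 - - [09/Aug/2025:10:03:44 +0000] "GET /placeholder/report?return_url=http%3A%2F%2F198.51.100.23%2Fremote.xsl HTTP/1.1" 200',
    '10.0.0.9 - - [09/Aug/2025:10:05:10 +0000] "GET /placeholder/report?return_url=file:///opt/templates/x.xsl HTTP/1.1" 500',
    '10.0.0.5 - - [09/Aug/2025:10:06:00 +0000] "GET /placeholder/home HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, ts, url in scan_log(SAMPLE_LOG):
        print(f"ALERT {ts} client={ip} external return_url={url}")
```

Run it against the real access logs of the EBS web tier after replacing the allowlist and the endpoint path; any hit is worth correlating with outbound connections from the server around the same time.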
