Hackers have exploited a zero-day vulnerability in Oracle E-Business Suite (EBS) as part of a large-scale extortion campaign linked to the Clop ransomware group, according to Google’s Threat Intelligence Group (GTIG).

The campaign began on September 29, 2025, when threat actors sent extortion emails to executives across multiple industries, claiming to have stolen sensitive data from Oracle EBS systems. 

The emails included file listings from compromised environments as evidence and demanded ransom payments to prevent public leaks.

Oracle initially suggested the attackers may have leveraged older vulnerabilities patched in July, but later confirmed that a zero-day flaw, now tracked as CVE-2025-61882, was used against unpatched systems. Emergency fixes were released on October 4, followed on October 11 by a patch for a second vulnerability, CVE-2025-61884.

Zero-Day Active Weeks Before Patch

Investigations show that the flaw had been exploited as early as August 9, 2025, weeks before any patch was available. Logs from affected environments show that the EBS UiServlet and SyncServlet components were targeted, giving the attackers remote code execution on the application tier and a path to the data they later stole.

The attackers deployed multi-stage Java implants, identified as the GOLDVEIN and SAGE malware families, to deliver payloads directly into Oracle databases. Once inside, they ran reconnaissance commands such as ifconfig, netstat, and ps -aux to map the host, its network connections, and neighbouring internal systems.

Clop-Linked Campaign

The extortion emails were distributed from hundreds of compromised third-party accounts using contact addresses historically tied to the Clop data leak site ([email protected], [email protected]). 

GTIG has not yet issued a formal attribution, though the tactics align with those of FIN11, a financially motivated group known for exploiting managed file transfer products such as MOVEit and GoAnywhere.

Oracle’s Response

Oracle has urged all EBS customers to apply the latest Critical Patch Updates without delay. The company stated that systems updated with the October 11 release should no longer be vulnerable to known exploit paths.

Recommended Mitigations

Security experts recommend that organizations apply the following mitigations:

  • Apply the latest Oracle patches for CVE-2025-61882 and CVE-2025-61884 immediately.
  • Review EBS databases for unauthorized templates or scripts.
  • Restrict outbound traffic from EBS servers to limit potential data exfiltration.
  • Monitor web tier logs for abnormal activity against the UiServlet and SyncServlet endpoints.
  • Conduct memory and process forensics to detect signs of Java-based implants.
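The script below is an added example, not code from the article, Oracle or GTIG, that turns the two detection items above (and the servlet and reconnaissance activity described under "Zero-Day Active Weeks Before Patch") into concrete checks. It scans constructed sample data for requests to the UiServlet and SyncServlet endpoints from outside an internal address range, and for reconnaissance commands whose parent chain leads back to the EBS Java process. The URL paths under which the servlets are exposed, the trusted address prefix, the process listing and the log lines are all assumptions made for the example.

```python
"""Hunt for the two activity patterns described in the report on an Oracle
EBS host: (1) requests to the UiServlet / SyncServlet endpoints in the web
tier access log, (2) reconnaissance commands spawned by the EBS Java process.
All inputs here are constructed sample data; the servlet paths and process
names are assumptions for the example, not taken from Oracle or GTIG."""
import re
from collections import Counter

# Assumption: paths under which the two servlets are exposed on the web tier.
WATCHED_PATHS = ("/OA_HTML/SyncServlet", "/OA_HTML/configurator/UiServlet")
# Reconnaissance commands the report says the attackers ran after access.
RECON_CMDS = {"ifconfig", "netstat", "ps"}

# Common/combined access-log prefix; referrer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines, trusted_prefixes=("10.",)):
    """Return watched-servlet requests from outside the trusted range, plus a
    per-source count of the same requests from inside it (for baselining)."""
    external, internal = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate unparseable lines instead of aborting the scan
        path = m["path"].split("?", 1)[0]  # compare without the query string
        if not any(path.startswith(p) for p in WATCHED_PATHS):
            continue
        if m["ip"].startswith(trusted_prefixes):
            internal[m["ip"]] += 1
        else:
            external.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "path": path, "status": int(m["status"])})
    return external, internal


def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,args` output into {pid: (ppid, user, args)}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # first row is the header
        pid, ppid, user, args = line.split(None, 3)
        procs[int(pid)] = (int(ppid), user, args)
    return procs


def _basename(args):
    return args.split()[0].rsplit("/", 1)[-1]


def recon_spawned_by_java(procs):
    """Flag recon commands with a java process somewhere in their ancestry.
    A shell command whose parent chain ends at the application server is how
    a Java implant shows up in process data; the same command typed in an
    administrator's SSH session has no java ancestor and is not flagged."""
    hits = []
    for pid, (ppid, user, args) in procs.items():
        if _basename(args) not in RECON_CMDS:
            continue
        seen, cur = set(), ppid
        while cur in procs and cur not in seen:  # walk up, guard against cycles
            seen.add(cur)
            parent_ppid, _, parent_args = procs[cur]
            if _basename(parent_args) == "java":
                hits.append({"pid": pid, "user": user, "cmd": args, "java_pid": cur})
                break
            cur = parent_ppid
    return hits


# Constructed sample data (assumed addresses, paths and PIDs).
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [09/Aug/2025:02:14:07 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 1837
198.51.100.23 - - [09/Aug/2025:02:14:09 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
10.0.5.17 - - [09/Aug/2025:02:15:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0
198.51.100.23 - - [09/Aug/2025:02:15:30 +0000] "POST /OA_HTML/SyncServlet?x=1 HTTP/1.1" 200 4096
10.0.5.42 - - [09/Aug/2025:03:00:01 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 640
garbage line that does not parse
""".splitlines()

SAMPLE_PS = """\
  PID  PPID USER     COMMAND
 2210     1 applmgr  /u01/jdk/bin/java -Dweblogic.Name=oacore_server1 weblogic.Server
 3412  2210 applmgr  /bin/sh -c ifconfig
 3413  3412 applmgr  ifconfig
 3420  2210 applmgr  /bin/sh -c ps -aux
 3421  3420 applmgr  ps -aux
 4001     1 root     /usr/sbin/sshd -D
 4010  4001 applmgr  -bash
 4011  4010 applmgr  netstat -an
"""

if __name__ == "__main__":
    external, internal = scan_access_log(SAMPLE_ACCESS_LOG)
    for hit in external:
        print("servlet request from outside trusted range:", hit)
    print("internal servlet hits per source:", dict(internal))
    for hit in recon_spawned_by_java(parse_ps(SAMPLE_PS)):
        print("recon command under EBS java process:", hit)
```

On a real host, feed `scan_access_log` the web tier access log and `parse_ps` the output of `ps -eo pid,ppid,user,args`; adjust the trusted prefixes to the ranges that legitimately reach the servlets. The process check is a coarse signal, since the commands are common and the implant may not persist as a child process, so treat a hit as a trigger for the memory and process forensics recommended above rather than as confirmation on its own.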

This incident underscores a growing trend of mass exploitation and data extortion campaigns that target enterprise software before vendors can patch critical flaws. Analysts caution that similar attacks against business-critical applications are likely to continue in the months ahead.