SparTech Software CyberPulse – Your quick strike cyber update for October 10, 2025 5:03 AM

CL0P-Linked Hackers Breach Dozens of Organizations via Oracle E-Business Suite Zero-Day

A significant new wave of cyberattacks attributed to threat actors linked to the Cl0p ransomware group is targeting Oracle E-Business Suite (EBS) deployments worldwide. Dozens of organizations have reportedly been breached by attackers exploiting a previously unknown vulnerability, CVE-2025-61882, which carries a CVSS score of 9.8 and is exploitable without authentication. The campaign shows how threat actors chain several weaknesses in a single enterprise application to gain remote code execution, exfiltrate data, and extort the victims. Security experts warn that multi-step zero-day attacks of this kind are becoming increasingly common in the cybercrime ecosystem.

Attack Timeline and Discovery

The extortion wave began in earnest on September 29, 2025, when the attackers started sending high-volume extortion emails from hundreds of compromised third-party accounts to company executives and IT administrators, but researchers later found exploitation activity dating back to July 10, 2025. Dozens of organizations have already been affected; the true number may be larger, as incident investigations are ongoing.

Technical Details: Exploitation Techniques

The threat actors chained several exploitation techniques:

  • Server-Side Request Forgery (SSRF): A flaw that let the attackers make the Oracle EBS server issue HTTP requests to destinations of their choosing, reaching internal services that normal network controls would otherwise block.
  • Carriage-Return Line-Feed (CRLF) Injection: By inserting carriage-return and line-feed characters into values the server copies into HTTP headers, the attackers terminated headers early and appended their own, which is what turned the SSRF into a usable link in the chain.
  • Authentication Bypass: Flaws in the /OA_HTML/SyncServlet component were exploited to bypass authentication checks.
  • XSL Template Injection: Attackers submitted malicious Extensible Stylesheet Language (XSL) templates via the Template Preview feature. The templates embedded Java calls that execute when the template is processed, giving remote code execution (RCE) and a reverse shell back to attacker-controlled infrastructure.
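To make the SSRF-plus-CRLF step concrete, here is an added example, not Oracle code and not the attackers' exploit: a hypothetical server-side fetch helper in Python that assembles an outbound HTTP request from user input, first with the bug and then hardened. The host allow-list, the helper names and the attack path are assumptions constructed for the demonstration; nothing is sent over the network.

```python
"""CRLF injection through a server-side fetch helper: vulnerable and hardened.

Constructed example. The helper is hypothetical and is not Oracle EBS code.
"""
import re
from urllib.parse import quote, unquote

# Constructed allow-list of hosts the helper may fetch from (assumption).
ALLOWED_HOSTS = {"reports.internal.example"}
METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_request_vulnerable(host: str, encoded_path: str) -> bytes:
    """Assemble an outbound HTTP/1.1 request from a user-supplied host and
    percent-encoded path with no validation.

    Two bugs: the host is attacker-chosen (SSRF), and the path is decoded and
    copied verbatim, so %0d%0a becomes a real CR LF on the wire. The input can
    therefore end the request line, append headers, or start a second request.
    """
    path = unquote(encoded_path)
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    )
    return request.encode("latin-1")


def build_request_hardened(host: str, encoded_path: str) -> bytes:
    """Same helper with the checks the vulnerable version lacks."""
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"destination {host!r} is not on the allow-list")
    path = unquote(encoded_path)
    if not path.startswith("/") or CONTROL_CHARS.search(path):
        raise ValueError("path is not absolute or contains control characters")
    # Re-encode so only RFC 3986 path/query characters reach the request line.
    safe_path = quote(path, safe="/?=&-._~")
    request = (
        f"GET {safe_path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    )
    return request.encode("ascii")


def rejects(host: str, encoded_path: str) -> bool:
    """True if the hardened builder refuses this host/path pair."""
    try:
        build_request_hardened(host, encoded_path)
    except ValueError:
        return True
    return False


def count_requests(wire: bytes) -> int:
    """Count the request lines a permissive HTTP/1.1 parser would see in
    `wire`. More than one means the input smuggled an extra request."""
    return sum(
        1 for message in wire.split(b"\r\n\r\n")
        if message.split(b" ", 1)[0] in METHODS
    )


# Constructed attacker input: ends the request line early, supplies a Host
# header and a blank line, then starts a second request of its own.
ATTACK_PATH = (
    "/status%20HTTP/1.1%0d%0aHost:%20reports.internal.example%0d%0a%0d%0a"
    "GET%20/admin/export%20HTTP/1.1%0d%0aHost:%20reports.internal.example"
    "%0d%0aX-Injected:%201"
)

if __name__ == "__main__":
    wire = build_request_vulnerable("reports.internal.example", ATTACK_PATH)
    print(wire.decode("latin-1"))
    print("requests on the wire:", count_requests(wire))
    for host, path in [("reports.internal.example", ATTACK_PATH),
                       ("169.254.169.254", "/latest/meta-data/")]:
        print(host, "rejected" if rejects(host, path) else "accepted")
```

The vulnerable builder emits two complete requests from one "path" parameter; the hardened one fails closed on both the destination (allow-list) and the content (no control characters, re-encoded before use). Decoding before validating, as the hardened version does, matters: checking the still-encoded string would miss %0d%0a.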

Extortion Tactics: Data Exfiltration and Ransom Demands

Once inside victim networks, the attackers exfiltrated sensitive business data. Affected organizations then received extortion emails demanding payment to prevent the public release of the stolen information. The credentials for the compromised third-party email accounts used to send those messages were often sourced from infostealer malware logs traded on underground forums.

Mitigation and Response

Oracle has released an emergency patch for CVE-2025-61882; note that Oracle's advisory lists the October 2023 Critical Patch Update as a prerequisite, so deployments behind on CPUs have more to apply than one fix. Security experts recommend that organizations running Oracle EBS apply the updates immediately, review web server access logs for unexpected requests to the /OA_HTML/SyncServlet endpoint (particularly from external addresses or scripted clients) and check for the indicators of compromise in Oracle's advisory, and raise user awareness of the extortion emails. Researchers also stress strong network segmentation (EBS should not be reachable directly from the internet), multi-factor authentication, and regular security audits for ERP and other enterprise software deployments.
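As an added example of the log review recommended above (this is not Oracle tooling or vendor-published detection content), the following Python script triages access log lines for three indicators: requests to /OA_HTML/SyncServlet from addresses outside the internal ranges, percent-encoded CR/LF in the request target, and scripted HTTP clients hitting /OA_HTML/ paths. It assumes the Apache combined log format (Oracle HTTP Server is Apache-based), the RFC 1918 ranges as "internal", and the sample log lines are constructed; the watched-path list holds only the endpoint the article names and should be extended from vendor or incident-response guidance.

```python
"""Triage web access logs for the Oracle EBS indicators the article names.

Added example, not vendor tooling. Assumes Apache combined log format and uses
/OA_HTML/SyncServlet as the watched endpoint; extend WATCHED_PATHS from vendor
or IR guidance. All sample log lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumption: RFC 1918 space is "internal"; adjust to the real topology.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PATHS = ("/OA_HTML/SyncServlet",)
ENCODED_CRLF = re.compile(r"%0[dDaA]")  # %0d / %0a in the request target
SCRIPTED_UA = ("python-requests", "curl/", "wget/", "go-http-client")


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    target: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if unparseable."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source, treat as external
    return any(addr in net for net in INTERNAL_NETS)


def triage(lines):
    """Return one Finding per line that matches at least one indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; count these separately in real use
        reasons = []
        path = rec["target"].split("?", 1)[0]
        if path in WATCHED_PATHS and not is_internal(rec["ip"]):
            reasons.append("watched endpoint from external address")
        if ENCODED_CRLF.search(rec["target"]):
            reasons.append("encoded CR/LF in request target")
        if path.startswith("/OA_HTML/") and rec["ua"].lower().startswith(SCRIPTED_UA):
            reasons.append("scripted client user-agent")
        if reasons:
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"],
                                    rec["target"], reasons))
    return findings


# Constructed sample: two external scripted hits on SyncServlet, one CRLF
# probe, two benign internal browser requests, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Oct/2025:02:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '203.0.113.10 - - [05/Oct/2025:02:14:09 +0000] "GET /OA_HTML/OA.jsp?returnUrl=http://203.0.113.10/%0d%0aX-Injected:%201 HTTP/1.1" 302 - "-" "python-requests/2.32"',
    '10.20.5.17 - - [05/Oct/2025:09:01:11 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '10.20.5.17 - - [05/Oct/2025:09:02:30 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 44 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.7 - - [05/Oct/2025:02:15:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 20 "-" "curl/8.5.0"',
    'this line is not an access log record',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.target}: {', '.join(f.reasons)}")
```

Run it against `tail -n 100000 access_log` piped through `triage(sys.stdin)` after adjusting the internal ranges. The internal browser POST to SyncServlet is deliberately not flagged: the endpoint is used by the application itself, so volume and source, not mere presence, are what distinguish exploitation attempts from normal traffic.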

Behavioral Pattern Analysis and Attribution

The current campaign is consistent with past Cl0p-linked incidents, which relied on mass exploitation of zero-days in enterprise file transfer and other business applications. However, some evidence suggests that any ransomware component may be handled by a separate actor, as the campaign so far focuses on data exfiltration and extortion rather than immediate encryption. Notably, at the time of reporting, no victims had yet been listed on the Cl0p data leak site, which matches previous campaigns in which publication was delayed to apply additional pressure during negotiations.
