Cl0p-Linked Hackers Exploit Oracle E-Business Suite Zero-Day, Target Dozens of Organizations
A major data extortion campaign has emerged targeting Oracle E-Business Suite (EBS) installations, with dozens of organizations affected. The attackers utilize a zero-day vulnerability (CVE-2025-61882), employing advanced exploitation chains to gain remote access, exfiltrate data, and initiate widespread ransom demands. This incident highlights the increasing sophistication of ransomware operators and the critical need for immediate patching and incident response.
Technical Breakdown of the Oracle EBS Exploitation Chain
The attackers leveraged various vulnerabilities in Oracle’s EBS, primarily a newly disclosed zero-day flaw, CVE-2025-61882, rated 9.8 on the CVSS scale. The campaign began in earnest in late September 2025 and involved chaining multiple weaknesses: Server-Side Request Forgery (SSRF), CRLF injection, authentication bypass, and XSL template injection, all to achieve remote code execution (RCE) on targeted systems.
Specifically, one technique involved exploiting the /OA_HTML/SyncServlet endpoint to inject XSL payloads that executed arbitrary Java code. The attack could then establish reverse shells and persistent access, enabling threat actors to move laterally, exfiltrate sensitive data—including financial and personal information—and ultimately extort victims.
Attribution and Campaign Structure
The activity was tentatively linked to the Cl0p ransomware group, known for exploiting critical zero-days across multiple sectors. Notably, some indicators suggest that the core ransomware operators may have outsourced certain functions or are working alongside other threat actors, with extortion emails coming from hundreds of compromised third-party accounts. These credentials were acquired via infostealer logs distributed on underground forums.
The attackers issued ransom demands, threatening data leakage unless paid. Unlike previous campaigns, initial extortion messages did not list victims on public leak sites, suggesting the group is delaying disclosures or working through negotiations in private.
Defensive Recommendations
Oracle has released patches, and all administrators of EBS instances should update immediately. Incident response teams must audit access to the SyncServlet component, monitor for unexpected XSL payload executions, inspect for unauthorized outbound connections (reverse shell activity), and review recent authentication logs for irregularities. Large-scale, multi-vector zero-day campaigns such as this are becoming common and require increased vigilance.
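An added example, not from the article or from Oracle, of the SyncServlet access audit recommended above: it parses constructed NCSA/Apache-style access-log lines (Oracle's Apache-based web tier commonly writes this format; treat that as an assumption) and flags every request to /OA_HTML/SyncServlet, rating requests from outside the assumed internal address ranges as high priority. The log lines, internal ranges and severity labels are all constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in NCSA combined format; not real traffic.
SAMPLE_LOG = """\
10.20.1.15 - - [02/Oct/2025:09:14:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [02/Oct/2025:09:15:31 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 812 "-" "python-requests/2.31"
10.20.1.15 - - [02/Oct/2025:09:16:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Oct/2025:09:17:45 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 404 312 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: these are the organisation's internal ranges; anything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PATH = "/oa_html/syncservlet"  # compared case-insensitively to catch mixed-case probes

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_internal(ip):
    try:
        return any(ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:  # hostnames or malformed addresses are treated as external
        return False

def triage(log_text):
    """List every request to the watched servlet.
    Severity 'high': client outside the internal ranges (the EBS servlet reached
    from beyond the perimeter). Severity 'review': internal client; still audit it."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].split("?", 1)[0].lower() != WATCHED_PATH:
            continue
        sev = "review" if is_internal(rec["ip"]) else "high"
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "status": rec["status"], "ua": rec["ua"], "severity": sev})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} {f['status']} ua={f['ua']!r}")
```

On a real deployment, feed the web tier's access logs through `triage` and correlate the hits with outbound-connection and authentication logs, as the section recommends.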
Redis Issues Emergency Patch for “RediShell” Remote Code Execution Vulnerability
Redis has released urgent patches to fix CVE-2025-49844, a critical vulnerability dubbed “RediShell.” The vulnerability allows attackers to achieve full remote code execution on affected Redis instances, enabling system takeover, data theft, and lateral movement across enterprise networks. Unpatched systems are at very high risk, and immediate upgrade is strongly advised.
RediShell Exploit Mechanics
The vulnerability centers on how Redis processes certain commands under specific configurations, enabling an attacker to inject shell commands or code. When exposed to internet-facing environments without stringent access controls, Redis can be manipulated to execute arbitrary shell code via crafted inputs. The flaw bypasses common authentication and leverages Redis’s design for low latency and in-memory operation, making exploitation rapid and difficult to detect.
Impact and Exploitation Footprint
Security researchers report that active exploitation has already begun, with attackers seeking out unpatched servers. System compromise can lead directly to root-level access, unauthorized database queries, deployment of ransomware, and collection of credentials for further network compromise. The criticality stems from Redis’s pervasive use in cloud and web infrastructure, including caching, session storage, and real-time databases.
Mitigation and Long-Term Remediation
Users are urged to deploy official Redis patches immediately. As a stopgap, restricting external network access, limiting available commands, enabling strong authentication, and applying SELinux or AppArmor policies are recommended. Review logs for sudden configuration changes, logins from unknown IP addresses, or anomalous shell invocations. Enterprises must also assess their Redis deployment architecture to avoid future exposure of uncontrolled endpoints.
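An added example, not from the article or from the Redis project, of checking a redis.conf against the stopgap measures above (network exposure, authentication, and limiting commands): it places a constructed weak configuration beside a hardened one and audits each for the relevant directives. The two configuration fragments and the severity labels are assumptions; the directives themselves (bind, protected-mode, requirepass, rename-command, aclfile, user) are standard Redis settings.

```python
# Constructed weak and hardened redis.conf fragments (assumptions, not from Redis or the article).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass PLACEHOLDER_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command DEBUG ""
rename-command EVAL ""
"""

WILDCARDS = {"0.0.0.0", "*", "::", "::*"}  # bind values that expose every interface
RISKY_COMMANDS = ("CONFIG", "DEBUG", "EVAL")  # worth disabling or denying via ACL

def parse_conf(text):
    """Parse redis.conf into {directive: [values...]}; repeated directives accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.strip())
    return conf

def audit(text):
    """Return (severity, message) findings for settings that widen exposure."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind", [""])[-1].split()  # the last bind directive wins
    if not binds or any(v.lstrip("-") in WILDCARDS for v in binds):
        findings.append(("high", "bind: missing or wildcard address, reachable on all interfaces"))
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append(("high", "protected-mode is disabled"))
    has_pass = bool(conf.get("requirepass", [""])[-1].strip('"'))
    if not has_pass and "aclfile" not in conf and "user" not in conf:
        findings.append(("high", "no authentication: neither requirepass nor ACL users configured"))
    renamed = [v.split() for v in conf.get("rename-command", [])]
    disabled = {t[0].upper() for t in renamed if len(t) == 2 and t[1] == '""'}
    for cmd in RISKY_COMMANDS:
        if cmd not in disabled:
            findings.append(("medium", f"{cmd} still reachable; rename it away or deny it via ACL"))
    return findings
```

On Redis 6 and later, ACL users (the `user` directive or an `aclfile`) are the preferred way to restrict commands; `rename-command` is kept here because it is still widely deployed.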
Compromise of SonicWall Cloud Backup Service Exposes All Firewall Configuration Files
A recent investigation confirmed that attackers were able to brute-force their way into the SonicWall cloud backup service, accessing configuration backup files for all customer firewalls utilizing the service. Configuration data can include internal network layouts, VPN keys, and security policies, raising serious concerns about subsequent attacks targeting exposed infrastructure.
Technical Details of the Breach
The attackers leveraged brute-force techniques, likely exploiting weak authentication and insufficient rate-limiting controls, to gain unauthorized entry into SonicWall’s cloud backup infrastructure. From there, they accessed configuration files encompassing all customers who used the service, representing a significant breach of confidentiality and integrity.
The files likely contained sensitive details such as IP whitelists/blacklists, firewall rule sets, administrative credentials, and Certificate Authorities for VPN termination. Exposure of this data enables attackers to map internal networks, bypass perimeter security controls, and potentially craft highly targeted attacks.
Assessment and Enterprise Response
Mandiant supported the post-incident forensics, confirming the scale and impact. Enterprises using SonicWall cloud backup must immediately assume their configuration files are compromised and rotate all associated credentials, audit policy rules for malicious changes, and review authentication logs for suspicious access. Segmentation of backup storage and proactive monitoring are recommended to reduce future risk.
Gladinet CentreStack and Triofox Vulnerability Exploited in Active Campaign, No Patch Available
Attackers have begun exploiting CVE-2025-11371, an unauthenticated Local File Inclusion (LFI) vulnerability in the Gladinet CentreStack and Triofox file-sharing platforms. The flaw enables attackers to retrieve sensitive files and possibly execute remote code without authentication. As of this writing, no patch has been released, leaving organizations exposed to ongoing targeted attacks.
Mechanics of the LFI Exploit
CVE-2025-11371 results from improper validation and sanitization in key API endpoints, allowing external actors to specify arbitrary file locations within the server’s storage context. This can be leveraged to gather configuration, password, and token files, or stage further code execution by escalating to remote command injection.
Observed Attacks and Guidance
Researchers observed widespread scanning and exploitation in the wild, targeting unpatched instances. Enterprise impact includes disclosure of sensitive corporate files, leaked authentication tokens, and possible full server compromise. With no patch available, administrators are advised to:
- Block public access to affected endpoints.
- Apply web application firewalls with custom rules to detect and block suspicious file requests.
- Increase monitoring for anomalous API requests and unexpected file accesses.
- Plan rapid response for emergent patch deployment once available.
Cybersecurity Information Sharing Act Expires, Threatens US Cyber Threat Intelligence Collaboration
The US Cybersecurity Information Sharing Act (CISA), a cornerstone in public-private cyber threat sharing, expired on October 1, 2025, due to a congressional impasse. Legal liability protections for voluntary threat data exchange have lapsed, threatening to erode cross-sector threat intelligence by up to 80%. Cyber defenders now face increased risk of operating with fragmented or incomplete visibility into current threats.
Implications of CISA Expiry
CISA provided legal shield and antitrust exemptions allowing private entities to share cyber threat intelligence with federal agencies and peers without fear of litigation. Its expiration means organizations may refrain from sharing out of concern for exposure to legal action or regulatory investigation, weakening the “collective defense” model that underpins national and supply chain security.
The Department of Homeland Security has committed to maintaining platform continuity. However, without legislative coverage, attorneys warn of a substantial collapse in information flow, especially for new zero-days, infrastructure targeting, and global attack campaigns like those described above.
Recommended Actions Ahead
Cybersecurity, legal, and policy teams should assess current data sharing agreements and review alternative, risk-managed approaches for ongoing intelligence collaboration. Monitoring legislative developments for a potential renewal or reform is critical. Meanwhile, isolated threat intelligence is likely to challenge visibility into evolving attack vectors for public and private sector defenders.