Thursday, March 5, 2026

Oracle Reportedly Hit By Clop Ransomware Using E-Business Suite Zero-Day Vulnerability

The notorious Clop ransomware gang has listed Oracle on its dark web leak site, claiming a significant breach of the tech giant's internal systems.

This attack exploits a critical zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882.

The group, also tracked as Graceful Spider, alleges it stole sensitive data from Oracle and dozens of its prominent customers.

The incident echoes the 2023 MOVEit supply chain attack, in which Clop compromised thousands of organizations through a single file-transfer flaw.

Clop affiliates began targeting this flaw in August 2025, well before Oracle issued patches in October 2025.

The breach highlights risks in enterprise resource planning (ERP) systems that handle vital business data, such as financial and HR records.

Victims now face extortion demands, with leaks threatened unless ransoms are paid.

The Zero-Day Exploit: CVE-2025-61882 Technical Breakdown

CVE-2025-61882 delivers unauthenticated remote code execution (RCE) in Oracle E-Business Suite versions 12.2.3 through 12.2.14.

Attackers first target the OA_HTML/SyncServlet endpoint to bypass authentication entirely: no login credentials are required. This "pre-auth" step opens the door.

Next, they inject malicious XSLT templates via the OA_HTML/RF.jsp page. XSLT, used for data transformation in EBS, lets attackers craft payloads that run arbitrary OS commands on the server.

For example, a crafted request might execute shell commands, deploy ransomware payloads, or exfiltrate databases.

Detail               Specification
CVE ID               CVE-2025-61882
Affected Products    Oracle EBS 12.2.3 to 12.2.14
Type                 Unauthenticated RCE
CVSS Score           9.8 (Critical)
Exploit Vector       SyncServlet auth bypass + XSLT injection
Patch Status         Available October 2025

This chain grants complete server control, allowing data theft from ERP modules.

Security firms note that Clop used it for initial access, then laterally moved into customer environments linked via Oracle services.

Extortion Campaign Targets High-Profile Victims

Clop's leak site shows "PAGE CREATED" for ORACLE.COM, listed alongside MAZDA.COM, HUMANA.COM, and even the Washington Post. Oracle's own appearance as a victim suggests the company's internal EBS deployments were hit by the flaw as well.

Extortion emails from addresses like support@pubstorm[.]com demand payment to halt data dumps, including financial records and personal info.

Experts urge immediate patching and a review of endpoint detection coverage. Scan web server logs for indicators such as unexpected requests to the SyncServlet endpoint, or XSLT markup appearing in RF.jsp requests.

Organizations using EBS should isolate internet-facing instances and audit access logs from August 2025 onward, the month exploitation is reported to have started.
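The hunt described in the two preceding paragraphs can be scripted. The following is an added example written for this article, not code from Oracle or from the researchers who reported the flaw. It parses Apache/OHS combined-format access log lines, flags requests to the two endpoints named above (OA_HTML/SyncServlet and OA_HTML/RF.jsp) from August 2025 onward, marks RF.jsp requests whose query string contains XSLT markup, and reports source addresses that hit SyncServlet and then RF.jsp, which is the two-stage order the article describes. The log lines, the addresses and the query parameter name are constructed samples for illustration; they are not the real exploit payload, and a real EBS front-end may log in a different format.

```python
"""Hunt for CVE-2025-61882-style activity in EBS front-end access logs.

Added example, not from the original article, Oracle, or any exploit.
Assumptions: Apache/OHS combined log format, UTC timestamps, and the two
endpoint paths named in the article. Sample lines below are constructed.
"""
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Endpoints the article names as the two stages of the exploit chain.
SUSPECT_PATHS = {
    "/OA_HTML/SyncServlet": "SyncServlet request (pre-auth bypass stage)",
    "/OA_HTML/RF.jsp": "RF.jsp request (XSLT injection stage)",
}

# Apache/OHS combined log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode so encoded markup becomes visible
    return rec


def looks_like_xslt(text):
    """Heuristic: XSLT element or namespace smuggled into a query string."""
    t = text.lower()
    return "<xsl:" in t or "xsl/transform" in t


def hunt(lines, start="2025-08-01"):
    """Flag requests to the suspect endpoints on or after `start` (UTC date)."""
    start_ts = datetime.strptime(start, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < start_ts:
            continue
        reason = SUSPECT_PATHS.get(rec["path"])
        if reason is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "reason": reason,
            "xslt_markup": looks_like_xslt(rec["query"]),
        })
    return findings


def chained_sources(findings):
    """Source IPs that hit SyncServlet and afterwards RF.jsp (findings are in log order)."""
    seen_sync = set()
    chained = []
    for f in findings:
        if f["path"] == "/OA_HTML/SyncServlet":
            seen_sync.add(f["ip"])
        elif f["path"] == "/OA_HTML/RF.jsp" and f["ip"] in seen_sync and f["ip"] not in chained:
            chained.append(f["ip"])
    return chained


# Constructed sample log; the "?p=" parameter is invented for illustration only.
SAMPLE_LOG = [
    # Before the hunt window: excluded by the default start date.
    '203.0.113.99 - - [02/Jul/2025:09:12:44 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 310 "-" "python-requests/2.31"',
    # Benign EBS login traffic: not a suspect path.
    '198.51.100.7 - - [11/Aug/2025:08:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # Two-stage pattern from one source: SyncServlet, then RF.jsp carrying XSLT markup.
    '203.0.113.10 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.10 - - [12/Aug/2025:03:14:09 +0000] "POST /OA_HTML/RF.jsp?p=%3Cxsl%3Astylesheet HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    # Unparsable line: skipped by parse_line().
    "not a log line",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for f in found:
        print(f)
    print("chained sources:", chained_sources(found))
```

The default window starts on 1 August 2025 to match the article's guidance, but `hunt(lines, start="2025-01-01")` widens it; a pre-window hit on SyncServlet is still worth a look, since the August date is when exploitation was first reported, not necessarily when it began.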

This attack underscores how exposed ERP systems are within supply chains. Clop's tactics keep evolving, pairing zero-days with mass extortion.

Firms must prioritize threat hunting in legacy enterprise apps to avoid similar fallout.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging threats and technologies.
