URGENT ALERT: ORACLE EBS ZERO-DAY VULNERABILITY EXPLOITED BY CLOP RANSOMWARE

  • 24/11/2025

A critical vulnerability in the Oracle E-Business Suite (EBS) is being exploited by the notorious Clop ransomware group, targeting large enterprises and organizations worldwide. The vulnerability, CVE-2025-61882, allows attackers to gain unauthorized access and control over core ERP functions, including procurement, logistics, and finance.

Clop Ransomware Campaign Targets Oracle EBS

The Clop campaign began in June 2025, when the group discovered and exploited an unpatched zero-day vulnerability in Oracle EBS. Oracle only released a patch in October 2025, but the exploit code had already been publicly leaked, putting enterprises using the Oracle ERP platform at risk.

Clop’s Command-and-Control (C2) Infrastructure

Clop operates over 90 C2 servers across multiple countries, including Germany, Brazil, Panama, and Hong Kong. These servers sit in IP ranges and with hosting providers already known from the group's earlier activity, showing a hybrid network that mixes old and new infrastructure to evade detection.

Details of CVE-2025-61882

This vulnerability allows attackers to send specially crafted requests to the Oracle EBS system, injecting malicious code into XSLT processing to execute remote commands without authentication. Once successfully exploited, Clop can:

  • Upload malicious files to the server

  • Extract sensitive data such as customer records, contracts, and financial information

  • Send ransom emails threatening to leak data if demands are not met

Risks of Compromised Oracle EBS

Compromise of Oracle EBS can result in:

  • Leakage of financial, contractual, HR, or customer data

  • Supply chain disruption, halted production, or service outages

  • Severe reputational damage to the organization

  • Significant financial losses for recovery and remediation

Recommended Protection Measures

Security experts recommend that organizations:

  • Immediately apply the Oracle EBS patch for CVE-2025-61882

  • Restrict Internet access to ERP servers, allowing internal connections only

  • Monitor for traffic to or from the IP addresses listed in published IOCs

  • Monitor unusual activity in ERP systems and internal networks

  • Establish incident response procedures and perform regular data backups
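The two network-side recommendations above (internal-only access to the ERP host, and watching for published IOC addresses) can be checked together against firewall connection logs. The script below is an added example, not code from the alert or from WhiteHat; it assumes a simple constructed log format, an assumed EBS server address of 10.20.30.40, and placeholder IOC ranges drawn from the documentation address space, which must be replaced with the published indicators.

```python
import ipaddress

# Placeholder indicator list (IANA documentation ranges, NOT real Clop IOCs):
# replace with the addresses from the published IOC feed.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Assumed address of the Oracle EBS application server, and the internal ranges
# that are the only ones allowed to reach it. RFC 1918 is listed explicitly because
# Python's is_private also treats the documentation ranges above as private.
ERP_HOST = ipaddress.ip_address("10.20.30.40")
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(ip, networks):
    return any(ip in net for net in networks)

def parse_line(line):
    """Parse one constructed firewall record: '<ts> <src>:<port> -> <dst>:<port> <action>'."""
    ts, src, _, dst, action = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port), action

def scan(lines):
    """Return (timestamp, finding, detail) tuples for records worth investigating."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, action = parse_line(line)
        detail = f"{src} -> {dst}:{dport} {action}"
        if in_any(src, IOC_NETWORKS) or in_any(dst, IOC_NETWORKS):
            # Inbound attempts from and outbound C2 check-ins to a listed
            # indicator are both reported, whatever the firewall verdict was.
            findings.append((ts, "ioc-match", detail))
        elif src == ERP_HOST and not in_any(dst, INTERNAL_NETWORKS):
            # The ERP host reaching outside the internal ranges at all violates
            # the "internal connections only" policy, even with no IOC match.
            findings.append((ts, "egress-policy-violation", detail))
        elif dst == ERP_HOST and not in_any(src, INTERNAL_NETWORKS):
            findings.append((ts, "external-ingress", detail))
    return findings

# Constructed sample log, not captured traffic.
SAMPLE_LOG = """\
2025-11-20T08:00:01Z 10.1.1.5:51234 -> 10.20.30.40:443 ALLOW
2025-11-20T08:00:07Z 203.0.113.5:40001 -> 10.20.30.40:443 ALLOW
2025-11-20T08:00:09Z 10.20.30.40:38811 -> 10.20.30.1:53 ALLOW
2025-11-20T08:00:12Z 10.20.30.40:38812 -> 198.51.100.7:443 ALLOW
2025-11-20T08:00:15Z 10.20.30.40:38813 -> 192.0.2.9:8443 DENY
2025-11-20T08:00:20Z 192.0.2.44:50000 -> 10.20.30.40:443 DENY
"""

if __name__ == "__main__":
    for ts, kind, detail in scan(SAMPLE_LOG.splitlines()):
        print(ts, kind, detail)
```

A denied outbound connection from the ERP host is still worth a ticket: the firewall did its job, but something on the server tried to reach out.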

Clop Ransomware: Sophisticated and Dangerous

The return of Clop demonstrates that ransomware is becoming increasingly sophisticated and organized, exploiting zero-day vulnerabilities to infiltrate critical enterprise systems. Delaying patch updates essentially leaves the door open for attackers.

(Information referenced from WhiteHat)
