
Google details Clop extortion campaign leveraging 0-day in Oracle E-Business Suite

Update 11, 10-10-2025 - Google details Clop extortion campaign leveraging 0-day in Oracle E-Business Suite

 

Executive Summary
Google Threat Intelligence Group (GTIG) and Mandiant have published an in-depth analysis of the recent extortion campaign orchestrated by Cl0p, exploiting the critical vulnerability CVE-2025-61882 in Oracle E-Business Suite (EBS).
Their investigation reveals that initial intrusions date back to August 9, 2025, with suspicious activity detected as early as July 10.

The attackers leveraged multiple vulnerabilities in Oracle EBS to gain remote access, maintain persistence, and exfiltrate sensitive data.
The threat level remains at 4 out of 5.


What It Means
GTIG and Mandiant confirm that Cl0p exploited a 0-day vulnerability in Oracle E-Business Suite several weeks before Oracle’s patch release. The campaign peaked on September 29, 2025, when the attackers conducted a large-scale email extortion operation targeting executives at multiple organizations running EBS.

The messages, sent from compromised third-party accounts sourced from infostealer logs, claimed that victims’ sensitive data had been stolen. They also included contact details linked to Cl0p’s Data Leak Site (DLS), strengthening attribution.

Mandiant identified distinct exploitation chains targeting several Oracle EBS components, including UiServlet and SyncServlet. While GTIG found no evidence of UiServlet exploitation, the SyncServlet module, identified in August, is now considered the most probable attack vector for CVE-2025-61882. Attackers likely used it to inject malicious XSL files into the database via the XDO Template Manager, triggering remote code execution.

The payloads embedded in these XSL templates include the GOLDVEIN.JAVA downloader (whose command-and-control traffic masquerades as a TLS session) and the SAGE malware family, composed of:

  • SAGEGIFT – persistence
  • SAGELEAF – in-memory loading
  • SAGEWAVE – C2 communications

These closely resemble the GOLDVEIN and GOLDTOMB malware families deployed during Cl0p’s Cleo software compromise in late 2024, further solidifying attribution.

Researchers also observed reconnaissance activity conducted from the EBS account “applmgr”, followed by reverse connections to 200[.]107[.]207[.]26, an IOC previously shared by Oracle.
While no datasets have yet been published on Cl0p’s DLS, this delay aligns with the group’s typical operating pattern—often waiting several weeks between data theft and publication.
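The two observations above (malicious XSL templates injected through the XDO Template Manager, and reconnaissance from the "applmgr" account followed by reverse connections to 200[.]107[.]207[.]26) both lend themselves to a simple hunt. The script below is an added example written for this page; it is not code from the original advisory, from Google, Mandiant or Oracle, and it does not reproduce the actual Cl0p templates. It assumes two things that are not stated on the page: that XDO templates have been exported to text so a template body can be handed to the scanner, and that host telemetry is available as key=value lines (the sample lines are constructed). The red flags it looks for in XSL are the generic ways a stylesheet reaches Java on Xalan-based and Oracle XDK processors (the `http://xml.apache.org/xalan/java` and `http://www.oracle.com/XSL/Transform/java/` extension namespaces, Xalan `script` elements, and references to `java.lang.Runtime` / `ProcessBuilder`); treat the namespace list as an assumption to verify against your own XSLT processor. The IoC IP is the one published on this page, refanged.

```python
import re
from typing import Dict, List

# IoC from this advisory (refanged form of 200[.]107[.]207[.]26).
IOC_IPS = {"200.107.207.26"}

# Namespace prefixes that let an XSL stylesheet call into Java on Xalan-based
# processors and on the Oracle XDK XSLT engine. Assumption: a normal BI
# Publisher / XDO template has no business binding these.
JAVA_EXT_NS_PREFIXES = (
    "http://xml.apache.org/xalan/java",
    "http://xml.apache.org/xslt/java",
    "http://www.oracle.com/XSL/Transform/java/",
)
# Java classes that have no place in a reporting template.
DANGEROUS_CLASSES = (
    "java.lang.Runtime", "java.lang.ProcessBuilder", "ScriptEngineManager",
    "ClassLoader", "java.io.File", "java.nio.file",
)
NS_DECL = re.compile(r'xmlns:(\w+)\s*=\s*"([^"]+)"')


def scan_xsl_template(body: str) -> List[str]:
    """Return a list of findings for one XSL template body; empty means clean."""
    findings: List[str] = []
    java_prefixes: List[str] = []
    for prefix, uri in NS_DECL.findall(body):
        if uri.startswith(JAVA_EXT_NS_PREFIXES):
            java_prefixes.append(prefix)
            findings.append(f"java-extension-namespace:{prefix}={uri}")
    # Any function call through a Java-bound prefix, e.g. rt:java.lang.Runtime.getRuntime()
    for prefix in java_prefixes:
        for call in re.findall(rf"\b{re.escape(prefix)}:([\w.]+)\s*\(", body):
            findings.append(f"extension-call:{prefix}:{call}")
    # Xalan's <xalan:script lang="javaclass"> style extension definitions.
    if re.search(r"<\w+:script\b", body) or re.search(r'lang\s*=\s*"javaclass"', body, re.I):
        findings.append("xalan-script-element")
    for cls in DANGEROUS_CLASSES:
        if cls in body:
            findings.append(f"dangerous-class:{cls}")
    return findings


# Constructed host telemetry: "<timestamp> key=value key=value ...".
# Line 2 models the applmgr reconnaissance followed by a reverse connection
# to the advisory's IoC; the other lines are normal or unrelated traffic.
SAMPLE_LOG_LINES = [
    "2025-08-09T13:04:58Z host=ebs-app01 user=applmgr event=proc cmd='whoami'",
    "2025-08-09T13:05:11Z host=ebs-app01 user=applmgr event=conn proto=tcp src=10.20.30.40 dst=200.107.207.26 dport=443 dir=out",
    "2025-08-09T13:05:12Z host=ebs-app01 user=oracle event=conn proto=tcp src=10.20.30.40 dst=10.20.30.50 dport=1521 dir=out",
    "2025-08-09T13:06:00Z host=ebs-app02 user=applmgr event=conn proto=tcp src=10.20.30.41 dst=203.0.113.9 dport=443 dir=out",
]
KV = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a constructed log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip("'") for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields


def find_ioc_connections(lines: List[str]) -> List[Dict[str, str]]:
    """Return every outbound connection whose destination is a known IoC."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f.get("event") == "conn" and f.get("dst") in IOC_IPS:
            hits.append({"ts": f["ts"], "host": f.get("host", ""), "user": f.get("user", ""),
                         "dst": f["dst"], "dport": f.get("dport", "")})
    return hits


# Constructed templates: a harmless FO report and one that binds a Java
# extension namespace and shells out. Neither is a real Cl0p artifact.
BENIGN_XSL = """<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:fo="http://www.w3.org/1999/XSL/Format">
  <xsl:template match="/">
    <fo:root><fo:block><xsl:value-of select="/INVOICE/TOTAL"/></fo:block></fo:root>
  </xsl:template>
</xsl:stylesheet>
"""
SUSPICIOUS_XSL = """<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:rt="http://xml.apache.org/xalan/java">
  <xsl:template match="/">
    <xsl:variable name="r" select="rt:java.lang.Runtime.getRuntime()"/>
    <xsl:value-of select="rt:exec($r, 'id')"/>
  </xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_XSL), ("suspicious", SUSPICIOUS_XSL)):
        print(name, scan_xsl_template(body))
    for hit in find_ioc_connections(SAMPLE_LOG_LINES):
        print("IoC connection:", hit)
```

In a real hunt the template bodies would come from the XDO template tables rather than inline strings, and the connection records from your EDR or flow logs; the point of the script is the two checks, not the data source. A match from the XSL scanner on a template that nobody in the BI team recognises, on a host that later opened an outbound connection as applmgr, is exactly the sequence this page describes.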

This campaign reinforces Cl0p’s ongoing focus on rapid exploitation of 0-days in critical enterprise platforms, sustaining its position as a leading actor in large-scale data extortion operations.

The threat level remains at 4 out of 5.


What You Should Do

  • Orange Cyberdefense ThreatMap Standard or Premium clients have access to relevant Indicators of Compromise (IoCs), automatically integrated into Managed Threat Detection (MTD) services.
  • Clients using MTD with Threat Hunting can request prioritization of these IoCs through their MTD customer portal or by contacting their Orange Cyberdefense representative.
  • ThreatMap Core users can automatically feed network-related IoCs into their own security controls. To learn more about supported firewall, proxy, and vendor integrations, please reach out to your Orange Cyberdefense Trusted Solutions representative.

 

Update 10, 10-06-2025 - 0-day vulnerability exploited by Cl0p patched by Oracle (CVE-2025-61882)

Oracle released an emergency update for an unauthenticated remote code execution vulnerability in its E-Business Suite (EBS) tracked as CVE-2025-61882. The CVE has a CVSS v3.1 score of 9.8 and has most likely been exploited since at least August 2025. Discovery of the 0-day and development of the exploit have been attributed to the cyber extortion group known as Cl0p.

Cl0p is a notorious cyber extortion actor known for exploiting zero-day vulnerabilities to steal data from widely deployed file transfer and enterprise products, including:

  • Accellion FTA platform (2020)
  • SolarWinds Serv-U FTP (2021)
  • GoAnywhere MFT platform (2023)
  • MOVEit Transfer (2023)
  • Cleo file transfer (2024)

The Scattered Lapsus$ Hunters actor was one of the first to credit Cl0p with the 0-day, explicitly referring to exploit archives it claimed had been created by Cl0p.

Mandiant’s CTO, Charles Carmakal, has publicly commented that attackers exploited multiple vulnerabilities in Oracle products, some of them patched in July 2025, in addition to the newly fixed CVE-2025-61882. This suggests that a wider range of exploit activity affecting Oracle products has taken place.

System administrators must therefore patch exposed and vulnerable Oracle products as quickly as possible, given the ease of exploitation and the freely available exploits, and should review the published IoCs for signs of earlier compromise, since exploitation predates the patch.

World Watch clients can follow developments here, as well as review other related news and vulnerability information here.
