Cl0p Ransomware Exploits Oracle EBS Zero-Day Vulnerabilities in Widespread Attacks
In a significant escalation of cyber threats, the Cl0p ransomware group has launched a series of attacks exploiting zero-day vulnerabilities in Oracle's E-Business Suite (EBS). These vulnerabilities, identified as CVE-2025-61882 and CVE-2025-61884, have been actively exploited, leading to the compromise of over 100 organizations globally. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed the active exploitation of these vulnerabilities, adding CVE-2025-61884 to its Known Exploited Vulnerabilities catalog.
Cl0p's Strategic Shift to Supply Chain Attacks
Cl0p, also known as CLOP, has been a prominent player in the ransomware landscape, known for its disruptive operations. In 2025, the group intensified its focus on supply chain attacks, targeting critical software used by numerous organizations. By exploiting vulnerabilities in widely used platforms like Oracle EBS, Cl0p has been able to infiltrate multiple organizations through a single point of failure, amplifying the impact of their attacks.
Details of the Oracle EBS Vulnerabilities
The vulnerabilities CVE-2025-61882 and CVE-2025-61884 in Oracle EBS allow unauthenticated attackers to gain access to core components of the suite. This unauthorized access enables rapid data theft without the need to deploy traditional ransomware payloads. The exploitation of these vulnerabilities has led to significant data breaches, with sensitive information being exfiltrated and, in some cases, publicly disclosed.
Impact on Affected Organizations
The exploitation of Oracle EBS vulnerabilities by Cl0p has had far-reaching consequences. Over 100 organizations have been listed on Cl0p's leak site, indicating successful breaches. The sectors affected are diverse, including finance, healthcare, manufacturing, and government agencies. The data compromised in these attacks ranges from personal customer information to proprietary business data, posing severe risks to both the organizations and their clients.
Response from Cybersecurity Authorities
In response to these attacks, CISA has added CVE-2025-61884 to its Known Exploited Vulnerabilities catalog, urging organizations to apply patches and implement mitigations promptly. Cybersecurity experts recommend that organizations using Oracle EBS conduct thorough security assessments, apply all available patches, and monitor their systems for signs of compromise.
Cl0p's Evolving Tactics
Cl0p's recent activities highlight a strategic evolution in ransomware operations. By focusing on supply chain vulnerabilities, the group maximizes its reach and impact. This approach underscores the importance of securing not just individual systems but also the broader software supply chain. Organizations are advised to adopt a comprehensive cybersecurity strategy that includes regular vulnerability assessments, employee training, and incident response planning.
Conclusion
The Cl0p ransomware group's exploitation of Oracle EBS zero-day vulnerabilities serves as a stark reminder of the evolving nature of cyber threats. Organizations must remain vigilant, ensuring that their systems are up-to-date and that they have robust security measures in place to defend against such sophisticated attacks. Collaboration between cybersecurity authorities and the private sector is crucial in identifying and mitigating these threats promptly.