The Clop ransomware gang has been actively exploiting a critical, previously unknown zero-day vulnerability in Oracle E-Business Suite (EBS) since at least early August to steal data, according to researchers at CrowdStrike.
The flaw, tracked as CVE-2025-61882, was recently patched by Oracle. It was discovered in the BI Publisher Integration component of Oracle EBS and allowed unauthenticated attackers to achieve remote code execution (RCE) on unpatched systems in low-complexity attacks that required no user interaction.
Security analysts found that the vulnerability is actually a chain of flaws that allows threat actors to gain RCE using a single HTTP request without needing to authenticate.
CrowdStrike confirmed on Monday that they first observed the Clop ransomware group exploiting this bug as a zero-day back on August 9, 2025, to steal sensitive documents. They suspect other threat groups may have also joined the attacks.
Mandiant and Google Threat Intelligence Group (GTIG) confirmed last week that Clop has been emailing executives at multiple companies as part of an ongoing extortion campaign. The group is demanding ransoms to prevent the sensitive data allegedly stolen from the Oracle E-Business Suite systems from being leaked online. Oracle has officially linked these extortion attempts to the CVE-2025-61882 flaw and has urged customers to prioritize patching the actively exploited vulnerability.
Clop has a history of abusing zero-day flaws for large-scale data theft, having previously targeted vulnerabilities in products like Cleo's secure file transfer software, Accellion FTA, GoAnywhere MFT, and MOVEit Transfer, the latter of which impacted over 2,770 organizations. The U.S. State Department has even offered a $10 million reward for information connecting Clop's attacks to a foreign government.