Severity
High
Analysis Summary
The recent data theft and extortion campaign targeting Oracle E-Business Suite (EBS) customers has been confirmed to be the work of the Cl0p ransomware group, which exploited a previously unknown zero-day vulnerability (CVE-2025-61882). Oracle has acknowledged the issue, confirming that the attackers leveraged this flaw for remote code execution (RCE) against unpatched EBS instances.
The campaign surfaced when a security firm reported that executives from multiple organizations using Oracle EBS received extortion emails claiming that sensitive data had been stolen from their systems. The messages urged victims to contact the attackers, who were later confirmed to be Cl0p, a group known for exploiting zero-days in MOVEit, Cleo, and Fortra file transfer systems.
According to researchers, Cl0p exfiltrated data from EBS customers in August 2025 and began sending extortion messages in late September. While Oracle initially attributed the incident to previously patched vulnerabilities, it later confirmed the existence of a critical zero-day affecting Oracle EBS versions 12.2.3–12.2.14. The flaw resides in the BI Publishing Integration component of Oracle Concurrent Processing and carries a CVSS score of 9.8, allowing unauthenticated RCE.
Oracle has since released security patches to help organizations detect breaches and mitigate exposure. However, researchers warned that, given the widespread exploitation, other threat actors are likely to adopt these vulnerabilities in upcoming campaigns.
Carmakal cautioned that even patched systems might have been compromised before the updates were applied and advised all Oracle EBS users to investigate for prior intrusion. Meanwhile, groups such as Scattered Spider and ShinyHunters are suspected of involvement, as they recently posted what appear to be EBS exploit details on their new Telegram channel despite previously announcing their retirement.
Impact
- Remote Code Execution
- Unauthorized Access
Indicators of Compromise
CVE
CVE-2025-61882
Affected Vendors
- Oracle
Affected Products
- Oracle E-Business Suite 12.2.3-12.2.14
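The first step of the remediation below is knowing which EBS instances fall in the affected 12.2.3–12.2.14 range. The following is an added example, not code from the advisory or from Oracle, that triages a constructed host inventory against that range and ranks internet-exposed instances first. It compares versions numerically rather than as strings (a string compare would rank "12.2.10" below "12.2.3"); hostnames and versions are made up, and the EBS release number says nothing about whether the October patch is applied, so patch level must still be checked separately.

```python
# Added example (not part of the advisory): triage an inventory of Oracle EBS
# instances against the affected range named above, 12.2.3 through 12.2.14.
# Hostnames and version strings below are constructed sample data.
from typing import List, Tuple

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '12.2.10' into (12, 2, 10) so comparison is numeric, not lexical.
    A plain string compare would wrongly rank '12.2.10' below '12.2.3'."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EBS version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(v: str) -> bool:
    """True when the release falls inside the advisory's affected range.
    Note: the release number alone does not show whether the fix is applied."""
    t = parse_version(v)
    # normalise to three components so '12.2' compares sanely
    t = t + (0,) * (3 - len(t)) if len(t) < 3 else t[:3]
    return AFFECTED_MIN <= t <= AFFECTED_MAX


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """inventory rows: (hostname, version, internet_exposed).
    Returns (hostname, action) for every in-range instance; exposed
    instances are listed first because they match the campaign's profile."""
    findings = []
    for host, version, exposed in inventory:
        if not is_affected(version):
            continue
        action = "patch now + compromise assessment"
        if exposed:
            action = "isolate, " + action
        findings.append((host, action))
    findings.sort(key=lambda f: 0 if f[1].startswith("isolate") else 1)
    return findings


# constructed sample inventory (hostname, EBS release, internet-exposed?)
SAMPLE_INVENTORY = [
    ("ebs-prod-01", "12.2.14", True),
    ("ebs-prod-02", "12.2.10", False),
    ("ebs-legacy", "12.1.3", True),
    ("ebs-dev", "12.2.2", False),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```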
Remediation
- Apply Oracle’s latest security patches immediately, closing the zero-day CVE-2025-61882 and related vulnerabilities.
- Conduct forensic analysis of EBS systems and check for indicators of compromise and unauthorized access.
- Revoke and rotate all credentials, API keys, and tokens potentially exposed during the breach.
- Monitor network and application logs to detect unusual access or data exfiltration patterns.
- Restrict external access to Oracle EBS, limiting exposure to trusted IP ranges or VPN connections.
- Disable or harden the BI Publishing Integration component until fully patched.
- Implement web application firewalls and intrusion detection rules to block exploitation attempts.
- Audit privileged accounts, enforce least privilege and review administrator activity.
- Enable multi-factor authentication for Oracle EBS and related administrative interfaces.
- Back up critical data securely and verify recovery integrity in case of ransomware impact.
- Isolate affected systems from the network to prevent lateral movement.
- Update incident response plans to include Oracle EBS-specific compromise scenarios.
- Notify impacted stakeholders and clients, providing transparency and guidance on remediation.
- Engage external cybersecurity experts for compromise assessment and containment.
- Train system administrators to recognize and respond to extortion attempts.
- Validate the integrity of application configurations and database schemas post-patching.
- Strengthen patch management policies to reduce exposure time to future zero-days.
- Conduct a post-incident security review to address systemic weaknesses and improve defenses.