In early October, Google Threat Intelligence Group (GTIG) and Mandiant researchers began tracking a suspected Cl0p ransomware campaign aimed at extorting company executives. The attackers sent emails claiming to have stolen data from Oracle E-Business Suite (EBS). Cybersecurity firm Halcyon reported that the attackers likely used a combination of hacked user emails and a default password reset vulnerability within the EBS system to steal valid credentials. While an email used in the extortion notes linked to a Cl0p affiliate, Google stated it lacked the definitive proof to confirm the attackers’ claims. Mandiant’s CTO, Charles Carmakal, confirmed that hundreds of compromised accounts were used in this widespread extortion campaign, with at least one account showing ties to the financially motivated hacker group FIN11.
Oracle has since released an emergency patch to address the critical vulnerability, CVE-2025-61882, which carries a CVSS score of 9.8. This flaw was actively exploited by the Cl0p ransomware group in data theft attacks. The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.14 and is easily exploitable via HTTP by unauthenticated remote attackers. The exploitation of this flaw allows attackers to take complete control of the Oracle Concurrent Processing component. Researchers from CrowdStrike have also attributed the exploitation of CVE-2025-61882 with moderate confidence to the Cl0p group, which is also known as Graceful Spider.
The initial exploitation activity began with a simple HTTP POST to /OA_HTML/SyncServlet to bypass authentication, sometimes abusing an admin EBS account. Attackers then targeted Oracle’s XML Publisher Template Manager, using /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload a malicious XSLT template. When the template’s preview was executed, it ran commands, opening an outbound TLS connection to attacker infrastructure. This connection was then used to load web shells for command execution and to maintain persistence. In some instances, attackers used a two-stage process involving two files, FileUtils.java and Log4jConfigQpgsubFilter.java, to install a memory-resident web shell, allowing them to execute code without writing files to the disk.
The exploitation of CVE-2025-61882 was found to have started as early as August 9, with signs of an even earlier attempt on July 10, just before Oracle’s July patches were released. GTIG and Mandiant suggest this earlier activity may have been an initial exploit attempt. Google’s analysis revealed that attackers used a malicious template within vulnerable Oracle EBS databases to store a payload that was activated in the final stage of the attack chain. CrowdStrike has warned that the public disclosure of a proof-of-concept (POC) on October 3 and Oracle’s subsequent patch will almost certainly motivate other threat actors to develop weaponized versions and target exposed EBS instances on the internet.
While GTIG has not officially attributed the Oracle EBS attacks to a specific group, there are significant overlaps that suggest ties to the FIN11 hacking group and the Cl0p extortion brand. The campaign reused Cl0p contact emails and displayed technical similarities to the GOLDVEIN.JAVA and GOLDTOMB malware used by FIN11/UNC5936 during the Cleo MFT exploits in 2024. One of the compromised accounts was also previously used by FIN11, although the tools are not exclusive to that group, making definitive attribution difficult.
Reference:
