Mazda recently confirmed that it was among the organizations targeted in the widespread hacking campaign that has been exploiting vulnerabilities within Oracle’s E-Business Suite (EBS). A representative from Mazda Motor Europe clarified that the company’s internal monitoring detected “traces of an attack,” yet its existing “defensive measures were effective,” successfully preventing any disruption. Specifically, the carmaker reported to SecurityWeek that the incident did not have any impact on system operations or vehicle production. Furthermore, Mazda stated definitively that “no data leakage has been confirmed” following the attempt.
In response to the campaign, the carmaker was proactive, noting that it had promptly applied the necessary EBS patches that were provided by Oracle in October. Oracle’s initial statements about the campaign suggested that threat actors were exploiting a known vulnerability that had been patched back in July. However, the software giant later released patches for two additional, potentially involved flaws, tracked as CVE-2025-61884 and CVE-2025-618842. This subsequent patching suggested that previously unknown, or zero-day, vulnerabilities may have been implicated in the sophisticated wave of attacks against its customers.
The Cl0p ransomware group has taken credit for the entire Oracle EBS campaign and has specifically named both Mazda and Mazda USA on its dedicated leak website. Despite this claim and the public listing, the group has not yet published any data that it alleges was stolen from the carmaker’s systems. The leak site’s current message indicates that the company is being given a brief period, described as “some time to respond,” to answer the hackers’ demands. However, given the detailed assessment from Mazda that the attack was successfully blocked and resulted in no operational or data impact, it is widely considered unlikely that the company will proceed with paying any ransom.
While organizations are generally listed on the Cl0p website for a genuine reason—meaning an attack did occur—it is common practice for threat actors to exaggerate the actual scope and severity of a breach. This exaggeration serves as a primary tactic to increase the immense pressure on the victim company to comply with a ransom payment. The Cl0p website currently names a significant number of alleged victims from the Oracle EBS campaign, which now totals more than 100 entities, including dozens of major organizations across various sectors. The hackers have, in some instances, made public hundreds of gigabytes or even terabytes of files supposedly exfiltrated from other victims’ systems.
The list of confirmed companies that were successfully impacted continues to grow, with the latest confirmation coming from Cox Enterprises, which disclosed that the personal information of nearly 9,500 individuals was compromised in their incident. Other prominent entities that have publicly confirmed being hit include Logitech, The Washington Post, GlobalLogic, Harvard, and Envoy Air. A separate group of major organizations, including Schneider Electric, Emerson, Michelin, Broadcom, Bechtel, Canon, and Entrust, have also been named on the Cl0p site but have not yet issued public statements addressing the cybercriminals’ serious claims.