Features 30.10.2025

AI Autopsy: Cl0p Is Back with a Zero-Day Exploit Targeting Oracle EBS

Victims from this data extortion campaign had yet to appear en masse on the Cl0p leak site, but repercussions could still be significant

Cl0p is back on the scene. Phil Muncaster does a deep-dive analysis of the latest campaign targeting Oracle E-Business Suite

Not all cybercrime groups are created equal. At one end might sit low-level digital extortionists who use DDoS-for-hire services to try to force victims to pay. At the other end are outfits like FIN11 and Cl0p: well-resourced, highly technical, and with a string of successful campaigns under their belts. The bad news for CISOs is that the latter appear to be back on the scene, in a new campaign targeting Oracle E-Business Suite (EBS) customers with zero-day attacks.

At the time of writing, victims from this data extortion campaign had yet to appear en masse on the Cl0p leak site. But with thousands of EBS instances exposed to the internet, the repercussions could be significant.

What happened?

The story begins back on September 29, when Google Threat Intelligence Group (GTIG) and Mandiant began tracking an extortion campaign linked to the infamous Cl0p brand. This is the group responsible for some of the most significant data theft campaigns of recent years. Its MO: zero-day exploitation of popular file transfer software such as Accellion FTA, GoAnywhere MFT, MOVEit MFT, and Cleo LexiCom. Data theft and extortion follow, often with devastating effect. The MOVEit campaign is believed to have affected over 2,000 organisations and nearly 100 million downstream victims.


True to form, at the end of September, GTIG observed “hundreds, if not thousands”, of hijacked email accounts sending out extortion emails to company executives. These claimed that Cl0p had “recently breached” the recipients’ Oracle EBS application and “copied a lot of documents”. The only way to avoid the documents being sold to criminal actors and shared publicly is “to discuss conditions and pay [the] claimed sum”, the email continued.

Oracle initially claimed (on October 2) that the threat actors may have exploited CVEs patched in July. However, it was soon forced on the defensive, issuing an emergency patch for a new zero-day (CVE-2025-61882) two days later. GTIG claims the threat actor likely exploited the vulnerability as early as August 9, with suspicious activity dating back to July 10.

“In some cases, the threat actor successfully exfiltrated a significant amount of data from impacted organisations,” it warns.

Digging deeper

GTIG says Mandiant has observed “multiple different exploit chains” involving Oracle EBS and has not been able to determine which ones correspond to the zero-day activity. In July, exploits targeted /OA_HTML/configurator/UiServlet, it says. Then, in August, Mandiant observed exploitation of a vulnerability in the SyncServlet component of Oracle EBS, with the intent to achieve unauthenticated remote code execution (RCE). This originated from multiple threat actor servers, including 200.107.207.26, which had been linked to suspicious activity before the July patches.

The XSL payloads observed in this attack contained a Java variant of the Goldvein downloader, a Sagegift loader written for Oracle WebLogic servers, and a Sageleaf in-memory dropper designed to install the Sagewave malicious Java servlet filter. Following successful exploitation, Mandiant says it observed reconnaissance efforts from an EBS account “applmgr”.

The zero-day vulnerability itself enables an unauthenticated attacker to send specially crafted HTTP requests to an affected component, resulting in complete system compromise with no user interaction required. Both the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have urged organisations to patch promptly. CISA says the vulnerability has featured in “known ransomware campaigns”, although it’s unclear whether this refers to the Cl0p data theft campaign or to others.

Lessons learned

GTIG tells Assured Intelligence that it is aware of dozens of victims, but that there are likely to be more than 100. The only ones confirmed at the time of writing were Harvard University and Envoy Air. Reports suggest that Cl0p has published over a terabyte of data stolen from the Ivy League institution. However, the size of the haul has yet to be verified, with the university claiming the incident affects “a limited number of parties associated with a small administrative unit”. Meanwhile, the American Airlines subsidiary admitted that “a limited amount of business information and commercial contact details may have been compromised” after Cl0p claimed to have posted 26GB of data.


There were 2,777 EBS instances online as of October 23, according to Censys. The US, China and India had the highest number, with manufacturing (14%), government (12%), holding companies (10%) and energy/utilities (6%) potentially most exposed.

“It’s possible that some organisations have taken down or protected their instances in the days since news of exploitation broke nearly a week and a half ago,” Censys principal security researcher, Emily Austin, tells Assured Intelligence. “We don’t have visibility into attack traffic, but based on Cl0p’s previous campaigns, if an EBS instance running versions 12.2.3 to 12.2.14 was exposed to the internet as of early August 2025, it’s reasonable to assume it’s been exploited.”

So what can CISOs do to build resilience against similar campaigns in the future? Unfortunately, zero-day exploits, while rare, are difficult to defend against, according to Genevieve Stark, head of cybercrime and information operations intelligence analysis at GTIG. “These threat actors likely perceive that zero-day exploits may enable them to quickly obtain access to a large number of organisations’ networks, including organisations with strong security postures,” she tells Assured Intelligence.

Her colleague Zander Work, who’s a senior security engineer at GTIG, says the best that organisations can do is “continue to monitor and audit their external-facing attack surface, and prioritise patching and hardening of those systems, especially those that store/process sensitive data.”

Censys’ Austin adds that good security hygiene can also go a long way to insulating organisations from serious threats. “Ideally, enterprise back-office software login interfaces shouldn’t be exposed directly to the internet, but instead protected behind a VPN or other solution,” she advises.

For Cobalt CISO, Andrew Obadiaru, the sheer complexity and interconnectedness of the enterprise software ecosystem make it impossible to prevent every intrusion.

“Cl0p’s repeated success highlights a wider industry gap: too many organisations still rely on unvalidated defensive controls instead of proactive, intelligence-informed testing,” he tells Assured Intelligence. “By combining threat intelligence, automated attack simulations, and human-led pen testing conducted by security experts, enterprises can reduce dwell time, close exposure windows, and limit the blast radius of inevitable zero-day exploits.”

Those pen tests, designed to simulate real-world adversaries, are critical to “expose weaknesses that traditional patch management or compliance checks might miss,” Obadiaru adds.

For CISOs who escaped the Cl0p raid on corporate data, there’s no time to celebrate. Proactive resilience building is now essential, as zero-day threats imperil popular SaaS tools such as Oracle EBS. When the next one comes around, those capable of rapid detection, containment and recovery stand the best chance of weathering the storm.

The NCSC’s five-point plan for Oracle EBS customers

  1. Determine whether you have been compromised by consulting the IoCs published in Oracle’s advisory.
  2. If you believe you have been compromised, contact the Oracle PSIRT and report the incident to the NCSC.
  3. Install the latest Oracle E-Business Suite (EBS) update. The October 2023 Critical Patch Update must be installed first.
  4. Perform continuous network monitoring and threat hunting.
  5. Try to minimise the amount of enterprise software directly accessible from the public internet. Where Oracle EBS needs to be internet-facing, follow Oracle. The NCSC also has helpful guidance on securing network perimeters and perimeter-based products that could be harmful.
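Steps 1 and 4 of the plan (checking IoCs and hunting) can be applied to the EBS web tier's own access logs. The helper below is an added example, not Oracle's or the NCSC's tooling: it flags requests to the two servlets named in the article's exploit chains, requests from the 200.107.207.26 address the article mentions, and only within the window from 10 July 2025 that GTIG says suspicious activity dates from. A path hit is a review trigger, not a verdict, since both servlets also serve legitimate traffic; the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Values taken from the article; everything else here is an assumption for the example.
SUSPECT_PATHS = ("/OA_HTML/configurator/UiServlet", "SyncServlet")
KNOWN_IOC_IPS = {"200.107.207.26"}
ACTIVITY_START = datetime(2025, 7, 10, tzinfo=timezone.utc)

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields the hunt needs, or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def classify(rec):
    """Reasons a request deserves analyst review; an empty list means none."""
    reasons = []
    path = rec["path"].split("?", 1)[0]  # match on the servlet, not its query string
    if any(p in path for p in SUSPECT_PATHS) and rec["ts"] >= ACTIVITY_START:
        reasons.append("request to a servlet named in the observed exploit chains")
    if rec["ip"] in KNOWN_IOC_IPS:
        reasons.append("source address is a published IoC")
    return reasons

def hunt(lines):
    """Parse each line, keep those with at least one review reason, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and (reasons := classify(rec)):
            findings.append({**rec, "reasons": reasons})
    return findings

def by_source(findings):
    """Count findings per source IP so the noisiest addresses are reviewed first."""
    return Counter(f["ip"] for f in findings)

# Constructed sample log: one benign request, one internal path hit, one IoC hit, one junk line.
SAMPLE_LOG = [
    '10.20.30.40 - - [05/Jul/2025:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120',
    '10.20.30.41 - - [12/Jul/2025:10:00:00 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 812',
    '200.107.207.26 - - [09/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 233',
    '198.51.100.7 - - [09/Aug/2025:03:15:20 +0000] "POST /OA_HTML/configurator/UiServlet?x=1 HTTP/1.1" 500 0',
    'not a log line',
]
```

Run `hunt(SAMPLE_LOG)` to get three findings; the IoC address carries two reasons and the others one each.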
