Clop Exploits Oracle E-Business Suite Vulnerability for Data Extortion Attacks
Clop, a Russian-speaking cybercriminal group, has launched a widespread campaign exploiting a critical vulnerability in Oracle E-Business Suite (EBS), targeting hundreds of organizations globally. Allianz UK confirmed that it was among the victims, with the attackers compromising data belonging to 80 current and 670 former customers, though no impact was reported for its subsidiary Liverpool Victoria (LV). The attack vector was traced to Oracle EBS used in Allianz UK's personal lines business, and the company reported the incident to the Information Commissioner's Office. Other notable victims include the Washington Post and Envoy Air, with researchers estimating that dozens of organizations may have been affected since July through exploitation of CVE-2025-61882.
Clop's campaign is characterized by data exfiltration and extortion rather than traditional ransomware, with the group threatening to leak stolen data unless contacted by victims within a set deadline. Logitech was also named as a target, though the company has not confirmed a breach. The campaign's scale is significant, with at least 835 documented victims attributed to Clop since 2019, and the group has previously exploited vulnerabilities in other file-transfer platforms such as MOVEit and Fortra GoAnywhere. The Oracle EBS vulnerability was first detected in July, with Oracle releasing an initial patch in October that proved insufficient, necessitating a second critical update and leaving many organizations exposed for several days.
Timeline
Nov 14, 2025
Logitech confirms data breach linked to Clop extortion campaign
Logitech confirmed a data breach attributed to exploitation of a zero-day in a third-party platform reportedly involving Oracle E-Business Suite. The company said limited employee, consumer, customer, and supplier data was likely exfiltrated, but not highly sensitive data such as national ID or credit card numbers.
Nov 13, 2025
Washington Post breach from Clop Oracle campaign becomes public
Reporting on November 13-14 indicated that The Washington Post was among the organizations impacted in Clop's Oracle EBS campaign, with nearly 10,000 people affected. The disclosure added another major victim to the growing list tied to CVE-2025-61882.
Nov 11, 2025
GlobalLogic discloses breach affecting nearly 10,500 workers
GlobalLogic disclosed that a breach tied to the Oracle EBS zero-day exposed sensitive HR data for nearly 10,500 current and former employees. The company acknowledged the theft as part of the wider Clop campaign targeting Oracle customers.
Nov 10, 2025
Allianz UK confirms Oracle EBS breach affecting 750 customers
Allianz UK confirmed it was impacted by Clop's exploitation of Oracle E-Business Suite after claims involving Liverpool Victoria. The insurer said only Allianz UK customer data was affected, impacting 80 current and 670 former customers, and reported the matter to the UK ICO.
Oct 4, 2025
Oracle releases patch for CVE-2025-61882
Oracle released a security patch for the Oracle E-Business Suite zero-day CVE-2025-61882 after months of exploitation. Affected organizations later reported applying the fix as part of their response.
Oct 1, 2025
GlobalLogic detects the Oracle EBS intrusion and starts response
GlobalLogic detected the breach in October 2025 and began notifying authorities, engaging third-party investigators, and applying Oracle's patches. The company later linked the incident to Clop's wider Oracle customer attack spree.
Jul 10, 2025
GlobalLogic employee data is stolen in Oracle EBS breach window
GlobalLogic said attackers accessed and stole sensitive HR data belonging to more than 10,000 current and former employees during a compromise window running from July 10 to August 20, 2025. Exposed data included personal identifiers, contact details, and financial information.
Jul 1, 2025
Clop begins exploiting Oracle EBS zero-day against multiple organizations
A broader Clop extortion campaign targeting Oracle E-Business Suite began as early as July 2025, according to reporting and Google researchers. The activity was tied to CVE-2025-61882 and is believed to have affected dozens of organizations.
Related Stories
Oracle E-Business Suite Zero-Day Exploited by Clop Ransomware Group
Clop ransomware group exploited a zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882, to compromise major organizations including Schneider Electric, Emerson, Harvard University, and others. The vulnerability allowed unauthenticated remote access to Oracle Concurrent Processing, enabling attackers to exfiltrate large volumes of sensitive data such as ERP records, financial documents, procurement workflows, and engineering files. Clop reportedly maintained access for months, exfiltrating 2.7 terabytes from Emerson and 116 gigabytes from Schneider Electric, with the breach going undetected by traditional monitoring tools. Security experts warn that the impact extends beyond data theft, as attackers may leverage stolen information for extortion, supply chain exploitation, and credential harvesting. Oracle has released patches for CVE-2025-61882 and strongly urges all EBS customers to apply updates immediately. The campaign highlights the risks posed by trusted vendor dependencies and the potential for widespread disruption across critical infrastructure and operational technology supply chains. Attribution remains under investigation, with both Clop and the financially motivated FIN11 group suspected of involvement.
1 month ago
Clop Ransomware Exploits Oracle E-Business Suite Zero-Day to Breach Washington Post
The Clop ransomware group exploited a zero-day vulnerability in Oracle E-Business Suite to gain unauthorized access to the Washington Post's internal systems, resulting in the theft of sensitive personal and financial data belonging to nearly 10,000 current and former employees and contractors. The attackers accessed the environment between July 10 and August 22, 2025, and subsequently attempted to extort the company in late September after contacting the Post to claim responsibility for the breach. The compromised data included names, bank account numbers, routing numbers, and Social Security numbers, and the breach was confirmed after an internal investigation prompted by the extortion attempt. The Washington Post is one of several major organizations targeted in this campaign, with other confirmed victims including Envoy Air and GlobalLogic. Oracle has since disclosed the vulnerability, now tracked as CVE-2025-61882 and CVE-2025-61884, and released patches to address the issue. The incident highlights the risks posed by zero-day vulnerabilities in widely used enterprise software and the increasing trend of ransomware groups leveraging such flaws for data theft and extortion campaigns against high-profile targets.
1 month ago
Clop Ransomware Exploitation of Oracle E-Business Suite Zero-Day Vulnerability
Oracle disclosed a critical zero-day vulnerability, CVE-2025-61882, in its E-Business Suite that was actively exploited by the Clop ransomware group to conduct a widespread data theft and extortion campaign. The vulnerability, which affects Oracle E-Business Suite, was addressed in a security advisory released on a Saturday, with Oracle urging customers to apply the patch immediately to mitigate the risk of compromise. Federal cyber authorities and threat intelligence researchers expressed heightened concern following Oracle’s announcement, as the flaw had been exploited for at least eight weeks before some victims received extortion demands. The Clop group leveraged this zero-day, along with other vulnerabilities previously addressed in Oracle’s July security update, to gain unauthorized access to enterprise resource planning (ERP) systems. Once inside, the attackers exfiltrated sensitive data and subsequently targeted executives with spear-phishing emails containing ransom demands, threatening to leak or misuse the stolen information. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61882 to its known exploited vulnerabilities catalog, confirming its use in active ransomware campaigns. Oracle’s Chief Security Officer, Rob Duhart, updated customers via a blog post, providing indicators of compromise and emphasizing the urgency of patching. The FBI’s Cyber Division described the situation as an emergency, highlighting the critical role Oracle E-Business Suite plays in both public and private sector organizations and the high incentive for attackers to weaponize the vulnerability quickly. Security briefings noted that organizations running Oracle E-Business Suite were specifically targeted, with attackers using sophisticated spear-phishing tactics to maximize the impact of their extortion efforts.
The campaign’s discovery has amplified concerns about the security of widely used ERP platforms and the increasing sophistication of ransomware groups like Clop. The incident underscores the importance of timely patch management and the need for organizations to monitor for indicators of compromise associated with this vulnerability. The attack has prompted a rapid response from both Oracle and federal agencies, with advisories and threat intelligence updates being disseminated to help organizations defend against ongoing exploitation. The event has also reignited discussions about the risks posed by zero-day vulnerabilities in critical business applications and the necessity for coordinated industry response. As the situation develops, organizations are advised to remain vigilant, apply all relevant security updates, and review their incident response plans to address potential data theft and extortion scenarios. The Clop group’s exploitation of this zero-day highlights the evolving tactics of ransomware actors and the persistent threat they pose to enterprise environments.
1 month ago