Clop Ransomware Exploits Oracle E-Business Suite Zero-Day to Breach Washington Post
The Clop ransomware group exploited a zero-day vulnerability in Oracle E-Business Suite to gain unauthorized access to the Washington Post's internal systems, resulting in the theft of sensitive personal and financial data belonging to nearly 10,000 current and former employees and contractors. The attackers accessed the environment between July 10 and August 22, 2025, and subsequently attempted to extort the company in late September after contacting the Post to claim responsibility for the breach. The compromised data included names, bank account numbers, routing numbers, and Social Security numbers, and the breach was confirmed after an internal investigation prompted by the extortion attempt.
The Washington Post is one of several major organizations targeted in this campaign, with other confirmed victims including Envoy Air and GlobalLogic. Oracle has since disclosed two related vulnerabilities, tracked as CVE-2025-61882 and CVE-2025-61884, and released patches for both. The incident highlights the risks posed by zero-day vulnerabilities in widely used enterprise software and the growing trend of ransomware groups leveraging such flaws for data-theft and extortion campaigns against high-profile targets.
Timeline
Nov 13, 2025
Washington Post confirms breach affecting nearly 10,000 people
The Washington Post publicly confirmed that data on nearly 10,000 employees, former employees, and contractors was stolen from its Oracle environment. The organization said it worked with external experts to investigate and offered affected individuals 12 months of identity protection services.
Nov 13, 2025
NHS acknowledges Clop listing but says no data leaked
The UK's National Health Service confirmed it was aware of being named on Clop's cybercriminal site and said no data had been leaked so far. The statement publicly identified the NHS as one of the organizations caught up in the Oracle exploitation wave.
Nov 6, 2025
Clop leak site names dozens of Oracle campaign victims
By early November 2025, Clop's data-leak site listed almost 30 alleged victims from the Oracle E-Business Suite campaign, including organizations such as the UK's NHS, Envoy Air, GlobalLogic, and Harvard University. This marked a broader public expansion of the victim list beyond initially disclosed cases.
Oct 4, 2025
Oracle releases patch for exploited E-Business Suite flaw
Oracle released a patch on October 4, 2025 for a zero-day vulnerability in Oracle E-Business Suite that had been exploited in the campaign. Security firms later said Clop used multiple vulnerabilities in the attacks.
Oct 4, 2025
Victims receive extortion emails tied to Oracle zero-day attacks
After the intrusions, victim organizations received extortion emails demanding payment and threatening to leak stolen data. Reporting indicates Oracle learned of the campaign through these extortion messages, with ransom demands reaching as high as $50 million.
Aug 22, 2025
Attackers maintain access and steal Washington Post data
Between July 10 and August 22, 2025, attackers exfiltrated personal and financial data from The Washington Post affecting nearly 10,000 current and former employees and contractors. Stolen data included names, bank account and routing numbers, and Social Security numbers.
Jul 10, 2025
Clop breaches Washington Post Oracle environment
Threat actors later linked to the Clop extortion group gained access to The Washington Post's Oracle E-Business Suite environment on July 10, 2025. The intrusion was part of a broader campaign targeting Oracle E-Business Suite customers.
Related Stories

Clop Ransomware Exploitation of Oracle E-Business Suite Zero-Day Vulnerability
Oracle disclosed a critical zero-day vulnerability, CVE-2025-61882, in its E-Business Suite that was actively exploited by the Clop ransomware group to conduct a widespread data theft and extortion campaign. The vulnerability was addressed in a security advisory released on a Saturday, with Oracle urging customers to apply the patch immediately to mitigate the risk of compromise. Federal cyber authorities and threat intelligence researchers expressed heightened concern following Oracle's announcement, as the flaw had been exploited for at least eight weeks before some victims received extortion demands.

The Clop group leveraged this zero-day, along with other vulnerabilities previously addressed in Oracle's July security update, to gain unauthorized access to enterprise resource planning (ERP) systems. Once inside, the attackers exfiltrated sensitive data and subsequently targeted executives with spear-phishing emails containing ransom demands, threatening to leak or misuse the stolen information. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog, confirming its use in active ransomware campaigns.

Oracle's Chief Security Officer, Rob Duhart, updated customers via a blog post, providing indicators of compromise and emphasizing the urgency of patching. The FBI's Cyber Division described the situation as an emergency, highlighting the critical role Oracle E-Business Suite plays in both public and private sector organizations and the high incentive for attackers to weaponize the vulnerability quickly. Security briefings noted that organizations running Oracle E-Business Suite were specifically targeted, with attackers using spear-phishing tactics to maximize the impact of their extortion efforts.
The campaign’s discovery has amplified concerns about the security of widely used ERP platforms and the increasing sophistication of ransomware groups like Clop. The incident underscores the importance of timely patch management and the need for organizations to monitor for indicators of compromise associated with this vulnerability. The attack has prompted a rapid response from both Oracle and federal agencies, with advisories and threat intelligence updates being disseminated to help organizations defend against ongoing exploitation. The event has also reignited discussions about the risks posed by zero-day vulnerabilities in critical business applications and the necessity for coordinated industry response. As the situation develops, organizations are advised to remain vigilant, apply all relevant security updates, and review their incident response plans to address potential data theft and extortion scenarios. The Clop group’s exploitation of this zero-day highlights the evolving tactics of ransomware actors and the persistent threat they pose to enterprise environments.
1 month ago
Oracle E-Business Suite Zero-Day Exploited by Clop Ransomware Group
Clop ransomware group exploited a zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882, to compromise major organizations including Schneider Electric, Emerson, Harvard University, and others. The vulnerability allowed unauthenticated remote access to Oracle Concurrent Processing, enabling attackers to exfiltrate large volumes of sensitive data such as ERP records, financial documents, procurement workflows, and engineering files. Clop reportedly maintained access for months, exfiltrating 2.7 terabytes from Emerson and 116 gigabytes from Schneider Electric, with the breach going undetected by traditional monitoring tools. Security experts warn that the impact extends beyond data theft, as attackers may leverage stolen information for extortion, supply chain exploitation, and credential harvesting. Oracle has released patches for CVE-2025-61882 and strongly urges all EBS customers to apply updates immediately. The campaign highlights the risks posed by trusted vendor dependencies and the potential for widespread disruption across critical infrastructure and operational technology supply chains. Attribution remains under investigation, with both Clop and the financially motivated FIN11 group suspected of involvement.
1 month ago
Clop Exploits Oracle E-Business Suite Vulnerability for Data Extortion Attacks
Clop, a Russian-speaking cybercriminal group, has launched a widespread campaign exploiting a critical vulnerability in Oracle E-Business Suite (EBS), targeting hundreds of organizations globally. Allianz UK confirmed that it was among the victims, with the attackers compromising data belonging to 80 current and 670 former customers, though no impact was reported for its subsidiary Liverpool Victoria (LV). The attack vector was traced to Oracle EBS used in Allianz UK's personal lines business, and the company reported the incident to the Information Commissioner's Office. Other notable victims include the Washington Post and Envoy Air, with researchers estimating that dozens of organizations have been affected since July through exploitation of CVE-2025-61882. Clop's campaign is characterized by data exfiltration and extortion rather than traditional file-encrypting ransomware, with the group threatening to leak stolen data unless victims make contact within a set deadline. Logitech was also named as a target, though the company has not confirmed a breach. The campaign's scale is significant, with at least 835 documented victims attributed to Clop since 2019, and the group has previously exploited vulnerabilities in file-transfer platforms such as MOVEit and Fortra GoAnywhere. The Oracle EBS vulnerability was first detected in July, with Oracle releasing an initial patch in October that proved insufficient, necessitating a second critical update and leaving many organizations exposed for several days.
1 month ago