
Oracle E-Business Suite Cl0p multi-vulnerability exploitation wave

Exploitation Wave
Happening score
H score 65
3 unique sources, 6 articles

Summary


Oracle E-Business Suite (EBS) exploitation tied to Clop / FIN11 has been ongoing since at least August 9, 2025, with CVE-2025-61882 used for unauthenticated remote code execution and data theft. Google Threat Intelligence Group (GTIG) and Mandiant said the campaign likely exfiltrated a significant amount of data, and that extortion emails sent since September 29 referenced contact addresses [email protected] and [email protected]. Oracle released an emergency patch on October 4 for affected 12.2.3-12.2.14 versions, and GTIG said patched servers are likely no longer vulnerable to known exploitation chains.

Cases

Related Happenings

Storm-1175 high-velocity exploit campaign

Campaign
First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave

Exploitation Wave
First: 26.03.2026 18:00 Last: 26.03.2026 18:00 Sources 1

About this happening: **Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...

Oracle WebLogic actively exploited unauthenticated RCE flaw (CVE-2026-21962)

Vulnerability
First: 26.03.2026 18:00 Last: 26.03.2026 18:00 Sources 1

About this happening: **Oracle WebLogic**'s **CVE-2026-21962** was being **actively exploited** almost immediately after public exploit code appeared, creating a **CVSS 10.0** unauthenticated RCE risk...

Oracle security patch release for CVE-2026-21992

Security Patch Release
First: 21.03.2026 12:24 Last: 21.03.2026 12:24 Sources 1

About this happening: **Oracle** released **security updates** for **CVE-2026-21992**, a critical flaw in **Identity Manager** and **Web Services Manager** that could enable **unauthenticated remote co...

Oracle Identity Manager and Oracle Web Services Manager unauthenticated RCE (CVE-2026-21992)

Vulnerability
First: 20.03.2026 20:48 Last: 20.03.2026 20:48 Sources 1

About this happening: Oracle issued an **out-of-band update** to fix **CVE-2026-21992**, a **critical unauthenticated remote code execution** flaw in **Oracle Identity Manager** and **Oracle Web Servic...

Timeline

  1. 03.12.2025 15:23 1 article · 5mo ago

    University of Phoenix discloses Clop-linked Oracle EBS breach

    Victim Impact Update

    University of Phoenix disclosed a data breach on its website and through a Phoenix Education Partners 8-K after detecting unauthorized activity on November 21; the school said Clop-linked attackers exploited Oracle E-Business Suite CVE-2025-61882 to steal names, contact information, dates of birth, social security numbers, and bank account and routing numbers tied to current and former students, employees, faculty, and suppliers.

  2. 14.10.2025 19:38 2 articles · 7mo ago

    Oracle patches CVE-2025-61884 in Oracle E-Business Suite

    Mitigation Patch Update

    Oracle's weekend out-of-band security update fixed CVE-2025-61884 in Oracle E-Business Suite after active exploitation tied to a ShinyHunters-leaked proof-of-concept. The patch addresses a pre-authentication SSRF flaw, validates attacker-supplied `return_url` with a regular expression, and rejects injected CRLF, with researchers saying the SSRF component is now fixed.

  3. 10.10.2025 13:15 1 article · 7mo ago

    GTIG links Oracle EBS extortion campaign to Clop/FIN11

    Attribution Update

    Google Threat Intelligence Group and Mandiant said Clop/FIN11 likely began targeting Oracle E-Business Suite instances as early as August 9, 2025 and later used extortion emails sent since September 29 to executives at several organizations, including messages tied to [email protected] and [email protected]. The researchers said the campaign followed months of intrusion activity, that CVE-2025-61882 exploitation began before patches were available, and that the threat actor had already exfiltrated a significant amount of Oracle EBS data.

  4. 07.10.2025 08:12 1 article · 7mo ago

    First known Oracle E-Business Suite exploitation on August 9, 2025

    Exploitation Observed

    CrowdStrike identified the first known exploitation of CVE-2025-61882 in Oracle E-Business Suite on August 9, 2025, marking the start of the abuse pattern tied to Graceful Spider (aka Cl0p). The flaw is a critical unauthenticated remote code execution vulnerability in exposed Oracle EBS environments.

  5. 07.10.2025 08:12 3 articles · 7mo ago

    CrowdStrike and WatchTowr detail Oracle EBS CVE-2025-61882 abuse on October 7, 2025

    Initial Disclosure

    CrowdStrike attributed exploitation of CVE-2025-61882 in Oracle E-Business Suite to Graceful Spider (aka Cl0p) with moderate confidence, and WatchTowr Labs described a chain that uses /OA_HTML/SyncServlet for authentication bypass, SSRF and CRLF Injection, and requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload and execute a malicious XSLT template in Oracle's XML Publisher Template Manager. CISA had also added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, noting ransomware use and requiring federal agencies to apply fixes by October 27, 2025.
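
For defenders reviewing EBS web-tier logs, the timeline above names three request paths and a CRLF-bearing `return_url`; the following added example (not code from Oracle, CrowdStrike, WatchTowr or this page) triages access logs for both signals. The log format, the 5-minute window, the `/OA_HTML/placeholder` path and all sample lines are assumptions constructed for illustration; `RF.jsp` and `OA.jsp` also serve ordinary EBS traffic, so the second rule only fires on the sequence, not on single hits.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (documentation IPs, made-up times), not real traffic.
# "/OA_HTML/placeholder" stands in for whichever page receives return_url.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:02:11:04 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2025:02:11:09 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 302 0
203.0.113.7 - - [01/Jan/2025:02:11:15 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 2048
198.51.100.20 - - [01/Jan/2025:02:12:00 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 9000
192.0.2.44 - - [01/Jan/2025:02:13:30 +0000] "GET /OA_HTML/placeholder?return_url=http://a%0d%0aX-Test:1 HTTP/1.1" 200 10
203.0.113.7 - - [01/Jan/2025:02:30:00 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 9000
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FOLLOW_UP = {"/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp"}
WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per environment


def parse(log):
    """Yield (client_ip, timestamp, split_url) for each parsable line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ip, ts, _method, target, _status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), urlsplit(target)


def triage(log):
    """Return (client_ip, rule, path) findings in log order."""
    findings, last_sync = [], {}
    for ip, when, url in parse(log):
        # Rule 1: decoded CR or LF inside a return_url value.
        for name, value in parse_qsl(url.query):
            if name == "return_url" and re.search(r"[\r\n]", value):
                findings.append((ip, "crlf-in-return_url", url.path))
        # Rule 2: SyncServlet hit followed shortly by RF.jsp / OA.jsp from one client.
        if url.path == "/OA_HTML/SyncServlet":
            last_sync[ip] = when
        elif url.path in FOLLOW_UP and ip in last_sync:
            if when - last_sync[ip] <= WINDOW:
                findings.append((ip, "syncservlet-then-followup", url.path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Findings are leads for review against authenticated-session data and patch status, not confirmation of compromise.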