Overview and What Cybereason Knows So Far
- In July 2025, Oracle released security updates comprising 309 patches, nine of which addressed vulnerabilities in Oracle E-Business Suite (EBS).
- From late July 2025 through early September 2025, Cybereason assesses, based on emerging evidence and ongoing forensic investigations, that CL0P orchestrated an Intrusion Path that allowed unauthorized access to on-premise, customer-managed Oracle E-Business Suite (EBS) instances, enumerated accessible and stored data, and exfiltrated data.
- From late September 2025 into early October 2025, a widespread, orchestrated email extortion campaign emerged targeting users of on-premise, customer-managed Oracle E-Business Suite (EBS), demanding that victims contact CL0P in order to prevent exposure of allegedly exfiltrated data.
- As of early October 2025, Cybereason is aware of ongoing investigations in which CL0P has provided proof of data. CL0P does not appear to have named new victims associated with this incident as of October 4, 2025.
Evidence of Exploit Targeting Oracle EBS
Cybereason has been made aware of extortion emails sent to numerous companies claiming a compromise of the organization’s Oracle E-Business Suite and exfiltration of data. The emails provide CL0P-controlled contact addresses (which correspond to those on CL0P’s leak site) and urge the victim to negotiate, threatening to leak or sell stolen data if payment is not made. The emails explicitly invoke CL0P’s notoriety (“We are CL0P team…”) and direct victims to reach out to specific email addresses to arrange payment. The contact emails provided by the extortionists exactly match addresses listed on CL0P’s public data leak site.
The sheer volume and distribution of the emails observed by incident response vendors and victims alike is notable: they were sent via hundreds of presumably compromised email accounts across various legitimate organizations (not from a single mail server), indicating a concerted effort to mask the source and evade email filtering. In some instances, however, Cybereason is aware of a high rate of successful email filtering, which may result in some victims not being aware that they were targeted. Mandiant (Google’s incident response unit) confirmed that at least two of the compromised sender accounts are known to have been used in past CL0P/FIN11 operations.
Initial Intrusion Vector (IIV) and Technical Exploitation Details
The Initial Intrusion Vector (IIV) / Stage 1 of the Cybereason Intrusion Path remains under analysis. It is not yet known whether a novel zero-day or abuse of previously documented weaknesses in Oracle EBS contributed to the root cause. Initial investigative paths point to potential exploitation of vulnerabilities that were identified and patched in the July 2025 Critical Patch Update (CPU) cycle for Oracle products. That quarterly update introduced 309 new patches addressing 165 CVEs across various Oracle product families; nine of these patches were issued for Oracle E-Business Suite. Among them, three vulnerabilities (CVE-2025-30746 affecting iStore, CVE-2025-30745 affecting MES for Process Manufacturing, and CVE-2025-50107 affecting Universal Work Queue) were rated medium severity. Each was remotely exploitable by unauthenticated attackers over HTTP, though successful exploitation was noted as requiring some level of user interaction. These flaws existed in web-facing EBS components and, if unpatched, could enable limited interaction with the application.
CL0P Attribution
The TTPs in this Oracle EBS incident, including mass emails to many organizations, leveraging a software flaw or configuration common to many companies, and extortion without immediate encryption, closely mirror CL0P’s past data-theft extortion campaigns targeting systems or platforms that hold client data, including Accellion FTA (2020/2021), Fortra GoAnywhere (2023), MOVEit Transfer (2023), and the Cleo Harmony, VLTrader, and LexiCom products (2024).
In those investigations, Cybereason’s Digital Forensics and Incident Response (DFIR) teams identified that CL0P rapidly exploited zero-day vulnerabilities to steal data from hundreds of organizations and then demanded ransom to refrain from leaking the data. Cybereason assesses CL0P’s involvement as in character and consistent with its observed playbook in recent years: the group appears to have identified organizations where Oracle EBS systems were internet-facing and leveraged an Initial Intrusion Vector (IIV) to gain unauthorized access and exfiltrate data, quietly and at scale, across many victims. CL0P often conducts extensive reconnaissance, custom code development, and CVE attack chaining, and coordinates mass-scale victimization in rapid, iterative, and sometimes parallel succession; all of these are suspected in this campaign, and evidence of some is beginning to be found.
The financial motive is clear: by claiming to have stolen ERP data (e.g., financial records, HR data, customer information) from high-value companies, CL0P pressures executive leadership to settle extortion demands quietly. CL0P’s message to BleepingComputer even referenced Oracle, claiming “Oracle bugged up their core product and once again, the task is on CL0P to save the day…we only expect payment for services to protect [the] biggest companies”. This tongue-in-cheek “white knight” narrative is a known CL0P tactic to justify their extortion as a service rather than a crime.
Oracle Corporation publicly addressed the situation on October 2, 2025, via a statement by CSO Rob Duhart. Oracle confirmed awareness of the extortion emails targeting EBS customers and stated that its internal investigation found “potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update”. While Oracle stopped short of attributing the attacks to CL0P, the company’s guidance was unequivocal: all Oracle EBS users should immediately apply the July 2025 CPU patches and review the security of any EBS instance exposed to the internet. As this was not an exploit of Oracle’s cloud or infrastructure (it involved on-premise, customer-managed systems), Oracle’s role is advisory; the company reiterated the critical importance of timely patching and strong configuration, hinting that proper SSO/MFA could have mitigated the attack vector.
Recommendations
Below are key recommendations from our DFIR team:
- Implement Oracle July 2025 CPU patching.
- Cybereason notes that Oracle EBS relies on other Oracle components (e.g., Database, Fusion Middleware), which should also be updated as part of the July CPU to fully close known vulnerabilities.
- Integrate Oracle EBS login portals with an SSO/MFA solution.
- Integrate WAF, firewall, and web access logging into a SIEM/log aggregator as a longer-term solution for data preservation.
- If you are an Oracle EBS customer, scan your email spam filter and mailbox infrastructure for the CL0P emails to determine whether you received outreach that may have been blocked. Sender IPs and email address suggestions are available upon request.
- For any Oracle EBS client that had not implemented full July 2025 patching before July 31, 2025, engage in a thorough Digital Forensics & Incident Response (DFIR) focused investigation to determine whether the Intrusion Path related to this event occurred within your environment (e.g., backdoors, webshells, remote access or data exfiltration tools, etc.); to identify, contain, and remediate evidence of password resets, user or service account manipulation, compromised credentials, etc.; and to validate and verify product patch levels.
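As an added example (not part of the Cybereason advisory), the following Python script implements the mailbox check recommended above: it scans raw messages for the extortion wording quoted earlier, matches any contact addresses in the body against a list of known CL0P contacts, and tallies distinct sender domains among the hits to surface the distributed sending pattern described above. The contact list and sample messages are constructed placeholders; the real addresses and sender IPs are not listed on this page.

```python
import email
import re
from collections import Counter
from email import policy
from typing import Dict, List

# Placeholder contact list: the advisory says real CL0P contact addresses are
# available on request, so these are constructed values, not real indicators.
KNOWN_CL0P_CONTACTS = {"contact-placeholder-1@example.invalid",
                       "contact-placeholder-2@example.invalid"}
# Wording patterns drawn from the extortion emails described in the advisory.
EXTORTION_PHRASES = [r"we are cl0p team", r"oracle e-?business suite", r"leak|sell"]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample mailbox (raw RFC 822 text): the first message mimics the
# extortion wording, the second is benign.
SAMPLE_MAILBOX = [
    "From: someone@compromised-org-a.example\n"
    "To: cfo@victim.example\n"
    "Subject: Your Oracle EBS data\n\n"
    "We are CL0P team. Your Oracle E-Business Suite was accessed and data taken.\n"
    "Write to contact-placeholder-1@example.invalid or we leak it.\n",
    "From: news@vendor.example\nTo: cfo@victim.example\n"
    "Subject: Quarterly newsletter\n\nThanks for subscribing.\n",
]

def score_message(raw: str) -> Dict:
    """Flag a message if it cites a known contact address or matches >= 2 phrases."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = f"{msg['Subject'] or ''}\n{body}"
    phrases = [p for p in EXTORTION_PHRASES if re.search(p, text, re.I)]
    contacts = {a.lower() for a in EMAIL_RE.findall(body)} & KNOWN_CL0P_CONTACTS
    return {"from": msg["From"], "phrases": phrases, "contacts": sorted(contacts),
            "suspect": bool(contacts) or len(phrases) >= 2}

def scan_mailbox(raw_msgs: List[str]) -> List[Dict]:
    """Return only the messages scored as suspect."""
    return [r for r in map(score_message, raw_msgs) if r["suspect"]]

def sender_domains(hits: List[Dict]) -> Counter:
    """Count sender domains; many distinct domains match the distributed pattern."""
    return Counter(str(h["from"]).rsplit("@", 1)[-1].strip(">") for h in hits)

if __name__ == "__main__":
    print(scan_mailbox(SAMPLE_MAILBOX), sender_domains(scan_mailbox(SAMPLE_MAILBOX)))
```

To run it against a real mailbox, feed each exported message's raw text to `scan_mailbox` and review hits whose `contacts` list is non-empty first, since a contact-address match is the stronger signal.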