Security boffins say the Clop cybercriminal gang has been rummaging through Oracle’s E-Business Suite (EBS) for months – and now the exploit code’s out there for anyone to grab.
According to new analysis from watchTowr and CrowdStrike, the Clop extortion crew has been raiding Oracle EBS installations since early August, long before the database giant rushed out a fix for a zero-day, tracked as CVE-2025-61882, on October 4. The researchers claim the campaign is both older and wider-reaching than Oracle has admitted so far, with some victims already receiving Clop’s trademark extortion emails, which threaten to leak stolen data.
Jake Knott, principal security researcher at watchTowr, told The Register: “Clop has been exploiting multiple vulnerabilities in Oracle EBS since at least August 2025, stealing large amounts of data from several victims, and has been sending extortion emails to some of those victims since last Monday.”
He added that the latest vulnerability, which Oracle patched just days ago, has already been weaponized publicly. “By Monday morning, exploit code for that same flaw was already public,” Knott said. “The attack chains together multiple vulnerabilities – including several patched in July and the one just released on October 4.”
watchTowr’s analysis shows that the exploit chain, though initially complex, is now trivial to execute thanks to leaked proof-of-concept code circulating online. “At first glance, it looked reasonably complex and required real effort to reproduce manually. But now, with working exploit code leaked, that barrier to entry is gone,” Knott warned.
CrowdStrike’s telemetry backs up that timeline. In a separate report, the security firm said it had identified Clop exploiting the Oracle zero-day as early as August 9, targeting exposed EBS portals to exfiltrate data from corporate systems. CrowdStrike noted that while the attackers’ initial goal was focused on large data grabs for later extortion, the public release of the exploit code now means “follow-on activity from additional threat actors is highly likely.”
Oracle has said little since issuing its weekend security alert, which described the vulnerability as a pre-authentication remote code execution flaw in E-Business Suite’s OA Framework. The bug carries a CVSS score of 9.8 and allows attackers to run arbitrary commands on vulnerable systems without needing credentials. The company’s advisory stopped short of confirming exploitation in the wild, but security vendors now say that ship sailed weeks ago.
The situation is particularly ugly for enterprises that rely on EBS to handle HR, payroll, supply chain and financial data, all of which are high-value targets for extortion-driven operations like Clop’s. Oracle’s EBS deployments are often large, heavily customized, and tightly integrated with internal systems, making emergency patching and mitigation a slow and painful process.
Knott said the window for action is now “measured in hours, not days.” “Based on the evidence, we believe this is Clop activity, and we fully expect to see mass, indiscriminate exploitation from multiple groups within days,” he told The Register. “If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls – fast.”
The warning caps off a chaotic few days for Oracle and its customers. What began as a quiet weekend security update has rapidly escalated into a full-blown scramble, with unpatched systems exposed to publicly available exploit code and one of the most prolific extortion crews already in the mix. For many Oracle admins, it’s shaping up to be a very long week indeed.