The Clop ransomware gang, also known as Graceful Spider, has claimed responsibility for a major cyberattack on Oracle Corporation, listing the tech giant on its dark web leak site. This breach is part of a large-scale extortion campaign exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882.
This incident underscores the growing threat of supply chain attacks, reminiscent of the MOVEit breach, and raises serious concerns for enterprises relying on Oracle’s ERP solutions.
What Happened?
Clop affiliates allegedly exfiltrated sensitive data from Oracle and numerous high-profile customers. Screenshots from Clop’s leak site show Oracle listed alongside major organizations such as Mazda, Humana, and The Washington Post, signaling a widespread impact across industries.
Victims report receiving extortion emails from addresses like support@pubstorm[.]com, threatening to release confidential financial and personal records unless ransom demands are met.

The Zero-Day Exploit Explained
The attack leverages a critical unauthenticated remote code execution (RCE) vulnerability in Oracle E-Business Suite. According to security researchers, Clop began exploiting this flaw as early as August 2025, months before Oracle issued a patch in October 2025.
How the Exploit Works
- Step 1: Authentication Bypass
  Attackers target the OA_HTML/SyncServlet endpoint to bypass authentication.
- Step 2: Malicious Payload Injection
  Using OA_HTML/RF.jsp, they inject a malicious XSLT template, enabling arbitrary command execution.
Because the flaw is exploitable before authentication, attackers could compromise servers without valid credentials, gaining full control over sensitive ERP data.
Technical Specifications
| Detail | Specification |
|---|---|
| CVE ID | CVE-2025-61882 |
| Affected Versions | Oracle EBS 12.2.3 – 12.2.14 |
| Vulnerability Type | Unauthenticated Remote Code Execution |
| CVSS Score | 9.8 (Critical) |
| Exploit Vector | SyncServlet Auth Bypass + XSLT Injection |
| Patch Status | Patched (October 2025 Security Alert) |
Impact on Enterprises
The breach has far-reaching implications for businesses using Oracle EBS for financial management, supply chain operations, and HR systems. Attackers potentially accessed:
- Financial records
- Customer data
- Employee information
- Sensitive ERP configurations
Such exposure can lead to regulatory penalties, brand reputation damage, and operational disruptions.
Clop’s Extortion Strategy
Clop’s modus operandi involves data theft followed by ransom demands. Victims are pressured to pay to prevent public disclosure of stolen data. The group’s leak site currently lists dozens of global enterprises, signaling a coordinated campaign targeting Oracle’s ecosystem.
Mitigation and Response
Oracle released a critical patch in October 2025. Organizations should:
- Apply the latest security updates immediately
- Conduct vulnerability scans for exposed endpoints
- Implement Web Application Firewalls (WAF)
- Enable multi-layered monitoring for suspicious activity
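For the monitoring step, one starting point is the web tier's access log. The sketch below is an added example, not code from Oracle or from the original article: it flags clients that request the two endpoints named above, and marks a client as a "chain" when a SyncServlet request is followed by an RF.jsp request. The Apache combined log format, the 10-minute correlation window and the sample log lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Endpoints named in the article; compared lower-cased after URL-decoding.
STAGES = {"/oa_html/syncservlet": "auth_bypass", "/oa_html/rf.jsp": "xslt_injection"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per environment

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:02:14:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312
203.0.113.7 - - [12/Aug/2025:02:14:09 +0000] "GET /OA_HTML//%52F.jsp?p=1 HTTP/1.1" 200 1840
198.51.100.20 - - [12/Aug/2025:09:30:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
198.51.100.33 - - [12/Aug/2025:10:00:00 +0000] "GET /OA_HTML/RF.jsp?p=2 HTTP/1.1" 302 0
"""

def parse(lines):
    """Yield (ip, time, stage) for requests that touch a watched endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, target, _status = m.groups()
        # Decode %xx escapes and collapse repeated slashes before comparing.
        path = re.sub(r"/+", "/", unquote(urlsplit(target).path)).lower()
        stage = STAGES.get(path)
        if stage:
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), stage

def find_chains(lines):
    """Map each client IP to 'chain' (bypass then injection within WINDOW) or 'single'."""
    last_bypass, verdict = {}, {}
    for ip, when, stage in sorted(parse(lines), key=lambda e: e[1]):
        verdict.setdefault(ip, "single")
        if stage == "auth_bypass":
            last_bypass[ip] = when
        elif ip in last_bypass and when - last_bypass[ip] <= WINDOW:
            verdict[ip] = "chain"
    return verdict

if __name__ == "__main__":
    for ip, v in find_chains(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {v}")
```

A flagged client is a lead for review alongside patch status and other telemetry, not proof of compromise on its own.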
Why This Matters
This attack highlights the increasing sophistication of ransomware gangs and the importance of timely patch management. With ERP systems being the backbone of enterprise operations, vulnerabilities like CVE-2025-61882 can have catastrophic consequences.