The Clop ransomware gang has been exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite (EBS) since at least early August, according to cybersecurity firm CrowdStrike. The flaw, tracked as CVE-2025-61882, was discovered in the BI Publisher Integration component of Oracle EBS's Concurrent Processing module and allows unauthenticated attackers to remotely execute code on vulnerable systems. Oracle released a patch to address the issue.
Security researchers from watchTowr Labs discovered that the vulnerability is part of a broader chain that can be exploited with a single HTTP request, giving attackers full control over targeted systems without requiring user interaction. The analysis followed the leak of a proof-of-concept exploit by the Scattered Lapsus$ Hunters cybercrime group, which had been circulating online since May.
CrowdStrike reports that the Clop ransomware group, also known as Graceful Spider, began using the flaw as a zero-day on August 9 to steal sensitive documents from affected organizations. While Clop is believed to be the main perpetrator behind the attacks, other threat groups may also be exploiting the same vulnerability.
CrowdStrike warned that the public release of the proof-of-concept on October 3, combined with Oracle’s recent patch, is likely to spark a wave of new exploitation attempts by threat actors familiar with Oracle EBS systems.
Mandiant and Google’s Threat Intelligence Group (GTIG) previously reported that Clop has been contacting executives at compromised companies with extortion demands. The group is threatening to leak stolen data unless ransom payments are made.
In June, the US State Department announced a $10 million reward for information that could help link Clop’s ransomware operations to a foreign government.
