Cl0p gang hacks Oracle, exploiting Oracle's own EBS zero-day

Oracle became a victim of its own E-Business Suite (EBS) zero-day on Thursday when, in a "catch me if you can" moment, the Cl0p ransomware gang claimed the software and cloud computing company as part of its latest Oracle-fueled hacking spree.
- Cl0p ransomware gang compromises Oracle itself using the company's EBS vulnerability, an ironic twist to the ongoing hacking spree.
- The Oracle listing appeared and then quickly disappeared from Cl0p's leak site, suggesting the cloud company may have initiated contact.
- With mud on its face, Oracle faces the same extortion tactics it warned customers about, after its delayed patches in October left thousands vulnerable.
The Austin, Texas-based company was posted on the ransomware group's dark leak blog on Thursday, as if to rub Oracle's nose in its own cybersecurity failures, after the group exploited its E-Business Suite (EBS) software in a critical zero-day attack this summer, impacting dozens of companies so far, and still counting.
Still, the victim post itself provided very little information, simply listing Oracle's headquarters and street address, phone number, website, annual revenue of $59 billion, and the industry sector.
In red letters, Cl0p also left its signature clap back, typically found at the bottom of each victim post: "The company doesn't care about its customers. It ignored their security!!!"
But the entire scenario appears to be short-lived. Once word began to spread about the hack, and by the time Cybernews went to check Cl0p's onion site to verify the post, Oracle's victim entry was nowhere to be found.
Luckily, one cyber threat intel analyst at Fujitsu UK had screenshotted the Cl0p post about Oracle and reposted it on X for cybersecurity analyst and researcher Dominic Alvieri.
"Oracle has been breached by Cl0p Ransomware via Oracle E-Business Suite zero-day CVE-2025-61882," wrote Alvieri, who broke the news of the wayward hack on X just after 10:00 a.m. Eastern Time.
Leak site post: pic.twitter.com/CwovKFHmII
TriptySec (@TriptySecCTI), November 20, 2025
The missing post leads Cybernews to assume that representatives for Oracle have at least made contact with the group, or may have begun negotiating a ransom demand, even if only to get their company's name off the leak site and out of public view.
Oracle can’t get a break
Dozens of organizations have already fallen victim to Cl0p’s EBS zero-day hacking campaign, which Google researchers say dates back to July.
The suite of productivity applications – used by thousands of companies and organizations worldwide – allows clients to manage customers, suppliers, manufacturing, logistics, and other business processes.
The Cl0p exploit, which Google says successfully chains together multiple vulnerabilities – including the CVE-2025-61882 zero-day – allows unauthenticated Remote Code Execution (RCE) in Oracle EBS, enabling the group to steal hoards of customer data.
Oracle first reported the zero-day on October 2nd; most companies had been unaware of it for months, leaving them open to compromise, with many only discovering they had been breached in August after receiving a surprise ransom demand email from the gang.
If victims ignore the email or choose not to pay, Cl0p publishes the stolen data for download on the dark web. “Dearest Executive,” the email reads. “We have recently breached your Oracle E-Business Suite application and copied a lot of documents.”
“All the private files and other information are now held on our systems. But don't worry. You can always save your data for payment,” Cl0p goes on, urging the victim to “protect your business reputation” and pay the “claimed sum.”
To add to Oracle’s misery, the first emergency patch released by the company failed, prompting a second critical patch, leaving customers exposed to the zero-day for another six days, after already being exposed for months.
High-profile companies named this week include the UK's National Health System (NHS) (data published), Humana, Mazda, Mazda USA, and Phoenix U. The Cl0p spree also claimed The Washington Post this month, with the daily D.C. paper having to alert thousands of WaPo customers that their personal data had been breached.
Other Oracle EBS victims include: Harvard University; American Airlines' largest regional carrier, Envoy Air; multinational critical IT services provider DXC Technology; and the fourth-largest US school district, Chicago Public Schools.
Meanwhile, the Cl0p cartel, known for going big and playing the long game, is also known for taunting its victims with cryptic messages, many steeped in irony – with Oracle, obviously, being no exception.
One might say that Oracle, in this case, is getting it from "both ends" as the expression goes.
Operating since at least 2020, Cl0p’s past campaigns – exploiting file transfer programs MOVEit, Fortra GoAnywhere, and Cleo, as the most recent – have compromised nearly 3,000 major organizations, raking in hundreds of millions of dollars.
The MOVEit campaign, which took place in 2023, was one of the most extensive hacking campaigns ever, affecting over 2,600 organizations and nearly 90 million individuals.