Oracle E-Business Suite zero-day exploited in widespread extortion campaign

Intel Name: Oracle E-Business Suite zero-day exploited in widespread extortion campaign

Date of Scan: October 10, 2025

Impact: High

Summary:
Beginning in late September 2025, a threat actor linked to the CL0P extortion group launched a large-scale campaign targeting organizations using Oracle E-Business Suite (EBS). The attackers claimed to have stolen sensitive data and used email-based extortion tactics against executives. Investigations revealed the exploitation of a zero-day vulnerability, likely CVE-2025-61882, which was abused as early as August 9, 2025, before a patch was available. Oracle released critical and emergency patches in response. The campaign involved a multi-stage Java implant framework and showed signs of earlier intrusion activity dating back to July 2025.
