Security Alert: Cl0p Abuses Oracle E-Business Suite for Account Takeover

Published on
October 2, 2025

Summary

New evidence indicates Cl0p likely used a newly identified zero-day (CVE-2025-61882), possibly alongside additional Oracle vulnerabilities, to exploit internet-facing Oracle E-Business Suite (EBS) environments and steal data as early as August 2025.

Halcyon previously assessed that data stolen by Cl0p likely derived from internet-exposed EBS webpages; it now assesses that the actors exploited vulnerabilities in these internet-exposed environments rather than abusing a password reset weakness. Oracle has released patches and indicators of compromise (IOCs) for the zero-day, an unauthenticated remote code execution vulnerability affecting EBS versions 12.2.3 through 12.2.14.

Targets

Internet-facing EBS portals. Environments not reachable from the internet are not exposed to this campaign, but they remain vulnerable until the patches below are applied.

Technical Note

This newly identified vulnerability allows an unauthenticated attacker with HTTP network access to the EBS application tier to execute code remotely, with no user interaction required.

CVEs

CVE-2025-61882 (critical unauthenticated RCE) is being actively exploited. Additional vulnerabilities leveraged in the campaign may include CVEs addressed in Oracle's July 2025 Critical Patch Update.

Mitigation

  • Patch vulnerabilities associated with this campaign by:
    1. Confirming installation of the October 2023 Critical Patch Update prerequisite
    2. Installing patches for vulnerabilities issued in July 2025
    3. Installing the patch for CVE-2025-61882
  • Restrict or remove internet exposure of EBS portals by:
    1. Checking if EBS portals are publicly accessible via https://<IP or FQDN of EBS app server>/OA_HTML/AppsLocalLogin.jsp [M1030]
    2. If exposed, placing EBS behind a hardened reverse proxy and restricting access by source networks [M1037]
    3. If exposed, disabling or securing the password reset function to require secondary verification [M1054]
  • Conduct other mitigation best practices, including:
    • Monitoring for anomalous logins, resets, and configuration changes [M1047]
    • Hardening email security to reduce risk of mailbox compromise [M1021]
    • Enforcing multi-factor authentication (MFA) for all accounts, including local EBS logins [M1032]
    • Deploying a dedicated anti-ransomware solution to block malicious binaries pre-execution [M1038], detect runtime behavior [M1040], protect network paths needed for agent management [M1031], and harden tested backups [M1053]
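The exposure check in the mitigation list above (requesting /OA_HTML/AppsLocalLogin.jsp on each EBS application server) is easy to script across an inventory. The following is an added example written for this alert, not Halcyon's or Oracle's tooling: it probes each host from outside the trusted network, refuses to follow redirects so that a reverse proxy's redirect is reported rather than silently followed, and classifies the result. The hostnames are constructed placeholders, and the verdict rules (any HTTP 200 counts as the login page being served; any other HTTP response counts as the path being reachable; no response counts as unreachable) are assumptions about typical EBS behaviour, not a documented Oracle fingerprint.

```python
"""
Internet-exposure check for Oracle EBS local login pages.

Added example (not Halcyon's or Oracle's code). Run it from a host OUTSIDE the
network that is meant to reach EBS: a verdict of "exposed" or "reachable" from
there means the portal answers to the internet and needs a reverse proxy with
source-network restrictions. Hostnames and verdict heuristics are assumptions.
"""
from __future__ import annotations

import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass

# Path named in the alert's check step.
LOGIN_PATH = "/OA_HTML/AppsLocalLogin.jsp"

# Constructed inventory of EBS application-tier hosts (placeholders).
INVENTORY = ["ebs-prod.example.com", "203.0.113.10"]


@dataclass
class Probe:
    """Outcome of one HTTP probe. status is None when no HTTP response came back."""
    host: str
    status: int | None
    body: str = ""
    error: str = ""


def build_check_url(host: str) -> str:
    """Build https://<IP or FQDN of EBS app server>/OA_HTML/AppsLocalLogin.jsp."""
    return f"https://{host}{LOGIN_PATH}"


def classify(probe: Probe) -> str:
    """Map a probe outcome to an exposure verdict (assumed rules, see module docstring).

    exposed     - HTTP 200: the login page itself is served to the internet
    reachable   - any other HTTP status (3xx/401/403/...): the path answers, so the
                  server is internet-facing even if access is currently blocked
    unreachable - no HTTP response (connection refused, timeout, DNS failure)
    """
    if probe.status is None:
        return "unreachable"
    if probe.status == 200:
        return "exposed"
    return "reachable"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_host(host: str, timeout: float = 5.0) -> Probe:
    """Issue a single GET against the login path and capture status and a body sample."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # exposure check only; self-signed certs are common on EBS tiers
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(
        build_check_url(host), method="GET", headers={"User-Agent": "ebs-exposure-check"}
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(host, resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # non-2xx, including refused redirects
        return Probe(host, err.code, err.read(4096).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as err:  # timeouts are OSError subclasses
        return Probe(host, None, error=str(err))


def assess(probes: list[Probe]) -> dict[str, str]:
    """Verdict per host, suitable for feeding into a ticket or a CMDB tag."""
    return {p.host: classify(p) for p in probes}


if __name__ == "__main__":
    for host, verdict in assess([probe_host(h) for h in INVENTORY]).items():
        print(f"{host}: {verdict}")
```

A "reachable" verdict still warrants action: a 401 or 403 from the EBS tier means the application server itself, not a hardened reverse proxy, is the first thing the internet talks to, so the unauthenticated RCE path remains reachable until patched.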

References

  • Oracle Security Alert for CVE-2025-61882
  • Halcyon Threat Actor Profile: Cl0p Ransomware

Source Summary

This Alert is based on Halcyon observations, open-source information, and ongoing research. Findings reflect our current understanding of threat actor activity and may be updated as new evidence emerges.
