A collaboration between the Google Threat Intelligence Group (GTIG) and Mandiant has revealed an alarming extortion campaign that exploits a zero-day vulnerability in Oracle E-Business Suite (EBS). The group responsible, which shows affinity with the well-known CL0P brand, has carried out months of silent intrusion and data exfiltration, culminating in a series of extortion emails addressed to executives in several sectors beginning on September 29, 2025. Oracle has responded by publishing emergency patches and urges that they be applied immediately.
The vulnerability, identified as CVE-2025-61882 with a CVSS score of 9.8, has been exploited since July 2025. The main objective has been to access Oracle EBS, a critical platform for finance, purchasing, human resources, and operations. The extortion campaign has used emails sent from compromised accounts, displaying real lists of stolen files to lend credibility to their demands.
The intrusion exploited two vulnerabilities in EBS, in the UiServlet and SyncServlet components, which allowed remote code execution without authentication. Once inside, the attackers used a set of sophisticated tools, including the GOLDVEIN.JAVA variant, to connect to command-and-control (C2) servers and deploy additional payloads.
The campaign poses a serious risk due to access to critical data stored in EBS, the use of in-memory payloads that hinder detection by security systems, and CL0P's ability to carry out large-scale repeated attacks.
In light of this threat, experts recommend immediate measures: apply the emergency patches, audit XDO templates to detect unusual activities, limit Internet access from EBS servers, intensify monitoring, and be prepared to respond to extortion situations.
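The XDO template audit recommended above can be started from the EBS database itself. The query below is an added illustration, not part of the original article or of Oracle's or Mandiant's guidance: it lists templates and template files (in `XDO_TEMPLATES_B` and `XDO_LOBS`) created or changed inside a review window, so an analyst can compare them against legitimate change records. The table and column names follow the standard EBS XDO schema as the author of this example knows it, and the 90-day window and the `CHANGE_SOURCE` label are assumptions to adjust for the environment.

```sql
-- Added example (not from the article): surface recently created or modified
-- XML Publisher (XDO) templates for manual review against known change tickets.
-- Assumption: standard EBS XDO schema (XDO_TEMPLATES_B, XDO_LOBS); the 90-day
-- window is a placeholder and should be widened to cover the suspected period.

-- 1) Template definitions created or updated inside the review window.
SELECT t.application_short_name,
       t.template_code,
       t.template_type_code,
       t.created_by,
       t.creation_date,
       t.last_updated_by,
       t.last_update_date,
       CASE
         WHEN t.creation_date >= SYSDATE - 90 THEN 'NEW_TEMPLATE'
         ELSE 'MODIFIED_TEMPLATE'
       END AS change_source            -- constructed label for triage
FROM   xdo_templates_b t
WHERE  t.creation_date    >= SYSDATE - 90
   OR  t.last_update_date >= SYSDATE - 90
ORDER  BY GREATEST(t.creation_date, t.last_update_date) DESC;

-- 2) Template file contents (LOBs) touched inside the same window.
--    A file whose LOB was rewritten but whose definition row was not is
--    worth a closer look, as is any template code with no matching
--    change record in the organisation's deployment history.
SELECT l.application_short_name,
       l.lob_code,
       l.lob_type,
       l.xdo_file_type,
       l.file_name,
       l.created_by,
       l.creation_date,
       l.last_updated_by,
       l.last_update_date,
       DBMS_LOB.GETLENGTH(l.file_data) AS file_bytes
FROM   xdo_lobs l
WHERE  l.creation_date    >= SYSDATE - 90
   OR  l.last_update_date >= SYSDATE - 90
ORDER  BY GREATEST(l.creation_date, l.last_update_date) DESC;

-- 3) Joined view: LOBs whose definition row is missing or older than the LOB.
--    Rows returned here are candidates for review, not proof of compromise.
SELECT l.application_short_name,
       l.lob_code,
       l.last_update_date  AS lob_updated,
       t.last_update_date  AS definition_updated
FROM   xdo_lobs l
LEFT   JOIN xdo_templates_b t
       ON  t.application_short_name = l.application_short_name
       AND t.template_code          = l.lob_code
WHERE  l.last_update_date >= SYSDATE - 90
  AND (t.template_code IS NULL OR t.last_update_date < l.last_update_date)
ORDER  BY l.last_update_date DESC;
```

Run these as a read-only database user and export the results for comparison with the change-management record; templates that appear in the output without a corresponding approved change are the ones to escalate to incident response, alongside the patching and egress restrictions the article recommends.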
The situation underscores the importance of rapid patching and of being alert to indicators of compromise to mitigate any potential damage and protect critical information.
More information and references in Cloud News.