
"New analysis by Google Threat Intelligence Group (GTIG) and Mandiant indicates that, while the criminals likely exploited what may be CVE-2025-61882 as a zero-day as early as August 9, weeks before Oracle developed a patch, suspicious HTTP traffic targeting Oracle EBS servers began on July 10. "We're still assessing the scope of this incident, but we believe it affected dozens of organizations," John Hultquist, chief analyst at Google Threat Intelligence Group, told The Register. "Some historic Clop data extortion campaigns have had hundreds of victims. Unfortunately, large scale zero-day campaigns like this are becoming a regular feature of cybercrime.""
"As a reminder of the timeline thus far: In late September, criminals claiming to be affiliated with the notorious Clop cybercrime mob began bombarding execs at numerous organizations with extortion emails, claiming to have stolen sensitive data from their EBS environments. On October 2, Oracle told customers that the crims may have exploited security holes that were patched in July 2025 and recommended that they apply the latest critical patch updates. Two days later, Oracle pushed an emergency patch for a zero-day bug, tracked as CVE-2025-61882, in EBS that Clop had already abused for data theft and extortion."
Suspicious HTTP traffic targeting Oracle E-Business Suite servers began on July 10, with intrusions likely starting as early as July and affecting dozens of organizations. Threat investigators found evidence that criminals likely exploited CVE-2025-61882 as a zero-day as early as August 9, before Oracle released a patch. In late September, Clop-related extortion emails claimed stolen EBS data. Oracle notified customers on October 2 about possible exploitation of patched July flaws and released an emergency patch for CVE-2025-61882 on October 4. Researchers noted potential ties to other data-theft groups and ongoing large-scale zero-day campaigns.
Read at The Register