Clop raid on Oracle EBS started months ago, say researchers
Briefly

"According to new analysis from watchTowr and CrowdStrike, the Clop extortion crew has been raiding Oracle EBS installations since early August, long before the database giant rushed out a fix for a zero-day, tracked as CVE-2025-61882, on October 4. The researchers claim the campaign is both older and wider-reaching than Oracle has admitted so far, with some victims already receiving Clop's trademark extortion emails, which threaten to leak stolen data."
"WatchTowr's analysis shows that the exploit chain, though initially complex, is now trivial to execute thanks to leaked proof-of-concept code circulating online. 'At first glance, it looked reasonably complex and required real effort to reproduce manually. But now, with working exploit code leaked, that barrier to entry is gone,' Knott warned."
Clop has been exploiting multiple vulnerabilities in Oracle E-Business Suite since early August 2025, exfiltrating large amounts of data and issuing extortion demands to some victims. Oracle released a patch for CVE-2025-61882 on October 4, but attackers had already combined that zero-day with earlier flaws to build an effective attack chain. Proof-of-concept exploit code leaked online has simplified the chain, making exploitation trivial for less-skilled attackers and removing previous reproduction barriers. Large, heavily customized Oracle EBS deployments complicate emergency patching and mitigation, increasing exposure and operational disruption risk for affected organizations. CrowdStrike telemetry corroborates early exploitation timelines.
Read at Theregister