A critical, unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2025-61882, in Oracle E-Business Suite (EBS) has been actively exploited by a sophisticated, financially motivated threat actor since at least August 2025. The attackers, claiming affiliation with the Cl0p ransomware gang, leveraged this zero-day flaw to exfiltrate large amounts of sensitive data from numerous organizations globally before launching a widespread extortion campaign in late September. The vulnerability carries a CVSS score of 9.8 (Critical) and allows for a full system compromise without authentication. In response to the active exploitation and severe risk, the FBI issued an emergency warning urging all affected organizations to apply Oracle's patches immediately. The incident underscores the significant danger posed by zero-day vulnerabilities in widely used enterprise software, particularly when exploited by organized cybercrime groups.
The attack targets a vulnerability in the BI Publisher Integration component of Oracle's Concurrent Processing product, affecting EBS versions 12.2.3 through 12.2.14. Threat intelligence from Google and Mandiant indicates that exploitation began as early as August 9, 2025, with suspicious reconnaissance traffic detected in July. This gave the attackers a nearly two-month window to operate covertly.
The campaign became overt around September 29, 2025, when the threat actors initiated a high-volume email extortion campaign. These emails, sent to high-level executives, claimed that their organization's Oracle EBS environment had been breached and sensitive data stolen. The attackers demanded a ransom to prevent the public release of the stolen information. The group deployed a suite of custom, fileless malware—including GOLDVEIN, SAGEGIFT, SAGELEAF, and SAGEWAVE—designed to execute in memory and evade traditional file-based antivirus detection.
The attack chain likely begins with the exploitation of CVE-2025-61882. This vulnerability allows an unauthenticated attacker with network access via HTTP to achieve remote code execution. The attackers likely used this initial access to deploy their sophisticated, multi-stage malware.
- T1190 - Exploit Public-Facing Application: The initial attack vector, exploiting CVE-2025-61882 in the internet-facing Oracle EBS.
- T1071.001 - Application Layer Protocol: Web Protocols: Used for initial exploitation and likely for command and control (C2) communications.
- T1059.006 - Command and Scripting Interpreter: Python: The fileless malware components are reportedly written in languages like C++ and Java, but post-exploitation scripts are common.
- T1003 - OS Credential Dumping: The SAGEGIFT malware component is a keylogger and credential harvester, used to steal credentials for lateral movement.
- T1048 - Exfiltration Over Alternative Protocol: Attackers exfiltrated large volumes of data, likely using encrypted channels to avoid detection.
- T1486 - Data Encrypted for Impact: While not a traditional ransomware attack that encrypts on-site, the threat of data release serves the same extortion purpose.

The impact of this campaign is severe and widespread. Harvard University has publicly confirmed it was a victim, and dozens of other organizations across healthcare, finance, and supply chain sectors are believed to be affected. The exfiltrated data, which includes sensitive customer and corporate information, exposes victims to significant financial loss, regulatory fines (e.g., under GDPR or HIPAA), and reputational damage. The American Hospital Association (AHA) specifically warned of the grave risk to the healthcare sector, a major user of Oracle EBS and a primary target of cybercrime. The attackers' long dwell time allowed for deep infiltration and comprehensive data theft, making recovery and damage assessment incredibly complex.
| Type | Value | Description |
|---|---|---|
| CVE | CVE-2025-61882 | Critical RCE in Oracle EBS BI Publisher Integration. |
| CVE | CVE-2025-61884 | Related vulnerability patched by Oracle. |
| Malware Family | GOLDVEIN | Initial access and validation tool. |
| Malware Family | SAGEGIFT | Keylogger and credential harvester. |
| Malware Family | SAGELEAF | Reconnaissance tool. |
| Malware Family | SAGEWAVE | Backdoor and data exfiltration tool. |
| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| url_pattern | `*/OA_HTML/BneViewer*` | Potential exploitation path related to the BI Publisher component. | Web server logs, WAF logs | medium |
| url_pattern | `*/OA_HTML/ibeCA*` | Another potential area for suspicious requests in EBS. | Web server logs, WAF logs | medium |
| process_name | FNDLIBR | The Concurrent Manager process in Oracle EBS. Monitor for anomalous child processes. | EDR, Sysmon logs (Event ID 1) | high |
| command_line_pattern | `java -jar` | The GOLDVEIN validator is a Java application. Look for suspicious Java processes spawned by the Oracle application user. | EDR, Sysmon logs (Event ID 1) | high |
| network_traffic_pattern | Unusual outbound connections from EBS servers | Monitor for large data transfers or connections to non-standard ports or untrusted IPs from EBS application servers. | Netflow, Firewall logs, IDS/IPS | high |
Security teams should immediately hunt for signs of compromise dating back to July 2025.
404 or 500 errors, or requests from known malicious IP addresses.

Response actions should prioritize isolating compromised systems, applying the Oracle patches, and initiating a full-scope incident response investigation to determine the extent of data exfiltration.
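A hunting script for the web-log indicators in the table above, written as an added example (it is not from the original article or from Oracle). It matches access-log requests against the two `/OA_HTML/` URL patterns the page lists and keeps the status code and source IP so an analyst can pivot on error responses and repeated sources; the log lines are constructed samples in Combined Log Format, and the pattern list and the 3-field record shape are assumptions.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# URL patterns taken from the hunting table on the page (glob style, as given there).
SUSPICIOUS_URL_PATTERNS = ["*/OA_HTML/BneViewer*", "*/OA_HTML/ibeCA*"]

# Combined Log Format: client ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """Match the request path (query string stripped) against the page's URL patterns."""
    path = entry["path"].split("?", 1)[0]
    return any(fnmatchcase(path, p) for p in SUSPICIOUS_URL_PATTERNS)

def hunt(lines):
    """Return (hits, per_ip_counts) for raw log lines.
    Each hit keeps ip, timestamp, method, path and status so the 404/500 responses
    and repeated source addresses the page mentions can be reviewed together."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append({k: entry[k] for k in ("ip", "ts", "method", "path", "status")})
    return hits, Counter(h["ip"] for h in hits)

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2025:02:14:11 +0000] "GET /OA_HTML/BneViewer?x=1 HTTP/1.1" 500 512
203.0.113.7 - - [10/Aug/2025:02:14:13 +0000] "POST /OA_HTML/ibeCA/foo HTTP/1.1" 404 221
198.51.100.2 - - [10/Aug/2025:02:15:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4096
203.0.113.9 - - [10/Aug/2025:03:01:45 +0000] "GET /OA_HTML/BneViewer HTTP/1.1" 200 1024
""".splitlines()

if __name__ == "__main__":
    hits, by_ip = hunt(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(by_ip.most_common())
```

Run it against the real access logs of the EBS web tier going back to July 2025; a hit on its own is only a lead, so review the matched requests alongside WAF logs and the response codes.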
Immediately apply the patches released by Oracle to remediate CVE-2025-61882 and CVE-2025-61884.
Mapped D3FEND Techniques: Software Update (D3-SU) countermeasure.
Restrict network access to Oracle EBS servers. Do not expose them directly to the internet if possible. Use a WAF or reverse proxy to filter traffic.
Mapped D3FEND Techniques: Network Isolation (D3-NI) measure; ensure the application is not directly exposed to the internet. If it must be, use a WAF with strict rulesets.
Implement comprehensive logging and monitoring for EBS servers and related network traffic to detect signs of compromise.
Enforce MFA for all user accounts, especially privileged ones, to prevent misuse of stolen credentials.
Mapped D3FEND Techniques:
The most critical and immediate action is to apply the emergency patches from Oracle that address CVE-2025-61882 and CVE-2025-61884. This directly closes the initial access vector used by the attackers. Organizations must prioritize patching internet-facing Oracle E-Business Suite instances immediately. Given the 'stop-what-you're-doing' nature of the FBI warning, these patches should bypass normal testing cycles and be deployed under emergency change procedures. After patching, it is crucial to verify the patch installation was successful across all relevant application and database tiers. A vulnerability scanner should be used to confirm that the flaw is no longer detectable. This action is the primary preventative control against this specific attack campaign.
To detect potential compromise and ongoing data exfiltration, deploy Network Traffic Analysis focused on the Oracle EBS servers. Security teams should establish a baseline of normal network behavior for these servers, including typical destinations, protocols, and data volumes. Configure alerts for significant deviations from this baseline, such as connections to new or untrusted IP addresses, use of non-standard ports, or large, sustained outbound data transfers. Specifically monitor for traffic patterns matching the SAGEWAVE backdoor's C2 communication or data exfiltration. This detective control is vital for identifying compromised systems that were breached before patches could be applied, allowing incident response teams to contain the threat.
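The baseline-and-deviation logic described above, as an added example that is not part of the original article. It learns the expected destinations, ports and per-flow byte sizes for the EBS application tier from a trusted window of flow records, then flags later egress that goes to a new destination, uses a port never seen in the baseline, or is far larger than normal; the flow-record fields, the z-score threshold and all addresses are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed: address of the EBS application tier whose egress we baseline.
EBS_SERVERS = {"10.0.5.10"}

def build_baseline(flows):
    """Learn normal egress from a trusted window: destinations, ports, flow sizes."""
    egress = [f for f in flows if f["src"] in EBS_SERVERS]
    sizes = [f["bytes"] for f in egress]
    return {
        "dests": {f["dst"] for f in egress},
        "ports": {f["dport"] for f in egress},
        "mean": mean(sizes),
        "sd": pstdev(sizes),
    }

def flag_flows(flows, baseline, z=3.0):
    """Return a list of (flow, reasons) for EBS egress that deviates from the baseline.
    Volume is judged by z-score against the baseline flow sizes (threshold is an assumption)."""
    out = []
    for f in flows:
        if f["src"] not in EBS_SERVERS:
            continue
        reasons = []
        if f["dst"] not in baseline["dests"]:
            reasons.append("new destination")
        if f["dport"] not in baseline["ports"]:
            reasons.append(f"port {f['dport']} not seen in baseline")
        if baseline["sd"] and (f["bytes"] - baseline["mean"]) / baseline["sd"] > z:
            reasons.append("outbound volume far above baseline")
        if reasons:
            out.append((f, reasons))
    return out

# Constructed sample flows (not real telemetry): DB tier on 1521, an internal web service
# on 443, then candidate flows including a large transfer to an unknown external host.
BASELINE_FLOWS = [
    {"src": "10.0.5.10", "dst": "10.0.5.20", "dport": 1521, "bytes": b}
    for b in (50_000, 55_000, 60_000, 52_000, 58_000)
] + [{"src": "10.0.5.10", "dst": "10.0.5.30", "dport": 443, "bytes": 20_000}]

CANDIDATE_FLOWS = [
    {"src": "10.0.5.10", "dst": "10.0.5.20", "dport": 1521, "bytes": 54_000},
    {"src": "10.0.5.10", "dst": "198.51.100.77", "dport": 8443, "bytes": 2_000_000_000},
    {"src": "10.0.5.10", "dst": "10.0.5.30", "dport": 443, "bytes": 9_000_000},
    {"src": "10.0.5.99", "dst": "198.51.100.77", "dport": 8443, "bytes": 5_000},
]

if __name__ == "__main__":
    for flow, why in flag_flows(CANDIDATE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(flow["dst"], flow["dport"], why)
```

In production the baseline window must predate the earliest suspected activity (the page dates reconnaissance to July 2025), otherwise attacker traffic is learned as normal.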
On the Oracle EBS hosts, implement detailed process monitoring to detect the execution of the fileless malware suite (SAGEGIFT, SAGELEAF, SAGEWAVE). Use an EDR solution or native tools like Sysmon to log all process creations and their parent-child relationships. Specifically, monitor the FNDLIBR process (Concurrent Manager) and other core EBS processes for spawning anomalous child processes like cmd.exe, powershell.exe, or unexpected java instances. Since the malware is fileless, detection should focus on behavioral indicators like memory injection, suspicious API calls, and network connections originating from legitimate Oracle processes. This technique is crucial for identifying post-exploitation activity on already-compromised servers.
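A process-tree detection for the behaviour described above, added here as an example (not from the original article). It walks Sysmon Event ID 1 records and alerts when FNDLIBR spawns cmd.exe, powershell.exe or java, or when a `java -jar` command line runs as the Oracle application OS user, which the page's indicator table flags for GOLDVEIN; the records are constructed, and the `applmgr` account name and the exact field names are assumptions.

```python
# Parent process the page names as the watch point: FNDLIBR (Concurrent Manager).
WATCHED_PARENTS = {"FNDLIBR"}
# Child images the page calls out as anomalous under that parent.
ANOMALOUS_CHILDREN = {"cmd.exe", "powershell.exe", "java", "java.exe"}
# Assumption: the Oracle application OS user; the page only says "Oracle application user".
APP_USER = "applmgr"

def _image_name(path):
    """Basename of an image path, lower-cased, accepting both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify_event(evt):
    """Return an alert dict for one Sysmon Event ID 1 record, or None if nothing matched.
    (a) watched parent spawning a listed child; (b) 'java -jar' under the app user."""
    if evt.get("EventID") != 1:
        return None
    parent = _image_name(evt.get("ParentImage", ""))
    child = _image_name(evt.get("Image", ""))
    cmdline = evt.get("CommandLine", "").lower()
    user = evt.get("User", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    reasons = []
    if parent.split(".")[0].upper() in WATCHED_PARENTS and child in ANOMALOUS_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    if "java -jar" in cmdline and user == APP_USER:
        reasons.append("java -jar launched as Oracle application user")
    if not reasons:
        return None
    return {"pid": evt.get("ProcessId"), "parent": parent, "child": child, "reasons": reasons}

def scan(records):
    """Run classify_event over a batch of records and keep only the alerts."""
    return [a for a in (classify_event(r) for r in records) if a]

# Constructed sample records using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\oracle\apps\FNDLIBR.exe",
     "ParentImage": r"C:\oracle\apps\FNDLIBR.exe", "CommandLine": "FNDLIBR FND CPMGR",
     "User": r"EBSHOST\applmgr"},
    {"EventID": 1, "ProcessId": 4133, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\oracle\apps\FNDLIBR.exe", "CommandLine": "cmd.exe /c dir",
     "User": r"EBSHOST\applmgr"},
    {"EventID": 1, "ProcessId": 4150, "Image": r"C:\jdk\bin\java.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"java -jar C:\tmp\x.jar",
     "User": r"EBSHOST\applmgr"},
    {"EventID": 3, "ProcessId": 4160, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\oracle\apps\FNDLIBR.exe", "CommandLine": "cmd.exe", "User": "x"},
]
```

Because the malware is fileless, this rule only covers the process-spawn side; pair it with memory-injection and network-connection telemetry from the same EDR.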

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.