Hackers exploit critical Oracle E-Business vulnerability to target and extort corporate executives amid mass data theft campaign
Oracle Faces Zero-Day Exploit in E-Business Suite
Oracle has confirmed a zero-day vulnerability in its widely used E-Business Suite that allowed hackers to steal sensitive executive data. The flaw, tracked as CVE-2025-61882, could be exploited remotely without login credentials, making it especially dangerous for organizations.
- Zero-day status means Oracle had no time to patch before exploitation began.
- The vulnerability allowed hackers to bypass authentication and access sensitive systems.
- Oracle released an urgent security patch and advised all users to update immediately.
Clop Hackers Behind Targeted Extortion Campaign
The Clop ransomware group, known for prior high-profile cyberattacks, was identified as the perpetrator behind the exploit. The group used the vulnerability to launch a mass data theft and extortion campaign, specifically targeting corporate executives.
- Victims began receiving extortion emails demanding ransom to avoid exposure.
- Emails were sent around September 29, targeting Oracle users directly.
- The attackers threatened to publish executive personal data online.
Executive-Level Targets and Data at Risk
Oracle’s E-Business Suite is used by thousands of global enterprises, handling sensitive HR and customer data. The attack focused on stealing executive-level personal information, increasing the stakes and urgency for affected companies.
- Hackers accessed employee records and customer files.
- Stolen data was used to intimidate and extort corporate decision-makers.
- Some executives received emails, but many victims remain unaware.
Timeline Reveals Prolonged Exploitation
The campaign’s timeline indicates that much of the exploitation occurred in August, shortly after Oracle’s previous patch release in July. This suggests that Clop exploited previously unknown flaws, adapting quickly to security updates.
- The flaw was not identified until widespread misuse was detected.
- Oracle’s earlier assumption that extortion had ceased was premature.
- Google’s Mandiant division confirmed the ongoing nature of the attack.
Oracle Responds with Indicators of Compromise
In response, Oracle’s Chief Security Officer Rob Duhart updated the company’s advisory, now providing indicators of compromise (IOCs). These help customers check if their systems were breached and determine the scope of potential exposure.
- Oracle advises immediate installation of the newest security patch.
- Security teams are urged to monitor networks for IOC activity.
- The company’s shift in tone signals the seriousness and persistence of the threat.









