In October 2025, Google’s Threat Intelligence Group and Mandiant revealed a sophisticated campaign targeting organizations using Oracle’s E-Business Suite (EBS). Dozens of companies were compromised via a zero-day flaw (CVE-2025-61882, CVSS 9.8), with intrusion activity traced back to August 2025.
While the full breadth of damage is still under investigation, the breach displays classic extortion tactics seen in prior CL0P operations: demanding ransom payments for non-disclosure of stolen data.
How the Attack Worked
- Attackers chained multiple vulnerabilities (SSRF, CRLF injection, authentication bypass, and XSL template injection) to trigger remote code execution in Oracle EBS servers. A key exploit path involved abusing the /OA_HTML/SyncServlet component and injecting malicious XSL payloads.
- The payloads included GOLDVEIN.JAVA, a downloader variant, and a loader named SAGEGIFT designed to deploy further malicious components. These allowed attackers to establish reverse shells, carry out reconnaissance, and maintain persistence.
- Compromised accounts (e.g. “applmgr”) were used for internal movement and executing commands via Java and Bash processes.
- To initiate the extortion portion, adversaries launched a high-volume email campaign beginning September 29, 2025. They sent messages to executives from previously compromised third-party accounts, claiming exfiltration of Oracle EBS data and demanding ransom.
- Although none of the victims have yet been listed on CL0P’s public data leak site, the pattern is consistent with previous campaigns where the threat actors delay disclosure.
Lessons for Critical Industries
Though this incident targeted Oracle EBS infrastructure, the risk spans multiple sectors that rely on enterprise applications:
- Financial Services & FinTech – heavy use of ERP systems for accounting, client data, and billing
- Retail & Consumer Goods – inventory, supply chain, order data often managed in integrated systems
- Manufacturing / Industrial – operations, procurement, and vendor management handled via ERP suites
- Healthcare / Life Sciences – administrative systems, billing, supplier systems
- Government & Public Sector – public services, resource planning, interdepartmental data transfers
In these sectors, compromising an ERP system like Oracle EBS can lead to widespread data exposure, disruption of business continuity, and regulatory consequences.
Defensive Measures to Prioritize
- Apply Security Patches Promptly: Ensure Oracle EBS systems are updated to versions where CVE-2025-61882 is patched.
- Harden Input Surfaces: Block or validate use of XSL processing and template preview endpoints, and restrict use of vulnerable servlet components.
- Deploy Intrusion Detection / Web Application Firewalls (WAFs): Monitor for SSRF or template injection patterns, abnormal requests, and outbound connections from application servers.
- Least Privilege & Segmentation: Limit access of application accounts (like “applmgr”) and isolate EBS infrastructure from general network zones.
- Behavioral Monitoring & Threat Hunting: Monitor for sudden internal process spawning, binaries executed from unexpected paths, or network connections to unusual endpoints.
- Email Authentication & Spoof Protection: Harden email systems and executive inboxes to resist extortion campaigns sent via compromised third-party accounts.
- Red Team & Attack Simulation: Emulate chained exploit paths (SSRF → template injection → code execution) to test defenses and response playbooks.
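The monitoring items above (abnormal requests to vulnerable servlet components, shells spawned from the Java application process under an account such as “applmgr”, binaries run from unexpected paths, and unexpected outbound connections from application servers) can be turned into concrete triage rules. The script below is an added example, not code from the original post or from COE Security; it runs the rules over constructed sample telemetry (web access log lines, process-creation events, and connection records). The internal network ranges, the egress allowlist, the scratch-directory list and all sample values are assumptions for illustration, and only /OA_HTML/SyncServlet is taken from the write-up.

```python
"""Triage constructed EBS application-server telemetry against the monitoring
guidance in the post. Added example, not the post's or COE Security's code.
Network ranges, allowlists, account names and all sample data are assumptions."""
import re
from ipaddress import ip_address, ip_network

# ---- assumptions about the environment (adjust per deployment) -------------
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed internal ranges
RESTRICTED_PATHS = ("/OA_HTML/SyncServlet",)   # servlet named in the write-up; extend with template/preview endpoints
APP_ACCOUNTS = {"applmgr"}                      # application service account named in the write-up
SHELLS = {"bash", "sh", "dash", "zsh"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
EGRESS_ALLOW = {("10.20.0.50", 1521), ("10.20.0.60", 443)}  # assumed: DB listener and patch mirror

# ---- constructed sample telemetry (not real log data) -----------------------
ACCESS_LOG = """\
10.20.0.8 - - [01/Oct/2025:10:01:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [01/Oct/2025:10:01:09 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312 "-" "python-requests/2.31"
10.20.0.9 - - [01/Oct/2025:10:02:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.20.0.8 - - [01/Oct/2025:10:02:15 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/webui/HomePG HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

PROCESS_EVENTS = [  # EDR/auditd-style process creations on the app tier (constructed)
    {"ts": "2025-10-01T10:01:10Z", "host": "ebs-app-01", "user": "applmgr",
     "parent": "/usr/java/latest/bin/java", "image": "/usr/bin/bash", "cmdline": "bash -c 'id; hostname'"},
    {"ts": "2025-10-01T10:01:30Z", "host": "ebs-app-01", "user": "applmgr",
     "parent": "/usr/java/latest/bin/java", "image": "/usr/java/latest/bin/java", "cmdline": "java -cp /u01/app/lib oracle.apps.Worker"},
    {"ts": "2025-10-01T10:03:00Z", "host": "ebs-app-01", "user": "root",
     "parent": "/usr/sbin/sshd", "image": "/usr/bin/bash", "cmdline": "-bash"},
    {"ts": "2025-10-01T10:04:12Z", "host": "ebs-app-01", "user": "applmgr",
     "parent": "/usr/bin/bash", "image": "/tmp/.cache/updater", "cmdline": "/tmp/.cache/updater"},
]

CONNECTIONS = [  # netflow-style records with the app server as source (constructed)
    {"host": "ebs-app-01", "src": "10.20.0.5", "dst": "10.20.0.50", "dport": 1521},
    {"host": "ebs-app-01", "src": "10.20.0.5", "dst": "203.0.113.44", "dport": 443},
    {"host": "ebs-app-01", "src": "10.20.0.5", "dst": "10.20.0.60", "dport": 443},
]

# Apache/OHS combined log format: ip ident user [ts] "METHOD PATH PROTO" status bytes "referer" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_access_log(text: str) -> list[dict]:
    """Flag hits on restricted servlets that did not originate inside the estate."""
    alerts = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if path.startswith(RESTRICTED_PATHS) and not is_internal(m["ip"]):
            alerts.append({"source": "web", "rule": "restricted-servlet-external",
                           "ip": m["ip"], "path": path, "ua": m["ua"]})
    return alerts


def triage_process_events(events: list[dict]) -> list[dict]:
    """Flag shells spawned by the Java application process under an app account,
    and any binary executed from a scratch directory."""
    alerts = []
    for ev in events:
        parent = ev["parent"].rsplit("/", 1)[-1]
        image = ev["image"].rsplit("/", 1)[-1]
        if parent == "java" and image in SHELLS and ev["user"] in APP_ACCOUNTS:
            alerts.append({"source": "process", "rule": "java-spawned-shell", **ev})
        if ev["image"].startswith(SCRATCH_DIRS):
            alerts.append({"source": "process", "rule": "exec-from-scratch-dir", **ev})
    return alerts


def triage_connections(conns: list[dict]) -> list[dict]:
    """Flag outbound connections from the app tier to destinations not on the egress allowlist."""
    return [{"source": "network", "rule": "unexpected-egress", **c}
            for c in conns if (c["dst"], c["dport"]) not in EGRESS_ALLOW]


def run_all() -> list[dict]:
    return (triage_access_log(ACCESS_LOG)
            + triage_process_events(PROCESS_EVENTS)
            + triage_connections(CONNECTIONS))


if __name__ == "__main__":
    for a in run_all():
        details = ", ".join(f"{k}={v}" for k, v in a.items() if k not in ("source", "rule"))
        print(f"[{a['source']}] {a['rule']}: {details}")
```

On the sample data this raises four alerts: the external POST to SyncServlet (the internal POST on the same path is allowed by the network allowlist), the bash process that the Java application process spawned as applmgr, the binary executed from /tmp, and the HTTPS connection from the app server to an address outside the egress allowlist. Two caveats for real use: ordinary access logs do not record POST bodies, so spotting XSL payloads themselves needs a WAF or request-body logging in front of the servlet rather than this log parser; and the allowlists are only as good as their maintenance, so a restricted servlet that must stay reachable should be tied to named source addresses, not whole private ranges.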
Conclusion
This CL0P-linked campaign targeting Oracle EBS is another stark example of how threat actors are zeroing in on enterprise application vulnerabilities, especially those that serve as core systems in organizations. Attackers are increasingly able to chain multiple weaknesses, bypass defenses, and weaponize trusted infrastructure for data exfiltration and extortion.
Protection today requires more than patching. It demands deep visibility, threat modeling of application logic, tight segmentation, and scenario-based testing. The era of “trusted enterprise systems” is over; our defenses must evolve accordingly.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized CyberSecurity Services
Given threats like the Oracle EBS exploit, we also deliver ERP/enterprise application security audits, template injection and deserialization assessments, extortion simulation and resilience testing, and post-breach incident response planning customized for large systems.
Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and to stay updated and cyber safe.