TL;DR
Google Threat Intelligence Group and Mandiant tracked a mass extortion campaign beginning Sept. 29, 2025, in which an actor claiming CL0P affiliation targeted Oracle E-Business Suite (EBS) environments and sent high-volume emails to executives. The intrusions appear to have relied on zero-day exploitation of EBS components, with Oracle issuing emergency patches in October 2025.
What happened
Starting Sept. 29, 2025, researchers at GTIG and Mandiant observed a widespread extortion operation in which threat actors sent large numbers of emails to corporate executives asserting they had stolen data from Oracle E-Business Suite deployments. Investigations show intrusion activity dating back to at least July 10, 2025, with likely zero-day exploitation of EBS components observed as early as Aug. 9. The actors leveraged multiple exploit chains that targeted UiServlet and SyncServlet functionality, deployed malicious XSL/XML templates into EBS database tables, and in some cases exfiltrated substantial amounts of data. The extortion messages were delivered from many compromised third-party accounts and included contact addresses tied to the CL0P data leak site; the messages contained legitimate file listings from victims to substantiate claims. Oracle released emergency patches in early October 2025 and provided updated fixes on Oct. 11 addressing related CVEs.
Why it matters
- Mass exploitation of EBS zero-days shows how enterprise application flaws can be leveraged for broad extortion campaigns.
- The campaign combined pre-existing intrusion activity with a high-volume email phase, increasing the likelihood of successful extortion against many organizations.
- Malicious templates stored in EBS databases represent a persistent post-exploitation mechanism that can enable remote code execution and data theft.
- Oracle issued emergency fixes; organizations that have not applied the updates remain at elevated risk of compromise and extortion.
Key facts
- GTIG and Mandiant began tracking the extortion campaign on Sept. 29, 2025.
- Suspicious activity targeting Oracle EBS was observed as early as July 10, 2025, with likely zero-day exploitation beginning around Aug. 9, 2025.
- Threat actor claimed affiliation with the CL0P extortion brand and used contact addresses support@pubstorm.com and support@pubstorm.net.
- Attack chains targeted UiServlet and SyncServlet components and abused XDO Template Manager and Template Preview functionality.
- Malicious payloads were stored in the XDO_TEMPLATES_B database table with TemplateCode prefixes like TMP or DEF and TemplateType values of XSL-TEXT or XML.
- Extortion emails were sent from hundreds or thousands of compromised third-party accounts whose credentials were likely sourced from infostealer logs.
- Oracle released patches on Oct. 4, 2025 addressing CVE-2025-61882 and issued an additional patch on Oct. 11, 2025 for CVE-2025-61884.
- In some incidents, investigators confirmed significant data exfiltration; as of the report, GTIG had not observed victims posted on the CL0P data leak site.
What to watch next
- Monitor web server logs for POST requests to /OA_HTML/SyncServlet and for requests to /OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG that carry a TemplateCode parameter; the source treats both as high-fidelity indicators of compromise.
- Look for unexpected entries in the XDO_TEMPLATES_B database table with TemplateCode prefixes like TMP or DEF and TemplateType set to XSL-TEXT or XML.
- Track email threats claiming EBS breaches that originate from large numbers of diverse third-party accounts and use support@pubstorm.com or support@pubstorm.net as contact points.
- Whether targeted victims will be published on the CL0P data leak site is not confirmed in the source.
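The two hunting checks above, as an added example that is not part of the GTIG report or of Oracle's tooling: a small Python script that scans web access log lines for the two HTTP indicators (POST to /OA_HTML/SyncServlet, and OA.jsp requests for TemplatePreviewPG with a TemplateCode parameter) and then runs the XDO_TEMPLATES_B query against an in-memory SQLite stand-in for the table. The log lines and template rows are constructed for the example; the column names TEMPLATE_CODE and TEMPLATE_TYPE_CODE are an assumption about the EBS schema and should be verified against your release before the query is run for real.

```python
import re
import sqlite3
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format. Hosts, timestamps and
# template codes are invented; only the URL paths come from the indicators above.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [09/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2025:03:14:09 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMPAB12&TemplateType=XSL-TEXT HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2025:03:15:00 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2025:03:15:02 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PREVIEW_PAGE = "/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG"


def classify_request(method: str, target: str) -> Optional[str]:
    """Return the name of the matching indicator for one request, or None."""
    parts = urlsplit(target)
    path = parts.path
    # Indicator 1: the report names POST to SyncServlet specifically.
    if method == "POST" and path.endswith("/SyncServlet"):
        return "post_syncservlet"
    # Indicator 2: TemplatePreviewPG loaded with a TemplateCode parameter.
    # parse_qs percent-decodes, so an encoded page= value still matches.
    if path.endswith("/OA.jsp"):
        params = parse_qs(parts.query)
        if PREVIEW_PAGE in params.get("page", []) and "TemplateCode" in params:
            return "template_preview"
    return None


def scan_access_log(text: str) -> list:
    """Parse combined-format lines and return one dict per indicator hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip instead of guessing
        indicator = classify_request(m["method"], m["target"])
        if indicator:
            hits.append({"ip": m["ip"], "ts": m["ts"], "indicator": indicator,
                         "status": int(m["status"]), "target": m["target"]})
    return hits


# Column names are an assumption about XDO_TEMPLATES_B (see lead-in); the
# predicate itself follows the indicator: TMP/DEF prefix plus XSL-TEXT or XML type.
TEMPLATE_HUNT_SQL = """
SELECT TEMPLATE_CODE, TEMPLATE_TYPE_CODE, CREATION_DATE
FROM XDO_TEMPLATES_B
WHERE (TEMPLATE_CODE LIKE 'TMP%' OR TEMPLATE_CODE LIKE 'DEF%')
  AND TEMPLATE_TYPE_CODE IN ('XSL-TEXT', 'XML')
ORDER BY CREATION_DATE
"""


def build_sample_templates_db() -> sqlite3.Connection:
    """In-memory stand-in for XDO_TEMPLATES_B populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE XDO_TEMPLATES_B ("
        "TEMPLATE_CODE TEXT, TEMPLATE_TYPE_CODE TEXT, CREATION_DATE TEXT)"
    )
    conn.executemany(
        "INSERT INTO XDO_TEMPLATES_B VALUES (?, ?, ?)",
        [
            ("APXPOSTCHECK", "RTF", "2019-03-02"),   # ordinary seeded template
            ("TMPAB12", "XSL-TEXT", "2025-08-09"),   # prefix and type both match
            ("DEFQ9", "XML", "2025-08-10"),          # prefix and type both match
            ("TMPLATE_OLD", "RTF", "2018-01-01"),    # prefix matches, type does not
        ],
    )
    return conn


def hunt_templates(conn: sqlite3.Connection) -> list:
    """Run the hunting query and return the suspicious template rows."""
    return conn.execute(TEMPLATE_HUNT_SQL).fetchall()


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("HTTP", hit["ts"], hit["ip"], hit["indicator"], hit["target"])
    for row in hunt_templates(build_sample_templates_db()):
        print("DB  ", *row)
```

The HTTP rule deliberately mirrors the indicator as stated (POST only for SyncServlet), which is why the GET to SyncServlet in the sample is not flagged; widen it if your environment never legitimately calls that servlet at all. The template query will also surface any legitimately created templates that happen to use a TMP or DEF prefix, so compare results against a known-good baseline and the CREATION_DATE before treating a row as malicious.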
Quick glossary
- Zero-day vulnerability: A software flaw unknown to the vendor or without an available patch at the time it is exploited by attackers.
- Oracle E-Business Suite (EBS): A suite of integrated business applications from Oracle used for enterprise resource planning, supply chain, and other business processes.
- XSLT / XSL: Extensible Stylesheet Language Transformations, a language for transforming XML documents; when the processor allows extension functions, a malicious stylesheet can execute code on the server that renders it, which is why attacker-controlled templates are dangerous.
- Extortion campaign: A criminal operation that threatens publication of stolen data or disruption unless a ransom or payment is made.
- Server-Side Request Forgery (SSRF): An attack where a vulnerable server is tricked into making unintended requests, potentially exposing internal resources.
Reader FAQ
Did attackers exploit a zero-day in Oracle EBS?
Researchers observed likely zero-day exploitation of Oracle EBS components beginning in August 2025, though exact mappings between all exploit chains and specific CVEs remain unclear.
Has Oracle released fixes for the vulnerabilities?
Oracle issued emergency patches in early October 2025 and released additional updates; specifically, fixes related to CVE-2025-61882 and CVE-2025-61884 were published.
Were victims posted on the CL0P data leak site?
As of the report, GTIG had not observed victims from this campaign posted on the CL0P data leak site.
Who is responsible for the campaign?
The actor claimed affiliation with the CL0P brand, but attribution to a specific group or overlaps with FIN11 were not definitively confirmed in the source.

Written by: Peter Ukhanov, Genevieve Stark, Zander Work, Ashley Pearson, Josh Murchie, Austin Larsen
Update (Oct. 11): On Oct. 11, Oracle released another patch, addressing CVE-2025-61884.
Introduction
Beginning Sept. 29,…
Sources