Article Title: Canon Targeted in Clop Ransomware Attack Exploiting Oracle E-Business Suite Zero-Day
Canon Inc., the Japanese imaging and optical products maker, has confirmed a cybersecurity incident involving the Clop ransomware group. The attackers exploited a critical zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882, to gain unauthorized access to a Canon system running the suite.
Incident Overview
The Clop ransomware group, notorious for targeting enterprise software vulnerabilities, listed Canon on its dark web leak site, its usual signal that data was taken. Canon acknowledged the attack, stating that it was confined to a specific environment within one of its U.S. subsidiaries. The company emphasized that the breach did not extend to its broader network or disrupt global operations.
In a statement, Canon reported that the intrusion was detected promptly and the affected systems were isolated immediately. The company said the compromised web server had been secured and services resumed, and that an investigation is still under way to confirm there was no further impact. Canon has not said what data, if any, was taken.
Exploitation of Oracle E-Business Suite Vulnerability
The attackers leveraged CVE-2025-61882, a critical vulnerability in Oracle EBS versions 12.2.3 through 12.2.14. The flaw is reachable over HTTP without credentials and leads to remote code execution on the EBS application server, which is why it carries a CVSS score of 9.8. Any EBS instance whose `/OA_HTML/` interface is exposed to the internet is therefore reachable by anyone who knows the chain.
Security researchers observed that Clop affiliates began exploiting this vulnerability as early as August 2025, deploying web shells and exfiltrating data roughly two months before Oracle released a patch in October. The observed chain started with HTTP POST requests to the `/OA_HTML/SyncServlet` endpoint, which let the attacker bypass authentication. With that foothold, the attackers used the XML Publisher Template Manager to upload malicious templates, which executed attacker-controlled code when the template was previewed. The practical consequence for defenders is that a patch alone does not evict an intruder who was already in: web shells and uploaded templates have to be hunted for separately.
Indicators of Compromise (IoCs)
Organizations are advised to search web server access logs, firewall logs, and EBS application hosts for the following IoCs associated with this attack:
– IPv4 Address: 200.107.207.26 (Malicious command and control server)
– IPv4 Address: 185.181.60.11 (Observed exploitation source)
– SHA256 Hash: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d (Malicious zip archive containing exploit tools)
– SHA256 Hash: 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b (Python script used for server-side exploitation)
– File Name: FileUtils.java (Malicious web shell downloader)
Clop Ransomware Group’s Tactics
The Clop ransomware group has a history of exploiting zero-day vulnerabilities in enterprise software to conduct large-scale extortion campaigns, and it typically steals data without deploying file-encrypting ransomware. In this instance, the group sent a mass email campaign to executives across many organizations, claiming to have stolen data from their Oracle EBS applications. The emails threatened to publish the data unless a ransom was paid, with some demands reported to reach $50 million.
The group's methodology is consistent across campaigns: exploit the vulnerability for initial access, deploy web shells for persistence, and exfiltrate sensitive data before anyone notices. They often provide victims with proof of compromise, such as file listings or screenshots, to substantiate their claims and pressure organizations into paying.
Oracle’s Response and Mitigation Measures
Oracle responded to the discovery of CVE-2025-61882 by issuing an out-of-band Security Alert with patches, separate from its regular quarterly Critical Patch Update, and strongly recommends that customers apply them immediately. Oracle's advisory notes that the October 2023 Critical Patch Update is a prerequisite for the fix, so instances that have fallen behind on quarterly patching have more to install than a single alert. The advisory also includes indicators of compromise to assist organizations in detecting intrusions that predate the patch.
Organizations using Oracle EBS are urged to:
1. Apply Patches Promptly: Apply the Security Alert patches for CVE-2025-61882, together with the October 2025 Critical Patch Update, without delay. Because exploitation began in August, patching should be treated as the start of a response, not the end of one.
2. Monitor for IoCs: Search web server access logs and EBS hosts for the indicators above, and look for web shells and unexpected XML Publisher templates regardless of whether a listed IP or hash matches.
3. Enhance Security Posture: Multi-factor authentication, network segmentation, and regular security audits limit what an attacker can reach after a foothold, but they do not stop a pre-authentication remote code execution flaw. Restricting internet exposure of the EBS web tier, in particular `/OA_HTML/`, to known networks or a VPN removes the exposure that this campaign relied on.
Conclusion
The Canon incident highlights the importance of timely patch management, but also its limits: the vulnerability was exploited for roughly two months before a fix existed, so only reduced exposure and active hunting could have caught the intrusion earlier. As cyber threats continue to evolve, organizations must remain vigilant, ensuring that vulnerabilities are addressed promptly and that systems exposed to the internet are watched for signs of compromise, to protect sensitive data and maintain operational integrity.