Oracle Corporation has recently addressed a critical zero-day vulnerability in its E-Business Suite, a flagship business software product, which was actively exploited by the notorious Clop hacking group to steal personal information of corporate executives. The vulnerability, officially designated as CVE-2025-61882, allowed attackers to gain unauthorized access over a network without a username or password.
In a security advisory updated over the weekend, Oracle’s Chief Security Officer, Rob Duhart, announced the release of a patch to rectify this flaw and strongly urged customers to implement the update promptly. The advisory also provided indicators of compromise to assist organizations in identifying potential breaches within their systems.
Oracle’s E-Business Suite is utilized by thousands of organizations globally to manage critical operations, including customer data and employee human resources files. The exploitation of this zero-day vulnerability posed a significant risk to the confidentiality and integrity of sensitive information stored within these systems.
The term zero-day refers to vulnerabilities that are exploited by attackers before the software vendor becomes aware of them, leaving no time (zero days) for the vendor to develop and distribute a fix. In this instance, Oracle was unaware of the flaw until it was actively being exploited by the Clop group.
This development marks a shift from Oracle’s earlier stance. Initially, the company acknowledged that some executives had received extortion emails linked to previously identified vulnerabilities patched in July, which suggested that the extortion campaign had concluded. However, the discovery of this new zero-day vulnerability indicates that the Clop hackers continued to exploit unknown flaws in Oracle’s E-Business software.
The extortion attempts targeting corporate executives came to light last week. On October 2, Google security researchers reported that the Clop group, known for numerous ransomware attacks and extortion attempts in recent years, had been sending emails to Oracle executives around September 29. These emails demanded payment to prevent the online publication of their personal information.
Charles Carmakal, Chief Technology Officer of Google’s incident response unit Mandiant, stated in a LinkedIn post that the vulnerabilities in Oracle’s E-Business software were being exploited in a mass exploitation campaign aimed at data theft and extortion. He noted that much of the exploitation occurred during August, following the release of patches in July.
Clop has been sending extortion emails to several victims since last Monday, Carmakal said, adding that the hackers have not yet reached out to all potential victims.