{"id":133953,"date":"2025-11-21T03:38:16","date_gmt":"2025-11-21T03:38:16","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=133953"},"modified":"2025-11-21T03:38:38","modified_gmt":"2025-11-21T03:38:38","slug":"oracle-breach-clop-ransomware","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/","title":{"rendered":"Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack"},"content":{"rendered":"\n

The notorious Clop ransomware<\/a> gang has listed Oracle on its dark web leak site, alleging a successful breach of the tech giant’s internal systems.<\/p>\n\n\n\n

This development is part of a massive extortion campaign exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS), designated as CVE-2025-61882<\/a>.<\/p>\n\n\n\n

The group, tracked as Graceful Spider, claims to have exfiltrated sensitive data from Oracle and dozens of its high-profile customers, marking a significant escalation in supply chain attacks reminiscent of the MOVEit incident.\u200b<\/p>\n\n\n\n

The Zero-Day Exploit: CVE-2025-61882<\/strong><\/h2>\n\n\n\n

The attack vector centers on a critical, unauthenticated remote code execution (RCE) vulnerability in Oracle E-Business Suite<\/a>.<\/p>\n\n\n\n

Security researchers indicate that Clop affiliates began exploiting this flaw as early as August 2025, months before Oracle released a patch in October 2025.<\/p>\n\n\n\n

The exploit chain specifically targets the OA_HTML\/SyncServlet<\/code> endpoint to bypass authentication, followed by malicious XSLT template injection via OA_HTML\/RF.jsp<\/code> to execute arbitrary commands.<\/p>\n\n\n\n

This “pre-auth” nature allowed attackers to compromise servers without valid credentials, granting them full control over sensitive ERP data.\u200b<\/p>\n\n\n\n

Vulnerability Detail<\/th>Technical Specification<\/th><\/tr><\/thead>
CVE ID<\/strong><\/td>CVE-2025-61882<\/td><\/tr>
Affected Product<\/strong><\/td>Oracle E-Business Suite (Versions 12.2.3 \u2013 12.2.14)<\/td><\/tr>
Vulnerability Type<\/strong><\/td>Unauthenticated Remote Code Execution (RCE)<\/td><\/tr>
CVSS Score<\/strong><\/td>9.8 (Critical)<\/td><\/tr>
Exploit Vector<\/strong><\/td>Authentication Bypass via SyncServlet<\/code> & XSLT Injection<\/td><\/tr>
Patch Status<\/strong><\/td>Patched (October 2025 Security Alert)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Extortion Campaign and High-Profile Victims<\/strong><\/h2>\n\n\n\n

Evidence from Clop’s leak site displays a “PAGE CREATED” status for ORACLE.COM, appearing alongside major entities such as MAZDA.COM, HUMANA.COM, and the Washington Post<\/a>.<\/p>\n\n\n\n

The listing of Oracle Corporation itself suggests the vendor may have fallen victim to its own software flaw, potentially exposing internal corporate data.<\/p>\n\n\n

\n
\"\"\/<\/figure><\/div>\n\n\n

Victims report receiving extortion emails from addresses like support@pubstorm[.]com, threatening the release of financial and personal records if ransom demands are not met.\u200b<\/p>\n\n\n\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

The notorious Clop ransomware gang has listed Oracle on its dark web leak site, alleging a successful breach of the tech giant’s internal systems. This development is part of a massive extortion campaign exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS), designated as CVE-2025-61882. The group, tracked as Graceful Spider, claims to have […]<\/p>\n","protected":false},"author":1,"featured_media":133955,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp","fifu_image_alt":"Oracle Breach Clop Ransomware","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2821,11],"tags":[149,151],"class_list":{"0":"post-133953","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-attack-news","8":"category-cyber-security-news","9":"tag-cyber-security","10":"tag-cyber-security-news"},"yoast_head":"\nOracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack<\/title>\n<meta name=\"description\" content=\"The notorious Clop ransomware gang has listed Oracle on its dark web leak site, alleging a successful breach of the tech giant's internal systems.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack\" \/>\n<meta property=\"og:description\" content=\"The notorious Clop ransomware gang has listed Oracle on its dark web leak site, alleging a successful breach of the tech giant's internal systems.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/\" \/>\n<meta property=\"og:site_name\" content=\"Cyber Security News\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Hackingtutorialsandnews\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/guruba008\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-21T03:38:16+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-21T03:38:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp\" \/><meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Guru Baran\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp\" \/>\n<meta name=\"twitter:creator\" content=\"@guruba008\" \/>\n<meta name=\"twitter:site\" content=\"@The_Cyber_News\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Guru Baran\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack","description":"The notorious Clop ransomware gang has listed Oracle on its dark web leak site, alleging a successful breach of the tech giant's internal systems.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/","og_locale":"en_US","og_type":"article","og_title":"Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack","og_description":"The notorious Clop ransomware gang has listed Oracle on its dark web leak site, alleging a successful breach of the tech giant's internal systems.","og_url":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/","og_site_name":"Cyber Security News","article_publisher":"https:\/\/www.facebook.com\/Hackingtutorialsandnews","article_author":"https:\/\/www.facebook.com\/guruba008","article_published_time":"2025-11-21T03:38:16+00:00","article_modified_time":"2025-11-21T03:38:38+00:00","og_image":[{"url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp","type":"","width":"","height":""},{"width":1600,"height":900,"url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp","type":"image\/jpeg"}],"author":"Guru Baran","twitter_card":"summary_large_image","twitter_image":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp","twitter_creator":"@guruba008","twitter_site":"@The_Cyber_News","twitter_misc":{"Written by":"Guru Baran","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/#article","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/"},"author":{"name":"Guru Baran","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026"},"headline":"Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack","datePublished":"2025-11-21T03:38:16+00:00","dateModified":"2025-11-21T03:38:38+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/"},"wordCount":313,"publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"image":{"@id":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/i1.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp?w=1600&resize=1600,900&ssl=1","keywords":["cyber security","cyber security news"],"articleSection":["Cyber Attack News","Cyber Security News"],"inLanguage":"en-US","copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/cybersecuritynews.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/","url":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/","name":"Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/#primaryimage"},"image":{"@id":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/i1.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp?w=1600&resize=1600,900&ssl=1","datePublished":"2025-11-21T03:38:16+00:00","dateModified":"2025-11-21T03:38:38+00:00","description":"The notorious Clop ransomware gang has listed Oracle on its dark web leak site, alleging a successful breach of the tech giant's internal systems.","breadcrumb":{"@id":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/#primaryimage","url":"https:\/\/i1.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp?w=1600&resize=1600,900&ssl=1","contentUrl":"https:\/\/i1.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp?w=1600&resize=1600,900&ssl=1","width":"1600","height":"900","caption":"Oracle Breach Clop Ransomware"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecuritynews.com\/oracle-breach-clop-ransomware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cybersecuritynews.com\/"},{"@type":"ListItem","position":2,"name":"Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack"}]},{"@type":"WebSite","@id":"https:\/\/cybersecuritynews.com\/#website","url":"https:\/\/cybersecuritynews.com\/","name":"Cyber Security News","description":"World's #1 Premier Cybersecurity and Hacking News Portal","publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecuritynews.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cybersecuritynews.com\/#organization","name":"Cyber Security News","url":"https:\/\/cybersecuritynews.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/","url":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","contentUrl":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","width":200,"height":200,"caption":"Cyber Security News"},"image":{"@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Hackingtutorialsandnews","https:\/\/x.com\/The_Cyber_News","https:\/\/www.linkedin.com\/company\/cybersecurity-news\/"]},{"@type":"Person","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026","name":"Guru Baran","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","caption":"Guru Baran"},"description":"Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.","sameAs":["https:\/\/cybersecuritynews.com","https:\/\/www.facebook.com\/guruba008","https:\/\/www.linkedin.com\/in\/gurubaran-cyberwrites\/","https:\/\/x.com\/guruba008"],"url":"https:\/\/cybersecuritynews.com\/author\/guru\/"}]}},"jetpack_featured_media_url":"https:\/\/i1.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsqqo1YB24Vyv2SsaO3Ticu2Beu5ZKBGN9ycOzWZa0XvTIXWbwB5bC_DJHKaEriKW_PWo2QRijKB-Y8g17fePmqnsBDHBpIV6xwb9AoCLvUQMrf7qD_Etw556b1t6ANIxqDjNPGlmZEEMpKYXHnjzCVefj35MjIOSSuf3kjCkkYJcs2GZXblXx8D5aeedP\/s16000\/Oracle%20Breach%20Clop%20Ransomware.webp?w=1600&resize=1600,900&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/133953","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/comments?post=133953"}],"version-history":[{"count":1,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/133953\/revisions"}],"predecessor-version":[{"id":133954,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/133953\/revisions\/133954"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media\/133955"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media?parent=133953"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/categories?post=133953"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/tags?post=133953"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}