The Clop ransomware group has conducted one of the largest extortion campaigns of 2025-2026, exploiting zero-day vulnerabilities in Oracle E-Business Suite (EBS) to breach nearly 100 organizations worldwide. Victims include major enterprises such as Allianz UK, GlobalLogic (Hitachi), Envoy Air (American Airlines), Harvard University, The Washington Post, and Logitech.
Campaign overview
| Attribute | Details |
|---|---|
| Threat actor | Clop (CL0P) / GRACEFUL SPIDER |
| Primary CVE | CVE-2025-61882 (CVSS 9.8) |
| Secondary CVE | CVE-2025-61884 (CVSS 7.5) |
| Exploitation start | July 10, 2025 (suspected) |
| Confirmed zero-day exploitation | August 9, 2025 |
| Victims | ~100 organizations |
| Ransom demands | Up to $50 million |
| Discovery | Google Threat Intelligence, Mandiant, CrowdStrike |
Timeline
| Date | Event |
|---|---|
| July 10, 2025 | Earliest suspicious activity detected |
| August 9, 2025 | Confirmed zero-day exploitation begins |
| September 29, 2025 | Extortion emails reach executives at affected organizations; Google/Mandiant begin tracking the campaign |
| October 4, 2025 | Oracle publishes a Security Alert and patch for CVE-2025-61882 |
| October 6, 2025 | CISA adds CVE-2025-61882 to the Known Exploited Vulnerabilities catalog |
| October 11, 2025 | Oracle releases emergency patch for CVE-2025-61884 |
| November 2025 | Mass victim notifications begin |
| January 2026 | Dartmouth College, University of Pennsylvania confirm breaches |
| February 2026 | Campaign continues; data leaked via Torrent |
The vulnerabilities
CVE-2025-61882 (Critical)
| Attribute | Value |
|---|---|
| CVSS score | 9.8 (Critical) |
| Component | BI Publisher Integration (Concurrent Processing) |
| Attack vector | Remote, unauthenticated |
| Impact | Arbitrary code execution |
| Affected versions | Oracle EBS 12.2.3 - 12.2.14 |
The vulnerability can be exploited over HTTP without credentials: no password or prior login is needed, and any client that can reach the EBS web tier can obtain arbitrary code execution on the application server.
CVE-2025-61884 (High)
| Attribute | Value |
|---|---|
| CVSS score | 7.5 (High) |
| Component | Oracle Configurator Runtime UI |
| Attack vector | Remote, unauthenticated |
| Impact | Sensitive configuration data access |
| Endpoint | UiServlet |
| CISA KEV | Added to the Known Exploited Vulnerabilities catalog following disclosure |
This secondary vulnerability lets an unauthenticated remote attacker read sensitive data through the Oracle Configurator Runtime UI. It carries a lower CVSS score than CVE-2025-61882, but it sits in the same web tier and Oracle shipped its fix as a separate emergency alert, so a system patched only for CVE-2025-61882 remains exposed to it.
Confirmed victims
Financial services
| Organization | Subsidiary | Impact |
|---|---|---|
| Allianz UK | Liverpool Victoria (LV=) | 750 customers affected |
| Other insurers | Multiple | Under investigation |
Allianz UK confirmed 80 current customers and 670 previous customers were affected. The attackers accessed systems managing home, car, pet, and travel insurance policies.
Technology and services
| Organization | Parent company | Status |
|---|---|---|
| GlobalLogic | Hitachi | Thousands of employees notified |
| Logitech | N/A | Data leaked |
GlobalLogic notified thousands of employees about the compromise and implemented Oracle’s recommended mitigations.
Transportation
| Organization | Parent company | Data affected |
|---|---|---|
| Envoy Air | American Airlines | No sensitive/customer data (confirmed) |
Envoy Air stated: “We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected.”
Education
| Institution | Records affected | Status |
|---|---|---|
| Harvard University | Unknown | Data leaked |
| Dartmouth College | 40,000+ | Confirmed breach |
| University of Pennsylvania | Unknown | Confirmed breach |
Media
| Organization | Status |
|---|---|
| The Washington Post | Data leaked, available via Torrent |
Attack methodology
Exploitation chain
| Phase | Action |
|---|---|
| 1 | Scan for internet-exposed Oracle EBS instances |
| 2 | Exploit CVE-2025-61882 for initial access |
| 3 | Establish persistence |
| 4 | Exfiltrate sensitive data |
| 5 | Deploy extortion notice |
| 6 | Leak data if ransom not paid |
Data-only extortion model
Unlike traditional ransomware that encrypts files, Clop's Oracle EBS campaign follows the group's data theft and extortion model:
| Traditional ransomware | Clop Oracle EBS campaign |
|---|---|
| Encrypt files | No encryption |
| Demand decryption payment | Demand payment to prevent leak |
| Operational disruption | Minimal operational impact |
| Rapid detection | Slower detection (exfiltration only) |
This approach mirrors Clop’s previous MOVEit campaign tactics.
Attribution
CrowdStrike assessment
CrowdStrike tracks the campaign with moderate confidence attribution to GRACEFUL SPIDER (Clop), noting they “cannot rule out the possibility that multiple threat actors have exploited CVE-2025-61882.”
Google/Mandiant assessment
Google Threat Intelligence Group and Mandiant confirmed the campaign is conducted by actors “claiming affiliation with the CL0P extortion brand.”
Clop’s history of mass exploitation
| Campaign | Year | Vulnerability | Victims |
|---|---|---|---|
| Accellion FTA | 2021 | CVE-2021-27101, etc. | ~100 |
| GoAnywhere MFT | 2023 | CVE-2023-0669 | ~130 |
| MOVEit Transfer | 2023 | CVE-2023-34362 | ~2,700 organizations, 95M individuals |
| Oracle EBS | 2025-2026 | CVE-2025-61882, CVE-2025-61884 | ~100 |
The Oracle EBS campaign follows Clop’s established pattern of exploiting enterprise file transfer and ERP software zero-days for mass data theft.
Ransom demands
| Factor | Details |
|---|---|
| Maximum demand reported | $50 million |
| Payment method | Cryptocurrency |
| Negotiation | Via Clop leak site |
| Data release | Torrent links if unpaid |
According to Halcyon, Clop’s ransom demands in this campaign reached up to $50 million for some victims.
Detection and hunting
Network indicators
| Indicator type | What to monitor |
|---|---|
| Oracle EBS access | Requests to BI Publisher/Concurrent Processing and Configurator endpoints (e.g. UiServlet) from external addresses, or with scripted user agents |
| Data exfiltration | Large or sustained outbound transfers from EBS application servers to unfamiliar destinations |
| External access | Any EBS web tier reachable from the internet |
| C2 traffic | Outbound connections initiated by the EBS application tier, including to known Clop infrastructure |
Log analysis
| Log source | Search for |
|---|---|
| Oracle EBS audit logs | Unexpected access to sensitive tables or reports outside normal business patterns |
| Web server (OHS) access logs | Requests to the vulnerable endpoints since July 10, 2025 |
| Network logs | Large data transfers from EBS hosts to external IPs |
| Authentication logs | Anomalous use of application or database accounts following a suspicious request |
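The two tables above can be turned into a hunt that runs over exported logs. The script below is an added example for this page, not tooling from Oracle, Google/Mandiant or CrowdStrike. It assumes the EBS web tier (Oracle HTTP Server) writes Apache combined-format access logs, that outbound flows are available as (host, destination, bytes) records from a firewall or NetFlow collector, and that the organization's internal ranges are RFC 1918. UiServlet is the endpoint the page names for CVE-2025-61884; `/OA_HTML/SyncServlet` is taken from public analysis of the CVE-2025-61882 exploit chain. The sample log lines, flow records and host names are constructed.

```python
"""Hunt Oracle EBS access logs and outbound flows for the indicators above.
Added example; not tooling from Oracle, Google/Mandiant or CrowdStrike.
All sample data below is constructed, not real telemetry."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Earliest suspicious activity reported by Google/Mandiant (see timeline).
EXPLOITATION_WINDOW_START = datetime(2025, 7, 10, tzinfo=timezone.utc)

# UiServlet is the Oracle Configurator endpoint named for CVE-2025-61884;
# SyncServlet is the path public analysis reports in the CVE-2025-61882 chain.
SUSPICIOUS_PATHS = ("/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet")

# Assumption: the organization's internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Apache/OHS combined log format; referer and user agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample access log (internal users plus one external scripted client).
SAMPLE_ACCESS_LOG = """\
10.20.30.40 - - [05/Aug/2025:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.30.41 - - [02/Jun/2025:11:05:44 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.17 - - [09/Aug/2025:02:41:33 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.17 - - [09/Aug/2025:02:41:35 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 78 "-" "python-requests/2.31"
10.20.30.41 - - [09/Aug/2025:08:00:10 +0000] "GET /OA_HTML/RF.jsp?function_id=1234 HTTP/1.1" 200 40000 "-" "Mozilla/5.0"
"""

# Constructed flow records: (ebs_host, destination_ip, bytes_out).
SAMPLE_FLOWS = [
    ("ebs-app-01", "10.20.30.50", 45_000_000),      # nightly backup, internal
    ("ebs-app-01", "203.0.113.17", 1_900_000_000),  # 1.9 GB to the IP that hit UiServlet
    ("ebs-app-01", "198.51.100.8", 12_000_000),     # small outbound transfer
]


def is_external(ip_str, internal_nets=INTERNAL_NETS):
    """True when the address is outside the declared internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in internal_nets)


def parse_access_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        e["path"] = e["path"].split("?", 1)[0]  # drop the query string
        entries.append(e)
    return entries


def hunt_access_log(entries):
    """Flag hits on the suspicious endpoints inside the exploitation window.
    External sources are high severity; internal hits may be legitimate use."""
    findings = []
    for e in entries:
        if e["path"] not in SUSPICIOUS_PATHS or e["ts"] < EXPLOITATION_WINDOW_START:
            continue
        findings.append({
            "kind": "suspicious_endpoint",
            "severity": "high" if is_external(e["ip"]) else "medium",
            "src": e["ip"], "path": e["path"], "status": e["status"],
            "ua": e["ua"] or "", "when": e["ts"].isoformat(),
        })
    return findings


def hunt_exfiltration(flows, threshold_bytes=500_000_000):
    """Sum outbound bytes per (host, external destination); flag totals over threshold."""
    totals = defaultdict(int)
    for host, dst, nbytes in flows:
        if is_external(dst):
            totals[(host, dst)] += nbytes
    return [{"kind": "large_outbound", "severity": "high", "src": host, "dst": dst, "bytes": total}
            for (host, dst), total in totals.items() if total >= threshold_bytes]


def run_hunt(access_log_text=SAMPLE_ACCESS_LOG, flows=SAMPLE_FLOWS):
    """Combine both hunts; exfiltration to an IP that also hit a vulnerable
    endpoint is escalated to critical."""
    log_findings = hunt_access_log(parse_access_log(access_log_text))
    flow_findings = hunt_exfiltration(flows)
    attacker_ips = {f["src"] for f in log_findings if f["severity"] == "high"}
    for f in flow_findings:
        if f["dst"] in attacker_ips:
            f["severity"] = "critical"
    return log_findings + flow_findings


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding["severity"].upper(), finding)
```

The June hit on UiServlet from an internal address is dropped because it predates the window, while the two external requests from the scripted client are flagged and the 1.9 GB transfer to that same address is escalated. Replace `INTERNAL_NETS`, the threshold and the sample data with your own ranges and exports.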
Immediate actions
| Priority | Action |
|---|---|
| Critical | Apply Oracle's Security Alert patches for CVE-2025-61882 and CVE-2025-61884 (or a later cumulative EBS Critical Patch Update) |
| Critical | Verify EBS is not internet-exposed |
| High | Review audit logs for exploitation indicators |
| High | Engage incident response if compromise suspected |
Patch verification
| CVE | Patch source |
|---|---|
| CVE-2025-61882 | Oracle Security Alert (October 4, 2025); requires the October 2023 Critical Patch Update as a prerequisite |
| CVE-2025-61884 | Oracle Security Alert (October 11, 2025) |
Both fixes are carried into later cumulative EBS Critical Patch Updates; systems that have not taken a CPU since October 2025 need the alert patches applied individually, and confirming only one of the two leaves the other exposure open.
Long-term hardening
| Control | Purpose |
|---|---|
| Network segmentation | Isolate EBS from internet |
| Web application firewall | Filter malicious requests |
| Data loss prevention | Detect exfiltration attempts |
| Regular patching | Apply CPU updates promptly |
Recommendations
For organizations running Oracle EBS
| Priority | Action |
|---|---|
| Critical | Confirm patches applied for both CVEs |
| Critical | Verify no internet exposure |
| High | Conduct threat hunting for IOCs |
| High | Review data access logs since July 2025 |
| Medium | Engage third-party assessment if uncertain |
For potentially affected organizations
| Priority | Action |
|---|---|
| Critical | Assume breach if unpatched during exploitation window |
| High | Engage incident response |
| High | Prepare breach notification |
| High | Monitor Clop leak site for data appearance |
| Medium | Consider legal and regulatory obligations |
Context
The Clop Oracle EBS campaign demonstrates the group’s continued focus on enterprise software zero-days as a mass exploitation vector. Following their devastating MOVEit campaign in 2023, Clop has refined their approach to target widely-deployed enterprise applications where a single vulnerability can yield access to dozens or hundreds of organizations.
The campaign’s targeting of financial services (Allianz UK), technology companies (GlobalLogic, Logitech), transportation (Envoy Air), education (Harvard, Dartmouth, Penn), and media (Washington Post) shows Clop’s opportunistic approach—any organization running vulnerable Oracle EBS was a potential target.
Organizations using Oracle E-Business Suite should verify patching status immediately and assume potential compromise if systems were internet-accessible during the exploitation window (July-October 2025).