Google Issues Alert on CL0P Ransomware Actively Exploiting Oracle E-Business Suite Zero-Day

Organizations using Oracle E-Business Suite must apply the October 4 emergency patches immediately to mitigate active, in-the-wild exploitation by CL0P extortion actors and hunt for malicious templates in their databases.

Beginning September 29, 2025, Google Threat Intelligence Group (GTIG) and Mandiant identified a massive email campaign targeting executives at dozens of organizations, alleging theft of sensitive data from Oracle E-Business Suite (EBS) environments.

The extortion messages, sent from hundreds of compromised third-party accounts, included legitimate file listings dating back to mid-August. Although no victims have yet appeared on the CL0P DLS, past campaigns suggest data may be published several weeks after the initial outreach.

On October 2, Oracle reported that exploited vulnerabilities had been patched in July’s Critical Patch Update and urged customers to apply the latest CPU immediately.

Two days later, Oracle released emergency fixes specifically addressing CVE-2025-61882 and reiterated the need to stay current ...