Everything You Need to Know About the Oracle Data Breach

On November 20 and 21, the Cl0p extortion group named nearly 30 more major organizations whose data it claims to have stolen by exploiting Oracle’s E-Business Suite.


Article Highlights:

  • The cybercriminal organization known as Cl0p has exploited a zero-day vulnerability in Oracle’s E-Business Suite, leading to critical data breaches for dozens of large corporations. The ransomware group is asking for significant payouts from some of the world’s largest companies, allegedly including Broadcom, Estée Lauder, Mazda, and Canon. 
  • A zero-day vulnerability is a security gap in a piece of software, hardware, or firmware that’s unknown to its developers and therefore susceptible to exploitation by cybercriminals and other malicious actors. 
  • To date, over 100 companies have been impacted by Cl0p’s Oracle EBS attacks. In a 24-hour period between November 20 and November 21, the group reportedly named 29 additional organizations as victims, claiming to have exfiltrated their data. These companies are headquartered everywhere from the U.S. to Japan to Saudi Arabia, and include several corporations valued at hundreds of billions of dollars. 

On Thursday, November 20, and into the following day, the cybercriminal organization known as Cl0p named dozens of large corporations as victims of its campaign against Oracle E-Business Suite customers, a campaign built on zero-day vulnerabilities in that software. The ransomware group is demanding significant payouts from some of the world’s largest companies, allegedly including Broadcom, Estée Lauder, Mazda, and Canon. In an email sent by Cl0p and obtained by the media, the cybercriminals emphasize that they “do not seek political power or care about any business.” Rather, the organization’s sole objective is to coerce the targeted companies to “pay claimed sum.”

Who Is Cl0p?

The cybercriminal group that has claimed responsibility for the attacks on Oracle E-Business Suite customers calls itself Cl0p. The Russian-speaking group has been active since at least 2019 and has run many large-scale ransomware and data-theft extortion campaigns since then, including the 2023 mass exploitation of a zero-day in Progress MOVEit Transfer, which followed the same playbook as the Oracle EBS campaign. Cl0p is notorious for its sophisticated extortion techniques and advanced malware, and has extorted more than $500 million to date. 

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which also tracks the group as TA505, Cl0p “is known for frequently changing malware and driving global trends in criminal malware distribution.” Widely considered “one of the largest phishing and malspam distributors worldwide,” Cl0p has compromised more than 8,000 organizations worldwide, including some 3,000 in the U.S., since it first appeared six years ago. 

What Is a Zero-Day Vulnerability, and How Did Cl0p Exploit It?

A zero-day vulnerability is a security gap in a piece of software, hardware, or firmware that is unknown to its developers, and therefore open to exploitation by cybercriminals and other malicious actors before any fix exists. As the University of Tennessee Office of Innovative Technologies aptly puts it:

“A zero-day vulnerability is like a hidden trapdoor in your favorite app or operating system.”

The term “zero-day” refers to the amount of time the vendor has had to fix the flaw: zero days, because developers, cybersecurity experts, and other stakeholders learn of it only once it is already being exploited. Because no one knows the gap exists, there is no patch to apply, and this blind spot lets attackers use the vulnerability to steal and exfiltrate sensitive data, plant malware, and pursue a variety of other objectives. 

In the Oracle E-Business Suite campaign, Cl0p has exploited two vulnerabilities that were zero-days when the attacks began. Both affect Oracle EBS versions 12.2.3 through 12.2.14, and both have since been patched by Oracle (see the mitigation section below), so any instance in that range that is still unpatched is exposed to a publicly known, actively exploited flaw. 

  • CVE-2025-61882: This CVE (Common Vulnerabilities and Exposures) identifier tracks a flaw in the BI Publisher Integration component of Oracle E-Business Suite (Oracle Concurrent Processing). According to the UK’s National Cyber Security Centre, it allows unauthenticated attackers to “send specially crafted HTTP requests to the affected component resulting in full system compromise.” Oracle rates it CVSS 9.8; it is the bug that gave Cl0p unauthenticated remote code execution, and thus direct control of the targeted application servers. 
  • CVE-2025-61884: This vulnerability is in the Runtime user interface (UI) component of Oracle Configurator, which ships with Oracle E-Business Suite. According to CISA, the CVE “allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator.” Oracle rates it CVSS 7.5: successful exploitation gives an unauthenticated attacker unauthorized access to critical or sensitive data rather than code execution. 
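The two advisories share one actionable detail, the affected version range, and the first question a defender has to answer is “which of our EBS instances are in that range and still missing the Security Alert patches?” The following Python script is an added illustration written for this article; it is not code from Oracle, CISA, or any vendor tool. It assumes a hand-maintained inventory (the sample instances below are constructed) in which each instance records its EBS version and which Security Alert patches it has applied, keyed by CVE ID rather than by Oracle’s real patch numbers. It also shows a pitfall that silently hides affected systems: compared as strings, 12.2.14 sorts before 12.2.3.

```python
"""Added triage helper for the Oracle EBS Security Alerts (illustrative, not
Oracle's or CISA's code). Flags EBS instances inside the affected range
12.2.3 .. 12.2.14 that have not recorded the patch for each CVE. The patch
bookkeeping model and the sample inventory are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)
# Security Alerts this script checks, keyed by CVE ID (an assumption: real
# inventories would track Oracle patch numbers instead).
ALERT_CVES = ("CVE-2025-61882", "CVE-2025-61884")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.2.14' into (12, 2, 14).

    Comparing version strings lexically is a classic inventory bug:
    '12.2.14' < '12.2.3' as strings, so 12.2.14 would look unaffected.
    Tuples of ints compare component by component, which is what we want.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable EBS version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version lies inside the range Oracle lists as affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class EbsInstance:
    name: str
    version: str
    internet_facing: bool
    # CVE IDs whose Security Alert patch is recorded as applied (constructed model).
    applied_alerts: frozenset = field(default_factory=frozenset)


def missing_alerts(inst: EbsInstance) -> list[str]:
    """CVEs for which this instance is affected and still unpatched."""
    if not is_affected(inst.version):
        return []
    return [cve for cve in ALERT_CVES if cve not in inst.applied_alerts]


def triage(inventory: list[EbsInstance]) -> list[tuple[str, str, list[str]]]:
    """Return (name, priority, missing_cves) for every instance needing work,
    most urgent first. Priority rule is an assumption that mirrors Oracle's
    description of CVE-2025-61882 as unauthenticated and remotely exploitable."""
    findings = []
    for inst in inventory:
        missing = missing_alerts(inst)
        if not missing:
            continue
        if inst.internet_facing and "CVE-2025-61882" in missing:
            priority = "critical"   # reachable by anyone, full compromise
        elif inst.internet_facing:
            priority = "high"       # reachable, data exposure via CVE-2025-61884
        else:
            priority = "medium"     # internal only, still must be patched
        findings.append((inst.name, priority, missing))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f[1]], f[0]))
    return findings


# Constructed sample inventory; names and versions are made up.
SAMPLE_INVENTORY = [
    EbsInstance("ebs-prod-erp", "12.2.14", True),
    EbsInstance("ebs-prod-hr", "12.2.9", True, frozenset({"CVE-2025-61882"})),
    EbsInstance("ebs-dev", "12.2.3", False),
    EbsInstance("ebs-legacy", "12.1.3", True),                 # outside the range
    EbsInstance("ebs-patched", "12.2.12", True, frozenset(ALERT_CVES)),
]

if __name__ == "__main__":
    for name, prio, missing in triage(SAMPLE_INVENTORY):
        print(f"{prio:8} {name:14} missing: {', '.join(missing)}")
```

Run as a script it prints the three instances that still need work, in priority order; ebs-legacy is on a version outside the range the advisories list and is left alone, and ebs-patched has both alert patches recorded. The version-tuple comparison is the part worth keeping: an inventory that sorts versions as strings would report the 12.2.14 production server as clean.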

How Long Has the Cybercriminal Group Been Exploiting Oracle?

Cl0p’s extortion campaign against Oracle E-Business Suite customers dates back to late September, when the group began emailing executives at affected companies with ransom demands. The underlying intrusions are older: Google Threat Intelligence Group and Mandiant, which investigated the campaign, have reported evidence of exploitation going back to August 2025, weeks before any victim was contacted and well before Oracle’s October patches.

Over the past two months the group’s victim list has grown steadily, and Cl0p now lists over 100 targeted organizations from the Oracle EBS campaign alone. Datasets for 77 of those companies have already been published via torrents, distributed as .torrent files or magnet links. 

What Companies Were Impacted by the Ransomware Attack?

To date, over 100 companies have allegedly been impacted by Cl0p’s Oracle EBS attacks. In a 24-hour period between November 20 and November 21, the group reportedly named 29 additional organizations as victims, claiming to have exfiltrated their data. These companies are headquartered everywhere from the U.S. to Japan to Saudi Arabia, and include several corporations valued at hundreds of billions of dollars. 

Organizations Cl0p Listed as Alleged Victims on November 20 and 21

  • Oracle
  • Michelin
  • Broadcom
  • The Estée Lauder Companies
  • Humana
  • Fruit of the Loom
  • Abbott Laboratories 
  • Grupo Bimbo
  • A10
  • Envoy
  • Canon
  • Greater Cleveland RTA
  • Frontrol
  • MAS Holdings
  • Trane Technologies
  • Treet Corp
  • University of Phoenix
  • L&L Products
  • Worley
  • Mazda 
  • Fleet Management Limited
  • Alshaya Group
  • Bechtel Corporation
  • WellBiz Brands, Inc.
  • Dooney & Bourke
  • Greenball
  • Sumitomo Chemical
  • Aljomaih Automotive Company (AAC)

What Is Being Done to Mitigate the Cyberattacks?

Beginning in early October, Oracle has issued two Security Alerts covering the vulnerabilities exploited in the Cl0p campaign. The first addressed CVE-2025-61882. “This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle explained in its security alert. “Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.” The alert included a patch availability document explaining how to obtain and install the fix. One caveat practitioners should note: the Security Alert patches require that the October 2023 Critical Patch Update already be applied, so an instance that has fallen behind on quarterly CPUs cannot apply the alert patch on its own and needs more lead time than the alert alone suggests. 

Oracle’s second Security Alert addressed CVE-2025-61884. It likewise included patch availability documentation and urged customers to apply the updates as soon as possible to avoid a major security breach or other negative consequences. 

What Is Cl0p Threatening to Do If Companies Do Not Comply?

Based on the wording of the Cl0p email published by Mandiant, the Google-owned cybersecurity firm, Cl0p’s main source of leverage is the sensitive data it has exfiltrated from victims’ Oracle EBS systems. In the message, the cybercriminal group warns that companies that don’t pay the ransom will see their customer data released, either through sales to “black actors,” publication on the group’s blog, or through torrent trackers. 

Mandiant also issued an important statement regarding the modus operandi of the cybercriminal group. The cybersecurity firm explained that in past campaigns carried out by Cl0p, “actors have typically waited several weeks before posting victim data.” This would suggest that the companies victimized by the group’s latest attack have some time before customer data is leaked in one of the formats Cl0p historically leverages.

See Your Supplier Vulnerabilities With Z2Data

For original equipment manufacturers (OEMs) and other businesses, supplier risk is a dynamic and unpredictable supply chain variable. As the Oracle zero-day vulnerability attacks reveal, businesses can suffer major consequences stemming from disruptions to their suppliers, and immediate recourse isn’t always possible. Over the past six weeks, Fortune 500 companies like Broadcom, Abbott Laboratories, and Estée Lauder have all reportedly suffered significant data breaches due to the vulnerability posed by their software supplier, Oracle.

Susceptibility to supplier vulnerabilities doesn’t need to be the status quo. Companies can utilize a supply chain risk management (SCRM) platform to fortify themselves against potential risks posed by their suppliers. SCRM tool Z2Data maintains a comprehensive risk hub that contains risk assessments on over 100,000 worldwide suppliers. Each assessment rolls up 12 unique factors to arrive at a multidimensional evaluation of the threat posed by a specific supplier. Risk factors analyzed by Z2Data include:

  • Sourcing Dependency
  • Tariff Impact
  • Trade Compliance
  • Geopolitical Risk
  • Manufacturing Operations
  • Financial Health
  • Bankruptcy Risk
  • ESG Risk
  • Cybersecurity
  • Data Transparency
  • Materials
  • Electronic Supply Chain Risk

Using Z2Data’s Risk Hub, organizations have the visibility and intelligence to identify risks proactively, before they develop into irreversible supply chain crises. To learn more about Z2Data and its supplier risk analysis capabilities, schedule a free trial with one of our product experts.

The Z2Data Solution

Z2Data’s integrated platform is a holistic, data-driven supply chain risk management solution that brings data intelligence to your engineering, sourcing, supply chain, compliance, ESG, and business leadership teams. It enables rapid, informed strategic decisions to manage and mitigate supply chain risk in a volatile global marketplace and to build resiliency and sustainability into your operational DNA.

Our proprietary technology, augmented with human and artificial intelligence (AI), delivers essential data, impactful analytics, and market insight in a flexible platform with built-in collaboration tools that integrates into your workflow.

Get started with a free trial!
