I would like to share something pretty serious. Clop, a ransomware group, may have gained access to Oracle E-Business Suite through a new zero-day vulnerability (a 0-day). My immediate thought was, “How did they even do that?”
What We Know
In a report, security researchers explained that the vulnerability (CVE-2025-61882) is very dangerous because it allows an attacker to get into Oracle E-Business Suite without any credentials. Essentially, an attacker can walk in like they live there. Clop has been using this vulnerability since August 2025, stealing large amounts of company data and demanding money from the affected companies. Additionally, the security team at Google said that Clop had emailed company executives about files the group claimed to have stolen.
How the Hack Works
The attack, as described by experts, came in stages. Clop combined this 0-day vulnerability with additional techniques to gain full control. They also use fileless malware, meaning the attack does not install traditional files on disk. Instead, they hide small programs inside running Java processes, including:
- GOLDVEIN.JAVA
- SAGEWAVE
- SKYLANE
Oracle’s Response
Oracle did not remain silent. It quickly issued an emergency patch to fix the vulnerability. This patch applies to Oracle E-Business Suite versions 12.2.3 to 12.2.14. Oracle called for customers to:
- Install security updates
- Install the new emergency patch
- Investigate their systems for indicators of compromise (IOCs), which point to the possible presence of an attacker
Why This Is a Big Deal
This is not a small story. This is a zero-day attack, meaning no one knew about this bug until the attacker used it. Companies use Oracle E-Business Suite for critical functions like finance, HR, supply chain, and customer management. If attackers get in there, they can do a lot of damage. What makes this scarier is that the exploit code is now in the wild, meaning the chances of other attackers trying the same attack are higher.