Cybercriminals have publicly named nearly 30 organizations allegedly compromised in a recent campaign targeting Oracle's E-Business Suite customers, with major companies including Logitech, The Washington Post, and Cox Enterprises appearing on the Cl0p ransomware leak site.
The Cl0p ransomware group has listed 29 alleged victims of a campaign targeting customers of Oracle's E-Business Suite (EBS) enterprise resource planning software. The campaign, believed to have been conducted by the financially motivated threat actor FIN11, began with extortion emails sent to executives at dozens of organizations in late September. Organizations named include Harvard University, South Africa's Wits University, American Airlines subsidiary Envoy Air, The Washington Post, Schneider Electric, Emerson, Logitech, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland. Other alleged victims span the mining, professional services, wastewater, construction, insurance, financial, manufacturing, transportation, technology, automotive, energy, and HVAC sectors. The cybercriminals have leaked data allegedly stolen from 18 victims, with some leaks containing hundreds of gigabytes or even several terabytes of files.
The cybersecurity community had previously linked Cl0p to FIN11, and the decision to use Cl0p as the public-facing entity for this campaign was likely motivated by its prior involvement in similar high-impact operations. The group has conducted mass-exploitation attacks against customers of Cleo, Progress MOVEit Transfer, and Fortra GoAnywhere file transfer products, establishing a pattern of exploiting vulnerabilities in widely used enterprise software to hit many organizations at once.
Attack details:
Victim confirmation status:
Data leaked:
Charles Carmakal, CTO of Mandiant (part of Google Cloud, whose Google Threat Intelligence Group is abbreviated GTIG below), said, "It is critical to note that while the tactics align with an extortion motive and the actor is explicitly claiming this connection, GTIG does not currently have sufficient evidence to definitively assess the veracity of these claims."
Carmakal further stated, "Attribution in the financially motivated cybercrime space is often complex, and actors frequently mimic established groups like Clop to increase leverage and pressure on victims."
This campaign illustrates the risk that comes with enterprise software vulnerabilities: a single flaw in a widely deployed product can compromise many organizations across many industries. The fact that CVE-2025-61882 was exploited as a zero-day for at least two months before a patch became available reveals an exposure window that threat actors actively monitored and used. The attackers' deliberate use of the Cl0p brand, whose credibility rests on previous mass-exploitation campaigns such as MOVEit, shows how ransomware groups build reputations that amplify the pressure on victims to pay. For organizations still investigating or remaining silent, the campaign shows that delayed disclosure does not prevent public exposure when attackers control the narrative through leak sites.
Organizations using Oracle EBS should verify that they have applied the patches for CVE-2025-61882 and CVE-2025-61884, investigate whether they were compromised during the zero-day window that predates those patches (patching closes the entry point but does not evict an attacker who is already inside, so a review of web-tier access logs, application accounts, and outbound data transfers from that period is still required), and prepare incident response plans that account for public disclosure by the attackers rather than by the victim. More broadly, organizations need defense-in-depth controls, such as keeping the EBS web tier off the public internet and monitoring it for anomalous access, that can detect exploitation attempts even before a vulnerability is known or patched.
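As a concrete starting point for the log review recommended above, the following script is an added illustration and not Oracle or Cl0p-related tooling. It triages web-server access logs from an EBS front end by flagging requests to the EBS web tier (whose real entry path is `/OA_HTML/`) that arrived from outside the organization's own address space during the pre-patch exposure window. The window dates, the trusted address ranges, the servlet name in the sample and the log lines themselves are constructed assumptions for the example; the article only states that the flaw was exploited for at least two months before the patch.

```python
"""Triage helper: flag requests to an Oracle EBS web tier that came from
outside the organisation's networks during the pre-patch exposure window.

Added example, not Oracle's own tooling. Window, trusted ranges and sample
log lines below are assumptions constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Assumed exposure window. The article says the zero-day was used for at least
# two months before the patch shipped; substitute the dates that apply to you.
WINDOW_START = datetime(2025, 8, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 10, 15, tzinfo=timezone.utc)

# Assumed internal ranges (RFC 1918). EBS is an internal ERP; its web tier
# should not normally be answering arbitrary internet clients at all.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# /OA_HTML/ is the EBS web-tier entry point; only requests under it are inspected.
EBS_PREFIX = "/OA_HTML/"

# Apache/OHS combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def is_trusted(ip):
    """True if the source address falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def suspicious_requests(lines, start=WINDOW_START, end=WINDOW_END):
    """Requests to the EBS web tier, inside the window, from untrusted sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        if not rec["path"].startswith(EBS_PREFIX) or is_trusted(rec["ip"]):
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Group flagged requests by source IP with count, time span, paths and statuses."""
    by_ip = {}
    for h in hits:
        s = by_ip.setdefault(h["ip"], {"count": 0, "first": h["ts"], "last": h["ts"],
                                       "paths": set(), "statuses": set()})
        s["count"] += 1
        s["first"] = min(s["first"], h["ts"])
        s["last"] = max(s["last"], h["ts"])
        s["paths"].add(h["path"])
        s["statuses"].add(h["status"])
    return by_ip


# Constructed sample log lines (documentation addresses; ExampleServlet is a placeholder).
SAMPLE_LOG = [
    '10.20.30.40 - - [05/Sep/2025:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Sep/2025:03:14:07 +0000] "POST /OA_HTML/ExampleServlet HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.77 - - [12/Sep/2025:03:14:09 +0000] "POST /OA_HTML/ExampleServlet HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [20/Jul/2025:11:00:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Oct/2025:22:45:30 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/8.4"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, s in summarize(suspicious_requests(SAMPLE_LOG)).items():
        print(f"{ip}: {s['count']} requests, {s['first']} .. {s['last']}, "
              f"paths={sorted(s['paths'])}, statuses={sorted(s['statuses'])}")
```

Only the two external POSTs during the window are flagged; the internal login, the out-of-window request and the non-EBS path are ignored. If the EBS web tier sits behind a load balancer or reverse proxy, the first field will be the proxy's address, so switch the source to the `X-Forwarded-For` header your proxy logs before trusting the result, and treat a flagged source as a lead for deeper investigation (session and audit tables, outbound transfers), not as proof of compromise.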
The attackers exploited zero-day vulnerabilities in Oracle EBS that allowed remote access without authentication.
CVE-2025-61882 and CVE-2025-61884 are both vulnerabilities in Oracle EBS that can expose sensitive data if left unpatched.
CVE-2025-61882 was reportedly exploited for at least two months prior to the patch release.
The leaked data included large volumes of files likely originating from the victims' Oracle EBS environments.