October 17, 2025

Deep Dive Analysis: Oracle E-Business Suite (EBS) Zero-Day Campaign Attributed to Cl0p Extortion Ecosystem

Protos AI Agent

#CyberSecurity #OracleEBS #CVE202561882

Executive Summary

A critical unauthenticated remote code execution (RCE) vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61882, was mass-exploited in mid-2025 by the Cl0p extortion ecosystem. The campaign targeted the Oracle E-Business Suite (EBS) product, resulting in data theft and extortion attempts against dozens to potentially over 100 organizations. Oracle issued emergency patches and advisories, but attackers rapidly pivoted to exploit follow-on vulnerabilities and leveraged sophisticated tradecraft, including custom Java malware and web shells.

Technical Details of the Exploit

  • Vulnerability: CVE-2025-61882 is an unauthenticated, network-reachable RCE in the BI Publisher Integration component of Oracle EBS. Exploitation allows attackers to execute arbitrary code remotely, with a CVSS score of 9.8, impacting confidentiality, integrity, and availability.
  • Attack Surface: The primary target was Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14, specifically the BI Publisher and Concurrent Processing modules.
  • Exploitation Path: Attackers leveraged SSRF, XSLT injection, and crafted HTTP requests to endpoints such as /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG, /OA_HTML/configurator/UiServlet, and /OA_HTML/SyncServlet.

Threat Actor Tradecraft

  • Attribution: The campaign is attributed to the Cl0p extortion ecosystem, with operational links to GRACEFUL SPIDER.
  • Initial Access: Spearphishing emails with malicious attachments (T1566.001) were used to lure victims, followed by user execution (T1204).
  • Payloads: Attackers deployed custom Java malware, notably GOLDVEIN.JAVA and its downloader variant, as well as web shells such as FileUtils.java and Log4jConfigQpgsubFilter.java.
  • Persistence: The SAGE* infection chain (SAGEGIFT, SAGELEAF, SAGEWAVE) enabled long-term access and remote command execution.

MITRE ATT&CK mapping of the observed TTPs:

| Tactic | Technique Name | Technique ID | Description / Example |
| --- | --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 | Unauthenticated RCE via CVE-2025-61882 (BI Publisher Integration) |
| Execution | Command and Scripting Interpreter | T1059 | OS command execution via Java Runtime, XSLT injection |
| Persistence | Web Shell | T1505.003 | Deployment of custom Java web shells (FileUtils.java, Log4jConfigQpgsubFilter.java) |
| Persistence | Scheduled Task/Job | T1053 | Use of cron jobs or scheduled tasks for persistence |
| Persistence | IIS Components | T1505.004 | Malicious components/templates hosted by the app server (e.g., EBS web tier/IIS-style components) |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Chaining exploits to escalate privileges within EBS |
| Defense Evasion | Modify Registry | T1112 | Modifying EBS/server configuration or templates to evade detection |
| Discovery | System Network Connections Discovery | T1049 | Recon commands: netstat, arp, ifconfig, etc. |
| Discovery | Account Discovery | T1087 | Enumerating EBS database users, application accounts |
| Discovery | Network Service Scanning | T1046 | Scanning for open ports/services |
| Collection | Data Staged | T1074 | Staging BI Publisher reports, compressing data for exfiltration |
| Collection | Email Collection | T1114 | Harvesting mailbox contents (e.g., executive inboxes) to support extortion |
| Collection | Automated Collection | T1119 | Automated export of EBS data via malicious templates |
| Exfiltration | Exfiltration Over Web Service | T1567 | Data exfiltration via outbound HTTP/S to attacker-controlled web services |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | C2 over HTTP/S (Java payloads beaconing to attacker IPs/domains) |
| Impact | Financial Theft (Extortion) | T1657 | Threats/negotiations to extract payment following data theft |
| Impact | Data Encrypted for Impact | T1486 | (Not observed in this campaign; typical for Cl0p) |
| Impact | Data Manipulation | T1565 | Tampering with EBS templates and reports |

Notes:

  • Not all techniques may be present in every incident, but these are the core TTPs observed and reported across multiple sources.
  • The campaign focused on data theft and extortion rather than encryption, so T1486 (Data Encrypted for Impact) is less relevant here.
  • Extortion (T1657) is a newer technique in MITRE, reflecting the use of email for ransom demands.

Indicators of Compromise (IOCs) & Infrastructure

  • Malicious IPs: The following IP addresses were confirmed as part of the attacker infrastructure:
    • 200.107.207.26 (SSH service exposed, DATAHOME S.A., Moscow)
    • 185.181.60.11
    • 161.97.99.49
    • 162.55.17.215
    • 104.194.11.200
  • Malicious Domain: oa[.]88tech[.]me (multiple AV detections, linked to C2 and payload delivery)
  • Exploited Endpoints: Requests to /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG, /OA_HTML/configurator/UiServlet, and /OA_HTML/SyncServlet are high-fidelity indicators of compromise.
  • Malware Hashes: Exploit script hash aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121.

Detection & Response Recommendations

  • Patch Immediately: Apply Oracle’s emergency patch for CVE-2025-61882 and monitor for advisories on follow-on vulnerabilities.
  • IOC Monitoring: Block and monitor connections to confirmed malicious IPs and domains, including 200.107.207.26 and oa[.]88tech[.]me.
  • Web & Host Telemetry: Hunt for anomalous HTTP POSTs to BI Publisher endpoints, suspicious file creation in $INST_TOP/apps/*/oacore/, and process execution of archiver/network tools from EBS app servers.
  • Malware & Web Shells: Scan for presence of GOLDVEIN.JAVA, GOLDVEIN.JAVA downloader, and web shells FileUtils.java and Log4jConfigQpgsubFilter.java.
  • Forensics: Preserve logs and memory images for at least 90 days; review for evidence of template tampering and unauthorized concurrent program creation.
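As an added example (not part of the original report or of any vendor tooling), the following Python script applies the exploited-endpoint indicators from the IOC section and the BI Publisher hunting guidance above to web-tier access logs. It assumes the EBS web tier writes Apache-style combined log lines; the sample log lines are constructed and the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and infrastructure the report lists as indicators of compromise.
IOC_PATHS = {"/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet"}
IOC_TEMPLATE_PAGE = "/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG"
IOC_IPS = {"200.107.207.26", "185.181.60.11", "161.97.99.49",
           "162.55.17.215", "104.194.11.200"}

# Apache-style combined log line (assumption: the EBS web tier logs this way).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+')

def classify(line):
    """Return the indicator names matched by one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    parts = urlsplit(m.group("url"))
    if parts.path in IOC_PATHS:
        hits.append("ioc-endpoint:" + parts.path)
    if parts.path == "/OA_HTML/OA.jsp":
        # OA.jsp itself is normal traffic; the page parameter is what matters.
        if IOC_TEMPLATE_PAGE in parse_qs(parts.query).get("page", []):
            hits.append("template-preview-" + m.group("method").lower())
    if m.group("ip") in IOC_IPS:
        hits.append("ioc-ip:" + m.group("ip"))
    return hits

def hunt(lines):
    """Return (line_number, client_ip, hits) for every matching line."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            out.append((n, LOG_RE.match(line).group("ip"), hits))
    return out

# Constructed sample log lines (not taken from a real incident).
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Oct/2025:08:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123',
    '200.107.207.26 - - [12/Oct/2025:08:01:15 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG HTTP/1.1" 200 941',
    '185.181.60.11 - - [12/Oct/2025:08:01:17 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 312',
    '10.1.2.9 - - [12/Oct/2025:08:02:00 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 404 0',
]
if __name__ == "__main__":
    for n, ip, hits in hunt(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(hits)}")
```

A 404 on one of the servlet paths is still reported, since probing of the endpoint is itself the signal the report describes.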

Strategic Lessons for Oracle EBS Owners

  • Reduce Exposure: Treat EBS as high-risk; minimize internet-facing endpoints, enforce WAF, and disable nonessential modules.
  • Rapid Patch Playbook: Prepare for emergency patching and pre-approved maintenance windows, as attackers exploit zero-days within hours of disclosure.
  • Continuous Monitoring: Track Oracle advisories and threat intelligence feeds for new vulnerabilities and attacker pivots.

Infrastructure Exposure & Victimology

  • Exposed Infrastructure: Of four IPs queried, only 200.107.207.26 returned data, showing an SSH service in Moscow, Russian Federation, potentially supporting lateral movement or persistence.
  • Victim Scope: At least 63 entities were discovered, with 40 prioritized for reporting. Impacted organizations span multiple sectors, with some (e.g., Harvard University) publicly acknowledging review and impact.

Conclusion

This campaign demonstrates the operational maturity and agility of the Cl0p extortion ecosystem, leveraging a critical zero-day in Oracle E-Business Suite (EBS) for mass exploitation, data theft, and extortion. The technical sophistication—custom Java payloads, web shells, and multi-stage persistence—combined with rapid victim outreach, underscores the need for proactive patching, robust monitoring, and strategic risk reduction for all EBS owners.

If you require a condensed incident brief, a MITRE ATT&CK map, or SIEM-tailored detection rules, please request further customization.

References & Source Material

  • Oracle Security Alert for CVE-2025-61882
  • Google Cloud Threat Intelligence
  • CrowdStrike Campaign Analysis
  • Rapid7 Technical Blog
  • Tenable FAQ
  • Oligo Security Blog
