Clop hackers caught exploiting Oracle zero-day bug to steal executives’ personal data

Oracle has taken swift action to address a newly discovered zero-day vulnerability in its widely used E-Business Suite, a critical software for numerous organizations. This security flaw is reportedly being exploited by the Clop hacking group to steal sensitive personal data from corporate executives. Rob Duhart, Oracle’s chief security officer, announced the urgent patch over the weekend, emphasizing the need for customers to implement the update immediately. The vulnerability, designated as CVE-2025-61882, allows attackers to exploit the system over a network without requiring any authentication, which raises significant security concerns. In an advisory, Oracle provided indicators of compromise to assist customers in detecting potential breaches, indicating that the hackers are actively targeting sensitive information. Given that thousands of businesses rely on the E-Business Suite for managing customer and employee data, the implications of this exploit could be extensive. The term 'zero-day' signifies that Oracle had no prior warning about the vulnerability before it was maliciously exploited. Duhart's recent update marks a shift from earlier communications, where he had noted that some executives had received extortion emails tied to previously patched issues from July, suggesting those threats had subsided. However, the discovery of this new zero-day vulnerability indicates that the threat remains active, with Clop hackers continuing to exploit Oracle's software. Reports of the extortion campaign targeting corporate leaders began surfacing last week. Google security researchers revealed that Clop, known for its ransomware attacks, initiated contact with Oracle executives around September 29, demanding payment to prevent the release of their personal information online. Charles Carmakal, Mandiant's chief technology officer, highlighted the severity of the situation, stating that the vulnerabilities in Oracle’s E-Business software are being leveraged in a large-scale campaign aimed at data theft and extortion. He noted that much of this exploitation occurred in August, following the release of the July patches. While Clop has been actively sending extortion emails since last Monday, Carmakal pointed out that not all potential victims have yet been approached by the hackers.