Oracle Now Says ‘Critical’ Zero-Day Flaw Behind Data Extortion Attacks, Releases Patch
The disclosure follows reports that the cybercriminal group Clop has been extorting a significant number of E-Business Suite customers.
Oracle is now linking a widespread data extortion campaign targeting E-Business Suite customers to a zero-day vulnerability and has released fixes for the critical-severity flaw, a departure from its previous contention that the attacks resulted from unpatched known vulnerabilities.
In an advisory, the tech giant said it “strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.” The cybercriminal group Clop has been extorting E-Business Suite customers over the theft of potentially sensitive data, researchers at Google Cloud-owned Mandiant and the Google Threat Intelligence Group have said.
CRN has reached out to Oracle for further comment.
The new Oracle disclosure amends the company’s previous statement that the data theft attacks—reported by Google and Mandiant researchers, rather than Oracle itself—were the result of previously disclosed vulnerabilities. In a statement posted last Thursday, Oracle suggested that the attacks were enabled by customers neglecting to deploy patches that had been released in July.
Now, Oracle has linked the reported data extortion campaign to a vulnerability (tracked as CVE-2025-61882) that can be exploited by a remote user without authentication. The vulnerability has received a rating of “critical,” with a severity score of 9.8 out of 10.0.
The flaw affects Oracle E-Business Suite, versions 12.2.3-12.2.14, according to the company.
The new patches “provide updates against additional potential exploitation that were discovered during our investigation,” Oracle Chief Security Officer Rob Duhart said in a revision to the company’s statement originally posted online last week.
Duhart’s statement and the Oracle advisory do not mention Clop, which researchers at Mandiant and the Google Threat Intelligence Group have linked to the “high-volume email campaign” targeting Oracle E-Business Suite customers.
The extortion emails have been sent to executives at a number of organizations, “claiming to have stolen sensitive data from their Oracle E-Business Suite,” according to a statement from Mandiant and Google provided to CRN last week.
Mandiant CTO Charles Carmakal confirmed to BleepingComputer that the zero-day vulnerability disclosed by Oracle is believed to have been behind the Clop attacks, the media outlet reported Sunday.
Clop previously claimed responsibility for a series of major data theft attacks, including widely felt attacks targeting MOVEit customers in 2023.