LmCast :: Stay tuned in

Oracle EBS Attack Victims May Be More Numerous Than Expected

Recorded: Oct. 29, 2025, 3:40 p.m.


Numerous organizations have been attacked via Oracle EBS zero-day CVE-2025-61882, and evidence suggests more like Schneider Electric could be on that list.

Alexander Culafi, Senior News Writer, Dark Reading
October 28, 2025

Image source: Kristoffer Tripplaar via Alamy Stock Photo

The list of enterprises targeted by recent Oracle EBS attacks may also include Schneider Electric, Pan American Steel, and Cox Enterprises.

Earlier this month, the infamous ransomware-as-a-service gang Clop targeted customers affected by the critical Oracle E-Business Suite (EBS) zero-day vulnerability CVE-2025-61882. The flaw enables an unauthenticated attacker to remotely access and compromise Oracle Concurrent Processing. Exploiting this vulnerability can lead to follow-on activity such as data theft and possibly extortion. And in this case, early instances of extortion are part of the reason this zero-day came to light.

Patches for CVE-2025-61882 are available. Per an advisory, Oracle strongly recommended vulnerable customers apply the relevant security updates as soon as possible.

Clop is known for a 2023 campaign against a zero-day in Progress Software's MOVEit Transfer managed file transfer (MFT) software, as well as attacks against Cleo customers. Beyond Clop, Google Threat Intelligence Group (GTIG) has suggested possible involvement from financially motivated threat group FIN11 (which has prior Clop association), but Google stopped short of a firm attribution, pending more concrete evidence.
Oracle EBS Victim List Expands

It is unclear how many victims have been compromised as a result of Clop's campaign against Oracle EBS customers, though over the course of the month a few, such as Harvard University, have confirmed attacks. Based on Clop's data leak site and researcher reports, industry giants like Schneider Electric, Cox Enterprises, and Pan American Silver may all be affected.

On X, cybersecurity analyst and researcher Dominic Alvieri wrote that energy management vendor Schneider Electric SE had its stolen data leaked by FIN11 via Clop Ransomware. Alvieri similarly said publicly traded mining company Pan American Silver and communications giant Cox Enterprises had been targeted by Clop as part of CVE-2025-61882 attacks; both companies have been added to Clop's leak site.

Schneider Electric is unfortunately no stranger to threat actors claiming cyberattacks against it. Clop previously claimed an attack against the French multinational company as part of the MOVEit attacks in 2023, while a group known as Hellcat claimed a breach of Schneider last year. Meanwhile, Cox Enterprises subsidiary Cox Media Group was previously targeted by hackers in 2021.

Dark Reading contacted all three companies for comment, though none had responded at press time.

An Uncertain Future for Oracle EBS Fallout

The exact blast radius of this campaign is difficult to determine, as Clop (which fundamentally cannot be trusted on its own) is still adding names to its data leak site and only a few organizations such as Harvard and Envoy Air (an American Airlines subsidiary) have disclosed attacks. In the meantime, any organization that has not yet patched its Oracle EBS instances should immediately do so. The FBI Cyber Division put it bluntly in a post to LinkedIn earlier this month.

"The vulnerability allows unauthenticated attackers to execute code remotely over HTTP without user interaction. In plain terms: if your EBS environment is reachable on the network, and especially if it’s internet facing, it’s at risk for full compromise," the post read. "This is 'stop-what-you're-doing and patch immediately' vulnerability. The bad guys are likely already exploiting it in the wild, and the race is on before others identify and target vulnerable systems."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.

Oracle E‑Business Suite (EBS) has become the focus of a significant zero‑day exploitation campaign identified as CVE‑2025‑61882. The flaw lies in Oracle’s concurrent processing component, allowing an unauthenticated attacker to remotely gain code execution over HTTP without user interaction. Once compromised, attackers can steal data and potentially levy extortion demands, a pattern that has already emerged in the field. Oracle has issued security updates for the vulnerability and strongly urges all affected customers to apply the patches immediately, stressing that the risk is especially acute for systems exposed to the internet.

The ransomware‑as‑a‑service group Clop has been the primary actor exploiting this vulnerability. Clop’s modus operandi includes leaking stolen data on a dedicated website after a successful campaign, a tactic that has been used in previous high‑profile attacks such as the 2023 MOVEit Transfer zero‑day incident. In the current Oracle EBS context, Clop’s data leak site lists several large enterprises as victims, including the mining firm Pan American Silver, the communications conglomerate Cox Enterprises, and the energy‑management vendor Schneider Electric. Other organizations that have publicly confirmed successful attacks are Harvard University and Envoy Air, a subsidiary of American Airlines. The FBI’s Cyber Division underscored the severity of the situation in a LinkedIn post, describing the vulnerability as a “stop‑what‑you’re‑doing and patch immediately” incident and warning that attackers are already active in the wild.

While Clop is the most evident threat actor, Google Threat Intelligence Group (GTIG) has suggested possible involvement of the financially motivated group FIN11, which shares a historical association with Clop but has not been conclusively linked to the current attacks. Clop’s data leak platform continues to expand its victim list, further complicating the assessment of the campaign’s full reach. Despite the growing evidence, the exact number of compromised customers remains uncertain because of limited disclosures.

Schneider Electric’s security history underscores the broader context of repeated cyber pressure. The company has faced past claims of breach from Clop during the 2023 MOVEit attacks, and a separate group named Hellcat alleged a breach last year. Cox Enterprises’ subsidiary Cox Media Group experienced a hacking incident in 2021. These organizations were contacted for comment, but none had responded publicly at the time of writing.

Given the ongoing uncertainty surrounding the total blast radius, any unpatched Oracle EBS environment, particularly one reachable internally or externally over HTTP, is considered a high-risk target. The vulnerability’s capacity for remote code execution without any user interaction means that once a system is exposed, full compromise is possible. The urgency expressed by both the FBI and Oracle underscores that organizations should not delay patch deployment, as the pace of exploitation outstrips the pace of detection and reporting.

In summary, Clop's exploitation of the CVE-2025-61882 zero-day has led to confirmed attacks on Harvard University and Envoy Air, while Schneider Electric, Pan American Silver, and Cox Enterprises have been named as victims on Clop's data leak site and in researcher reports. Oracle has released patches for the flaw. The combination of high-impact remote code execution, the extensive list of affected enterprises, and the active threat landscape necessitates immediate remedial action for all users of Oracle EBS. Alexander Culafi of Dark Reading reports on these developments, emphasizing that the list of victims may continue to grow as attackers expand their leak database.