How Oracle E-Business Suite Clients Can Stay Ahead of Evolving Cl0p Ransomware Threats

Gabe Dimeglio
CISO, SVP & GM Rimini Protect™ and Watch Solutions
4 min read

A wave of sophisticated cyberattacks is targeting organizations running Oracle E-Business Suite (EBS). The Cl0p ransomware group, known for high-impact extortion campaigns, has exploited existing and newly discovered vulnerabilities to steal sensitive data from dozens of organizations — including The Washington Post, Harvard University, Envoy Air and major industrial firms like Schneider Electric and Emerson. The attacks have resulted in the exposure of personal, financial and operational data, with ransom demands and threats of public data leaks.[1]

What is Cl0p?

Clop (also written as Cl0p or cl0p) is a type of ransomware that encrypts victims’ files and appends the .clop extension to them. A distinctive feature of Clop is the phrase “Don’t Worry C|0P,” which is included in its ransom notes. While Clop is a variant of CryptoMix ransomware, it possesses additional capabilities. Clop was first identified by security researchers in February 2019 following a large spear-phishing attack. It remains a significant cybersecurity threat to organizations of all sizes, as it corrupts files and demands ransom payments.[2] Several sites, including RansomLook,[3] monitor Cl0p’s activity and defining attributes.

Development of the latest Cl0p attack on Oracle EBS

  • On October 2nd, based on threat intelligence from Google Threat Intelligence Group (GTIG)/Mandiant[4], Halcyon[5] and other sources[6], Rimini Protect™ security services began tracking information that threat actors were actively exploiting previously known vulnerabilities in Oracle EBS.
  • These sources revealed that multiple organizations had received extortion emails from the Cl0p ransomware group, claiming they had stolen sensitive data from Oracle EBS deployments and instructing executives to contact an email address to receive evidence of the breach and payment instructions.[7] Within one day, the Rimini Protect™ team distributed its initial Zero-Day Advisory to clients.
  • Oracle acknowledged the threat and, on October 4th, announced a new vulnerability in E-Business Suite (CVE-2025-61882).[8] Two days later, CISA included this vulnerability in its Known Exploited Vulnerabilities Catalog (KEV).[9]
  • Then, on October 11th, Oracle identified and resolved another E-Business Suite vulnerability (CVE-2025-61884) through an out-of-band update; that vulnerability was added to the KEV on October 20.[10]
  • As of November 13th, 2025, organizations continue to experience system compromises due to vulnerabilities in Oracle EBS. Indicator of Compromise (IoC) reports and public threat intelligence highlight the recent use of a malicious script named server.py, which listens for connections from compromised servers and acts as a command-and-control (C2) server to receive stolen data or send attacker commands.[11]
  • On November 13th, 2025 Rimini Street released an updated Security Vulnerability Analysis Report (SVAR) to proactively provide clients with the latest security guidance and advanced solutions, helping them to reduce their exposure to ransomware threats.

Rimini Street has made the SVAR detailing the threats posed by Cl0p available.

Identifying and addressing the evolving threat

Cl0p’s hacking campaign is particularly challenging to defend against because it employs multiple attack methods rather than relying on a single vulnerability. In addition to providing ongoing security guidance in updated SVARs, we also provide advanced solutions to help mitigate these evolving threats. The typical sequence of these attacks includes:[12]

  • Initial Access: Attackers may gain entry by exploiting software vulnerabilities or through social engineering tactics.
  • Lateral Movement: Once inside, attackers explore the ecosystem to identify valuable targets.
  • Data Exfiltration: Sensitive data is stolen or transferred off-site for ransom purposes.
  • Ransom Demand: Victims discover the breach when attackers leave files on compromised servers.
  • Extortion: Attackers threaten to publicly leak stolen data if their ransom demands are not met.

Once attackers infiltrate ERP systems like Oracle EBS, they obtain privileged access to core business records and workflows which are quickly stolen before the breach is detected.

Rimini Street has analyzed a recently published proof of concept (PoC)[13] for one of these vulnerabilities, demonstrating how attackers can exploit CVE-2025-61882 in Oracle EBS.

Our analysis revealed that successfully exploiting this vulnerability requires coordinating five separate weaknesses within the system. For a detailed breakdown of these steps, please refer to the Security Vulnerability Analysis Report (SVAR) published on November 13, 2025 (initial version distributed to clients on October 3rd, 2025).

It’s important to keep in mind that this is only one of many vulnerabilities that Cl0p is using in its attacks, thus making this attacker group difficult to defend against.

Staying one step ahead

In July 2025, Rimini Street released a Security Vulnerability Analysis Report (SVAR) that proactively identified and provided mitigations for vulnerabilities in Oracle EBS — several of which are believed to be involved in Cl0p’s exploitation tactics. This early guidance enabled our clients to harden their environments before the threat became widespread, and also provided assurances to clients leveraging our Rimini Protect™ services and solutions that the threat was properly mitigated.

Following the emergence of Cl0p’s campaign, we distributed multiple updated SVARs with threat intelligence containing mitigation options for the vulnerabilities known to date to 1,816 contacts across more than 300 Oracle EBS clients, offering updated hardening strategies, threat indicators and configuration recommendations as new information has emerged.

As the attack pattern evolved — from opportunistic exploitation to coordinated lateral movement and executive-level extortion — the additional SVARs help our clients remain protected with the latest threat intelligence as applied to our mitigations and enhanced hardening guidance.

Advanced security with Rimini Protect™

Rimini Street takes a strategic and proactive approach to risk-based vulnerability management for clients leveraging our Rimini Protect™ services, tailoring solutions to each client’s unique environment to help reduce exposure to security risks. We offer several options to mitigate the threats currently posed by the Cl0p group.

  • Leverage Advanced Application and Middleware Security (AAMS): AAMS clients are protected against currently known exploits. Ensure AAMS is correctly configured, with CSRF, File Write, File Exec and Network Traversal rules enabled and set to Protect mode. This helps safeguard against known exploits.
  • Leverage Advanced Database Security Suite (ADSS): When configured according to Rimini Street guidance, Rimini Protect™ ADSS monitors database activity providing alerts for suspicious activity and preventing data from being exfiltrated via the tactics currently used by the Cl0p threat group.
  • Follow Mitigation Guidance in SVARs: Refer to the Security Vulnerability Analysis Reports (SVARs) for mitigation strategies covering additional vulnerabilities that may be used by Cl0p, including CVE-2025-61882, CVE-2025-30746, CVE-2025-30745, CVE-2025-50107, CVE-2025-21587, CVE-2025-39428, and CVE-2025-21500.
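Because the article's timeline hinges on when CISA adds each EBS CVE to the KEV and the mitigation list names several more CVEs, a practical vulnerability-management step is to check the KEV feed for exactly those identifiers and flag any whose remediation deadline has lapsed. The script below is an added example, not Rimini Street's or CISA's code: it uses a constructed feed in the CISA KEV JSON shape (the field names `cveID`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` are real KEV fields; the sample's due dates, ransomware flags and the unrelated entry are placeholders), and in practice the same structure is downloaded from CISA's public KEV JSON feed.

```python
import json
from datetime import date

# CVEs named in the article: CVE-2025-61884 from the timeline, the rest from the
# SVAR mitigation list.
WATCHED_CVES = {
    "CVE-2025-61882", "CVE-2025-61884", "CVE-2025-30746", "CVE-2025-30745",
    "CVE-2025-50107", "CVE-2025-21587", "CVE-2025-39428", "CVE-2025-21500",
}

# Constructed records in CISA KEV JSON shape. dateAdded follows the article's
# timeline; dueDate values, ransomware flags and the unrelated entry are placeholders.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-61884", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-20", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "Unrelated",
     "dateAdded": "2025-10-01", "dueDate": "2025-10-22", "knownRansomwareCampaignUse": "Unknown"},
]})


def kev_status(feed_json: str, watched: set, today: str) -> dict:
    """Map each watched CVE to its KEV state as of `today` (ISO date string).

    in_kev:     CISA has confirmed in-the-wild exploitation (the CVE is listed)
    overdue:    the KEV remediation dueDate is already past
    ransomware: KEV marks the CVE as used in ransomware campaigns
    """
    as_of = date.fromisoformat(today)
    listed = {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}
    report = {}
    for cve in sorted(watched):
        entry = listed.get(cve)
        if entry is None:
            # Not in KEV yet: still mitigate per the SVAR, but no CISA deadline applies.
            report[cve] = {"in_kev": False, "overdue": False, "ransomware": False}
            continue
        report[cve] = {
            "in_kev": True,
            "overdue": as_of > date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        }
    return report


if __name__ == "__main__":
    for cve, s in kev_status(SAMPLE_KEV_FEED, WATCHED_CVES, "2025-11-13").items():
        state = "OVERDUE" if s["overdue"] else ("in KEV" if s["in_kev"] else "not in KEV")
        print(f"{cve}: {state}{' (ransomware use)' if s['ransomware'] else ''}")
```

Run against the live feed on a schedule, the `overdue` flag is the trigger to escalate hosts that still expose a listed CVE, while CVEs absent from the KEV remain covered only by the SVAR mitigations.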

Stay Informed: As attack methods continue to evolve, Rimini Street will continue to publish updated vulnerability guidance to help clients remain protected. For this campaign, Rimini Street has released three Security Vulnerability Analysis Reports (SVARs) so far.

Future Readiness: Staying protected against evolving threats

As threat groups like Cl0p continue to evolve their tactics, organizations running core ERP systems including Oracle EBS need continuous proactive visibility, protection and a strategic security partner. Rimini Protect™ delivers that stability through advanced hardening, proactive SVAR updates and threat-intelligence mitigation guidance, helping clients stay protected long before an exploit becomes widespread.

By combining deep application and database expertise with actionable security intelligence, Rimini Street supports clients in strengthening their environments against today’s complex attack tactics and prepares them for tomorrow’s challenging threats.

Let’s connect. Contact us today to schedule a security briefing. To request a copy of our latest SVAR for threats posed by the Cl0p attacker group, please click here.

Gabe Dimeglio

CISO, SVP & GM Rimini Protect™ and Watch Solutions

Mr. Dimeglio serves as CISO, SVP & GM for Rimini Protect™ and Rimini Watch™ solutions. In this role, he is responsible for providing strategic leadership and management of Rimini Street’s internal information security and compliance team and programs, the Rimini Protect client-facing security services and solutions, and the Rimini Watch observability solution.
