Oracle E‑Business Suite Zero‑Day Sparks Months‑Long Extortion Wave, With More Than 100 Orgs Hit
The email that arrived in an airline executive’s inbox in early January did not sound hypothetical.
The sender listed specific purchase orders, internal vendor IDs and invoice totals pulled from the company’s Oracle E‑Business Suite system, the enterprise software that runs core finance and procurement operations. The message demanded a multimillion‑dollar payment and warned that if the company did not respond, the stolen records would be posted online.
The airline had already patched its Oracle systems months earlier, after emergency alerts went out in October. But the extortion attempt was new. So were the similar messages that, according to security researchers and corporate disclosures, are still landing in inboxes at universities, manufacturers and public agencies around the world nearly half a year after attackers first slipped into Oracle’s software.
Those ransom notes trace back to a single software flaw, a zero‑day vulnerability in Oracle’s E‑Business Suite (EBS), that security firms and government agencies now say may have allowed intruders to quietly copy sensitive data from more than 100 organizations before anyone knew the bug existed.
Zero‑day in the corporate back office
The vulnerability, tracked as CVE‑2025‑61882, affects Oracle E‑Business Suite’s Concurrent Processing and BI Publisher integration components, versions 12.2.3 through 12.2.14. Oracle has described it as remotely exploitable without authentication, meaning attackers can take control of a vulnerable system over a network without needing a username and password.
On the widely used CVSS severity scale, Oracle and other vendors rated the bug 9.8 out of 10. In practical terms, it allowed an attacker who could reach an exposed EBS web interface over HTTP to run code of their choosing on the application server.
E‑Business Suite is the backbone of many large organizations’ finance, human resources, payroll, supply chain and procurement operations. While Oracle now sells cloud‑based ERP products, EBS remains widely deployed as on‑premises software in data centers and hosting facilities.
“When you compromise E‑Business Suite, you are in the heart of the organization,” said a senior incident responder at a major security firm who has worked on several of the breaches and spoke on condition of anonymity because clients have not been publicly named. “You see vendors, contracts, payroll. It’s not just files; it’s the system of record.”
Quiet intrusions, then a flood of ransom emails
Threat analysts at Mandiant and Google Cloud’s Threat Intelligence team reported that they observed suspicious activity in some EBS environments beginning July 10, 2025. By Aug. 9, they said, an attacker was exploiting what “may be CVE‑2025‑61882” as a zero‑day—meaning the flaw was being used before a patch was available.
According to those firms, the attackers used a specially crafted web request to trigger the vulnerability and gain remote code execution. They then deployed a custom, multistage Java implant framework that stored malicious payloads inside the Oracle database itself, disguised as BI Publisher templates in tables such as XDO_TEMPLATES_B and XDO_LOBS.
From there, the compromised systems connected out to command‑and‑control servers to download secondary tools and exfiltrate data. In some cases, Mandiant said, the intruders removed “a significant amount of data” before any ransomware or destructive action was attempted.
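A defender-side starting point for the persistence technique described above, added here as an example and not taken from the article, Oracle or Mandiant: two read-only hunt queries against the EBS database. They assume the standard EBS 12.2 layout of XDO_TEMPLATES_B and XDO_LOBS (column names CREATION_DATE, LAST_UPDATE_DATE, CREATED_BY, TEMPLATE_CODE, LOB_CODE, XDO_FILE_TYPE and FILE_DATA are assumptions from that schema) and use the dates the article cites for the exploitation window.

```sql
-- Hunt query 1 (added example, not from the page). Template definitions
-- created or changed on or after the first activity date cited in the
-- article (July 10, 2025). Review each hit against your change records;
-- column names are assumed from the stock EBS 12.2 schema.
SELECT t.application_short_name,
       t.template_code,
       t.template_type_code,
       t.created_by,
       t.creation_date,
       t.last_update_date
  FROM xdo_templates_b t
 WHERE t.creation_date    >= DATE '2025-07-10'
    OR t.last_update_date >= DATE '2025-07-10'
 ORDER BY t.creation_date;

-- Hunt query 2. Stored template blobs whose first four bytes are the Java
-- class-file magic (0xCAFEBABE). A genuine RTF, XSL, PDF or eText template
-- never starts with that signature, so any match is a compiled Java class
-- sitting where a report template should be.
SELECT l.application_short_name,
       l.lob_code,
       l.lob_type,
       l.xdo_file_type,
       DBMS_LOB.GETLENGTH(l.file_data) AS bytes,
       l.created_by,
       l.creation_date,
       l.last_update_date
  FROM xdo_lobs l
 WHERE l.file_data IS NOT NULL
   AND DBMS_LOB.SUBSTR(l.file_data, 4, 1) = HEXTORAW('CAFEBABE')
 ORDER BY l.creation_date DESC;
```

Query 1 is triage, not proof, since legitimate template work also lands in that window; query 2 is a hard indicator, and any row it returns should be preserved (not deleted) for forensic review before the host is rebuilt and patched.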
The public did not learn of the intrusion campaign until late September. On Sept. 29, 2025, security teams began seeing what Google later described as a “high‑volume” email extortion campaign. Executives at multiple organizations received messages claiming that attackers had breached their Oracle EBS instances and stolen sensitive data, with threats to publish it unless a ransom was paid.
To make the emails harder to filter, the attackers used hundreds or thousands of already compromised third‑party email accounts obtained from infostealer malware logs, researchers said.
Patches arrive, but damage lingers
As reports of the extortion emails spread, Oracle initially said the attackers “may have exploited vulnerabilities that were patched in July 2025” and urged customers to apply the company’s regular quarterly updates. On Oct. 4, 2025, Oracle issued an out‑of‑band security alert disclosing CVE‑2025‑61882 as a distinct, critical EBS flaw and urged customers to apply updates without delay.
On Oct. 11, Oracle followed with an alert on a second EBS issue, CVE‑2025‑61884. Both fixes were later folded into the company’s Oct. 21 Critical Patch Update, which included 374 security patches across Oracle products. In that advisory, Oracle reiterated that it “continues to receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,” warning that many successful attacks occur when patches have not been applied.
Law enforcement echoed the urgency. In a message amplified in an advisory to U.S. hospitals, FBI Cyber Division Assistant Director Brett Leatherman called CVE‑2025‑61882 a “stop‑what‑you’re‑doing and patch immediately” vulnerability.
Despite those warnings, patching EBS is not a one‑click process. The emergency fix for CVE‑2025‑61882 requires that customers first install the October 2023 Critical Patch Update, and many large EBS deployments are heavily customized, complicating testing and maintenance windows.
“These systems run payroll, they run billing, they run supply chains,” said a chief information security officer at a North American manufacturer that uses EBS and asked not to be identified. “You can’t just take them down in the middle of the quarter without weeks of planning, even if you want to.”
By the time patches were broadly available, intruders had already had weeks—and in some cases months—to move within victim networks and copy data.
More than 100 victims across sectors
The full scope of the campaign is still emerging. A Wall Street Journal report on Jan. 13, 2026, cited people familiar with the matter as saying that over 100 organizations were likely compromised. Publicly named victims include Harvard University, Canon U.S.A., Mazda, Envoy Air, Cox Enterprises, Logitech and the University of Phoenix.
Envoy Air, a regional carrier owned by American Airlines, said in an October disclosure that it had been “targeted in a cyber‑extortion incident related to a vulnerability in Oracle’s E‑Business Suite,” and that some business data had been accessed. The company said there was no evidence that customer or flight‑safety systems were affected.
Harvard confirmed in October that it was investigating a data security incident involving Oracle EBS. Other universities and public institutions have posted notices indicating that employee or vendor information linked to Oracle systems may have been accessed.
Health care and public services organizations have also issued warnings. On Oct. 6, England’s National Health Service published a cyber alert noting Oracle’s report of “exploitation of CVE‑2025‑61882 in the wild as a zero‑day… which, if successfully exploited, could allow unauthenticated remote code execution,” and urged organizations to patch. The American Hospital Association advised hospitals that are Oracle customers to treat the flaw as a priority.
Cl0p branding, shared infrastructure
The extortion emails have used contact details and infrastructure associated with the Cl0p ransomware and extortion operation, best known for attacks on the Accellion file‑transfer appliance in 2020 and the MOVEit Transfer software in 2023. Mandiant and Google said the actor behind the Oracle‑linked campaign “claimed affiliation with the CL0P extortion brand,” though they stopped short of definitive attribution.
Researchers quoted by Reuters said ransom demands linked to the Oracle EBS intrusions have ranged from single‑digit millions of dollars to around $50 million, depending on the size of the organization and the volume of data stolen.
Security firms say the infrastructure used in the Oracle campaign overlaps with past Cl0p activity, and some vendors have pointed to FIN11—also known as GRACEFUL SPIDER—as a likely operator or affiliate involved in exploiting the vulnerability and managing the extortion.
Long‑tail extortion and third‑party risk
Unlike traditional ransomware incidents, where encrypted systems are restored and negotiations end within weeks, the Oracle EBS campaign is playing out over a longer horizon.
Because attackers focused on data theft before their activities were widely known, they have been able to stagger ransom demands, reaching out to different victims months apart. The Wall Street Journal reported that some organizations first realized data had been stolen only when they received extortion emails in late 2025 or early 2026—long after they had applied Oracle’s patches.
The types of data at stake—payroll records, vendor contracts, internal ledgers and employee identifiers—are often subject to data‑breach notification laws. In the United States, most states require notification if certain personal information is exposed. In the European Union and United Kingdom, compromises involving personal data can trigger obligations under the General Data Protection Regulation and its UK counterpart, including notification to regulators within 72 hours of becoming aware of a qualifying breach.
For publicly traded companies in the United States, the Securities and Exchange Commission’s cybersecurity disclosure rules, which took effect in late 2023, require prompt reporting of material cyber incidents on Form 8‑K and detailed descriptions of cyber risk management in annual filings.
Security practitioners say the campaign underscores how much modern commerce depends on complex third‑party platforms that are both deeply embedded and difficult to update quickly.
“Everyone talks about supply‑chain risk, but for a lot of big organizations, their real supply chain is the ERP system,” the incident responder said. “When that has a zero‑day, you don’t just have one breach. You have a hundred, and they don’t all end when the patch goes in.”