When The Backbone ERP Becomes The Breach Point: Oracle EBS Under Fire

A new campaign linked to the CL0P and FIN11 groups is targeting Oracle E-Business Suite (EBS) customers across multiple industries. What makes this case different is not only the scale but also the nature of the systems under attack. The intrusions hit the very core of enterprise operations: finance, HR, and supply-chain systems that run on Oracle EBS.

This incident is a reminder that modern cyberattacks are no longer limited to endpoints or exposed web apps. The attackers are now going after the digital backbone that keeps businesses running.

What Happened

  • Beginning around July 2025, threat actors started exploiting a previously unknown vulnerability in Oracle EBS, now tracked as CVE-2025-61882.

  • By late September, dozens of organizations reported receiving extortion emails claiming data theft from their Oracle systems.

  • Google’s Threat Analysis Group later confirmed that the same campaign compromised significant amounts of customer data, affecting at least 30 organizations across sectors.

  • Several victims, including media companies and financial institutions, have now been publicly listed on CL0P’s leak site.


The campaign’s activity is ongoing. Attackers use a mix of zero-days, credential theft, and social engineering to gain access, exfiltrate data, and pressure executives with direct ransom demands.

How the Attack Works

Researchers found that the attackers chained together multiple Oracle EBS components to achieve unauthenticated remote code execution.

Technical details show the use of:

  • Exploitation of vulnerable servlet paths such as /OA_HTML/SyncServlet

  • Java-based in-memory implants like GOLDVEIN, SAGEGIFT, and SAGELEAF

  • Compromised third-party email infrastructure to deliver extortion messages using addresses like [email protected]

The operation reflects the combined tactics of FIN11, known for high-volume exploitation, and CL0P, known for data theft and public shaming. This partnership creates both technical and psychological pressure on victims.

Why It Matters

  • Core business risk: Oracle EBS powers mission-critical operations. When it is breached, the fallout reaches finance, payroll, logistics, and customer databases all at once.

  • Zero-day exposure: The attackers moved quickly before a patch was available, taking advantage of organizations with delayed update cycles.

  • Shift in attacker focus: This campaign shows that enterprise applications are now fair game. Attackers are not just scanning web servers; they are looking for business logic and supply-chain value.

  • Extortion over encryption: Instead of encrypting files, the group stole sensitive data and used the threat of exposure as leverage.

Impact and Implications

This is one of the largest known campaigns against an ERP system in years. More than 100 companies may have been exposed directly or through connected vendors. The impact includes:

  • Loss of confidential customer and financial records

  • Disruption of operational workflows and supplier coordination

  • Regulatory and reputational risks from leaked internal data

  • Targeted extortion emails to executives and board members

The attack also highlights a growing blind spot. Many companies invest heavily in endpoint detection and cloud monitoring but neglect to harden their ERP layer, which often holds the most valuable data of all.

What Organizations Should Do

  1. Apply all Oracle security patches immediately. The company has released urgent fixes for CVE-2025-61882 and related vulnerabilities.

  2. Conduct targeted threat hunting. Check for modified templates in XDO tables, abnormal outbound connections from EBS servers, and newly created Java objects or scripts.

  3. Restrict external exposure. Keep EBS instances off the public internet wherever possible, and limit outbound access to only necessary services.

  4. Validate ERP-specific logging. Ensure SIEM and EDR solutions capture events within the EBS environment, not just on the host operating system.

  5. Prepare executive response plans. Because attackers contact leaders directly, make sure communication and escalation protocols are in place.

  6. Review third-party dependencies. Vendors, integrators, and cloud partners with EBS access should confirm patching and isolation measures.
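The hunting guidance above (modified templates in XDO tables, abnormal outbound connections from EBS servers) and the servlet path named under "How the Attack Works" can be turned into concrete checks. The script below is an added example, not ThreatMon's or Oracle's code: it runs three defender-side checks over constructed sample data. The only value taken from the post is the /OA_HTML/SyncServlet path; the column names for the XDO export, the allowlisted networks and ports, the host names, and every log line are assumptions constructed for this illustration, not real Oracle EBS schema or real traffic.

```python
"""Added Oracle EBS hunting example (not ThreatMon's or Oracle's code).

Three checks drawn from the hunting guidance in the post:
  1. web access-log requests to the SyncServlet path the post names,
  2. XDO template metadata rows changed after the campaign's start window
     or by an account that is not an approved template author,
  3. outbound connections from EBS hosts to destinations outside an allowlist.
Column names, hosts, networks and log lines are constructed assumptions.
"""
import ipaddress
import re
from datetime import datetime
from typing import Dict, List, Tuple

# --- 1. Web access log: requests to the servlet path named in the post --------
WATCHED_PATHS = ("/OA_HTML/SyncServlet",)

# Constructed sample lines in common log format (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [09/Oct/2025:03:12:41 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
198.51.100.20 - - [09/Oct/2025:03:13:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0
203.0.113.7 - - [09/Oct/2025:03:13:15 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 8190
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)


def find_servlet_hits(log_text: str) -> List[Dict[str, str]]:
    """Return parsed requests whose path (query string stripped) is a watched servlet."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        path = m.group("path").split("?", 1)[0]
        if any(path.startswith(w) for w in WATCHED_PATHS):
            hits.append(m.groupdict())
    return hits


# --- 2. XDO template metadata: changes outside the expected pattern -----------
# Constructed rows standing in for an export of XDO template metadata.
# The column names below are assumptions for this example, not the EBS schema.
XDO_ROWS = [
    {"template_code": "AP_INVOICE_RPT", "last_updated_by": "SYSADMIN",
     "last_update_date": "2025-06-14T10:05:00"},
    {"template_code": "TMP_ZZ1", "last_updated_by": "APPS",
     "last_update_date": "2025-08-02T02:47:13"},
    {"template_code": "PO_PRINT_RPT", "last_updated_by": "SYSADMIN",
     "last_update_date": "2025-05-30T09:00:00"},
]
APPROVED_TEMPLATE_AUTHORS = {"SYSADMIN"}
# The post dates the campaign's start to around July 2025; hunt from there.
DEFAULT_SINCE = datetime(2025, 7, 1)


def find_suspicious_templates(rows, since: datetime = DEFAULT_SINCE,
                              approved=APPROVED_TEMPLATE_AUTHORS) -> List[str]:
    """Flag template codes changed on/after `since` or by an unapproved account."""
    flagged = []
    for r in rows:
        changed = datetime.fromisoformat(r["last_update_date"])
        if changed >= since or r["last_updated_by"] not in approved:
            flagged.append(r["template_code"])
    return flagged


# --- 3. Outbound connections from EBS application hosts -----------------------
# Constructed allowlist: database subnet and SMTP relay subnet, plus the ports
# an EBS application tier legitimately needs (DB listener, SMTP, HTTPS).
ALLOWED_DST = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.5.0/24")]
ALLOWED_PORTS = {1521, 25, 443}

# Constructed connection records: (src_host, dst_ip, dst_port).
CONNECTIONS: List[Tuple[str, str, int]] = [
    ("ebs-app-01", "10.20.1.15", 1521),
    ("ebs-app-01", "10.30.5.9", 25),
    ("ebs-app-02", "203.0.113.55", 443),
    ("ebs-app-02", "198.51.100.3", 8443),
]


def find_abnormal_outbound(conns, allowed_nets=ALLOWED_DST,
                           allowed_ports=ALLOWED_PORTS) -> List[Tuple[str, str, int]]:
    """Flag connections leaving the allowlisted networks or using an unexpected port."""
    flagged = []
    for src, dst, port in conns:
        ip = ipaddress.ip_address(dst)
        in_allowed_net = any(ip in net for net in allowed_nets)
        if not in_allowed_net or port not in allowed_ports:
            flagged.append((src, dst, port))
    return flagged


if __name__ == "__main__":
    print("SyncServlet requests:", find_servlet_hits(ACCESS_LOG))
    print("Suspicious XDO templates:", find_suspicious_templates(XDO_ROWS))
    print("Abnormal outbound:", find_abnormal_outbound(CONNECTIONS))
```

In a real hunt the three inputs would come from the EBS web tier access logs, a read-only export of the XDO template metadata, and firewall or NetFlow records for the application hosts; the allowlist and the approved-author set should be taken from the organization's own change records rather than guessed, because a template change by an unexpected account is only meaningful against a known baseline.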

ThreatMon Insights

  • Attackers are increasingly targeting trusted business systems that were never designed with security visibility in mind.

  • The line between different ransomware and extortion groups is fading. Shared infrastructure and data-leak marketplaces allow threat actors to collaborate and scale faster than defenders can react.

  • Executive-level pressure is part of the attack. Cyber incidents now involve legal, financial, and reputational damage well beyond IT.

  • This campaign shows that time-to-patch and visibility across ERP systems will define how enterprises manage risk in 2026.

Final Thoughts

The Oracle EBS breach campaign is more than another headline. It marks a turning point in how attackers view the enterprise landscape. They are no longer content with breaching the edges; they are going straight for the operational core.

For defenders, the lesson is clear. Enterprise software deserves the same level of continuous monitoring, segmentation, and incident response as cloud and endpoint environments. The cost of neglecting these systems is now visible to the entire industry.
