Cl0p mass-exfiltrates Oracle E-Business Suite via CVE-2025-61882 zero-day
Russian-speaking double-extortion crew historically aligned with TA505/FIN11. Specialized in mass exploitation of managed-file-transfer software zero-days: Accellion FTA (2020), GoAnywhere MFT (early…
Summary
Cl0p exploited CVE-2025-61882 — a previously unknown Oracle EBS vulnerability — against internet-facing Oracle E-Business Suite deployments from late July through early September 2025, then on 29 September 2025 blasted out hundreds of extortion emails to executives at victim organisations, using compromised email accounts as the delivery channel. By late October 2025 the operators had named 29 victims on their leak site, including Harvard University, American Airlines subsidiary Envoy Air, The Washington Post, Schneider Electric, Emerson, Logitech, and Cox Enterprises. The campaign is operationally identical to Cl0p's prior mass-extortion campaigns against Accellion FTA (2020-2021), Fortra GoAnywhere (2023), MOVEit Transfer (2023), and Cleo Harmony / VLTrader / LexiCom (2024) — Cl0p's cadence of mass-exploiting an enterprise managed-file-transfer or ERP platform is now annual.