In mid-2025, Oracle’s flagship enterprise platform E-Business Suite (EBS) became the centre of a global cyberattack campaign. Threat actors discovered and weaponized a previously unknown (zero-day) remote code execution (RCE) vulnerability that allowed them to compromise EBS servers without authentication.
This exploitation rapidly evolved into a large-scale extortion campaign resembling the operations of the CL0P ransomware group, targeting organizations using unpatched or exposed EBS instances. By late September 2025, hundreds of companies had received extortion emails claiming that their EBS data had been stolen.
Oracle responded with an emergency patch on October 4, 2025, urging immediate remediation and investigation.
Attack Vector
The attackers exploited vulnerable EBS servlet components, including UiServlet and SyncServlet, which process user requests in Oracle’s web interface. These components lacked sufficient input validation, enabling remote attackers to upload malicious templates and execute code on the server.
Tactics, Techniques and Procedures (TTPs)
- Initial Access (T1190 – Exploit Public-Facing Application):
Attackers sent crafted HTTP requests to vulnerable EBS endpoints (such as /OA_HTML/configurator/UiServlet) to upload malicious XSL templates via the XDO Template Manager.
- Execution (T1059 – Command and Scripting Interpreter):
When the malicious templates were previewed or executed, embedded Java code ran in-memory payloads, avoiding traditional antivirus detection.
- Persistence (T1546 – Event Triggered Execution):
The payloads installed servlet filters that reloaded malicious code each time the server processed requests, maintaining persistence without modifying system files.
- Command and Control (T1071 – Application Layer Protocol):
The implants communicated with external command servers over HTTPS using disguised TLS traffic (observed C2: 162.55.17.215, 104.194.11.200).
- Exfiltration and Extortion (T1657 – Data Encrypted for Impact):
Collected data was exfiltrated, and victims were contacted via extortion emails from domains like pubstorm.com and pubstorm.net, threatening data leaks if ransoms weren’t paid.
Impact
- Scope: Hundreds of Oracle EBS servers globally were compromised between July and October 2025.
- Data Exposure: Attackers potentially accessed sensitive financial and operational data stored within ERP systems.
- Business Disruption: Many organizations took EBS offline for emergency patching and forensic investigation.
- Reputation Damage: Victims faced public embarrassment from extortion claims, even if no breach was confirmed.
In short, the attack demonstrated how a single ERP vulnerability could cascade into business continuity risks and reputational damage, particularly for financial institutions and large enterprises reliant on Oracle’s suite.
Response
Once unusual traffic patterns and template creation activities were detected, several organizations engaged incident response teams to investigate.
Detection hinged on identifying unexpected entries in the XDO_TEMPLATES_B and XDO_LOBS database tables and unfamiliar outbound connections from EBS servers.
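The second detection signal above, unfamiliar outbound connections from EBS servers, can be hunted for in egress logs. The script below is an added example, not part of the original write-up: it parses constructed firewall-style log lines from an EBS application tier, flags connections to the C2 addresses named in the TTPs, and flags any other egress that falls outside an assumed allowlist of destinations the tier is expected to reach.

```python
import ipaddress
import re

# C2 addresses observed in the campaign, as listed in the TTPs section.
KNOWN_C2 = {"162.55.17.215", "104.194.11.200"}

# Assumed egress allowlist for this example: the EBS app tier should only
# reach internal ranges and a small set of approved external services.
EGRESS_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/8"),       # internal DB / concurrent tier
    ipaddress.ip_network("203.0.113.0/24"),   # constructed: approved update mirror
]

# Constructed log format: "<ISO-time> src=<ip> dst=<ip> dport=<port> host=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event

def classify(event):
    """Label one outbound connection; None means it is expected traffic."""
    if event["dst"] in KNOWN_C2:
        return "known_c2"
    try:
        dst = ipaddress.ip_address(event["dst"])
    except ValueError:
        return "non_ip_destination"          # hostname in an IP field: inspect
    if any(dst in net for net in EGRESS_ALLOWLIST):
        return None
    # The implants used HTTPS, so TLS egress to an unknown host is the
    # highest-priority unexpected connection; other ports are still reported.
    return "unexpected_tls_egress" if event["dport"] == 443 else "unexpected_egress"

def hunt(lines):
    """Return (timestamp, host, dst, dport, label) for every flagged line."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue                          # skip malformed lines
        label = classify(event)
        if label:
            findings.append((event["ts"], event["host"], event["dst"], event["dport"], label))
    return findings

# Constructed sample log: one clean DB connection, two C2 hits, one unknown
# TLS destination, one allowed external destination and one malformed line.
SAMPLE_LOG = [
    "2025-08-12T03:14:07Z src=10.20.1.5 dst=10.20.2.9 dport=1521 host=ebs-app01",
    "2025-08-12T03:15:22Z src=10.20.1.5 dst=162.55.17.215 dport=443 host=ebs-app01",
    "2025-08-12T03:16:01Z src=10.20.1.5 dst=198.51.100.77 dport=443 host=ebs-app01",
    "2025-08-12T03:17:45Z src=10.20.1.5 dst=203.0.113.10 dport=443 host=ebs-app01",
    "garbage line that does not parse",
    "2025-08-12T03:18:30Z src=10.20.1.5 dst=104.194.11.200 dport=8443 host=ebs-app01",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```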
Oracle’s Response:
- Released emergency patches addressing the exploited servlets and XDO Template Manager flaws (CVE-2025-61882).
- Published technical advisories and recommended searches for malicious templates in the database.
- Urged all customers to restrict EBS internet exposure and review access logs dating back to July 2025.
Organizational Response:
- Immediate isolation of compromised systems.
- Database cleanup and credential rotation.
- Deployment of WAF rules to block further exploitation attempts.
- Forensic analysis and evidence preservation for potential legal follow-up.
Lessons Learned
- ERP Platforms Are High-Value Targets:
Enterprise systems like Oracle EBS manage sensitive business data, making them prime targets for financially motivated attackers.
- Zero-Days Are Exploited Quickly:
Attackers leveraged the flaw months before a patch existed, showing how critical proactive threat hunting and external threat intelligence can be.
- Internet Exposure Increases Risk:
Exposing administrative or application interfaces of EBS directly to the internet significantly increases the attack surface.
- In-Memory Payloads Bypass Traditional Defenses:
The attackers’ use of Java-based in-memory execution highlights the need for behavioral detection and memory scanning, not just signature-based antivirus.
- Rapid Response and Patch Management Are Key:
Organizations that applied Oracle’s emergency patch promptly avoided the extortion phase, underscoring the importance of timely patching and clear communication between IT and security teams.