WhySoGeek.

Clop's Oracle E-Business Suite Extortion Wave: CVE-2025-61882 and CVE-2026-46817

A pre-auth RCE in Oracle E-Business Suite let Clop steal data from dozens of major enterprises, then extort executives by email. A new EBS flaw extends the threat.

Sam Carter · 8 min read
[Cover image] Photo: Leonardo Rizzi / flickr (BY-SA 2.0)

The Clop extortion group has turned Oracle's enterprise software into a mass data-theft engine. Beginning in late 2025, executives at dozens of organizations started receiving extortion emails claiming Clop had breached their Oracle E-Business Suite (EBS) systems and stolen sensitive data. The root cause was CVE-2025-61882, a critical pre-authentication remote code execution flaw with a CVSS score of 9.8. In 2026 the pressure has continued, with a newer EBS flaw, CVE-2026-46817, also rated 9.8, now being exploited, and related Oracle PeopleSoft break-ins spilling payroll records and Social Security numbers.

Quick answer

If you run Oracle E-Business Suite, patch both CVE-2025-61882 and CVE-2026-46817 immediately (both are CVSS 9.8, unauthenticated, internet-reachable RCE flaws), get EBS off the public internet behind a VPN or WAF, and hunt your logs for data exfiltration through the BI Publisher and Concurrent Processing components. Treat any exposed, unpatched instance as potentially breached rather than clean. Clop steals data and extorts executives by email rather than encrypting files, so prepare an incident-response and legal plan for that contact.

Key takeaways

  • CVE-2025-61882 is a CVSS 9.8 pre-auth RCE in the BI Publisher Integration component of Oracle EBS Concurrent Processing, exploitable remotely by an unauthenticated attacker.
  • Clop used it to steal data en masse, then ran an email-based extortion campaign against executives rather than deploying traditional encrypting ransomware.
  • Confirmed victims span major enterprises and universities, among them Logitech, Schneider Electric, Emerson, Cox Enterprises, and Harvard University.
  • A newer flaw, CVE-2026-46817 (CVSS 9.8, unauthenticated HTTP takeover in Oracle EBS), is now being exploited, extending the threat into 2026.
  • Related Oracle PeopleSoft breaches have exposed sensitive personal data, including a Nissan disclosure of potentially spilled payroll records and SSNs.

How the campaign works

Clop's recent operations are about data theft and extortion, not file encryption. Rather than locking systems and demanding a key, the group exfiltrates large volumes of sensitive data through a software vulnerability, then emails executives threatening to publish it unless they pay. This is the same model Clop used in earlier mass campaigns against managed file-transfer products: find one widely deployed enterprise application with a critical flaw, exploit it at scale, and monetize the stolen data.

Oracle E-Business Suite is an ideal target: it sits at the core of finance, HR, and supply-chain operations for thousands of large organizations, and a pre-auth RCE means the attacker needs no credentials to get in.

The campaign follows the same four-stage shape Clop used against managed file-transfer products like MOVEit and GoAnywhere in prior years:

Stage         What Clop does
Find          Locate a widely deployed app with a critical, unauthenticated flaw
Exploit       Hit exposed instances at scale before defenders patch
Exfiltrate    Quietly pull large volumes of sensitive data out
Extort        Email executives threatening to publish unless paid

Recognizing the pattern matters, because the "extort" stage often arrives weeks after the silent "exfiltrate" stage. A quiet network is not proof you were missed.

[Image: an enterprise office environment, representing organizations breached through Oracle EBS] Photo: AfricaRice / flickr (BY-NC-SA 2.0)

The vulnerabilities

  • CVE-2025-61882, CVSS 9.8. Lives in the BI Publisher Integration component of Oracle's Concurrent Processing product within EBS. Exploitable remotely by an unauthenticated attacker, leading to remote code execution. This is the flaw behind the bulk of the late-2025 extortion wave.
  • CVE-2026-46817, CVSS 9.8. An unauthenticated HTTP takeover flaw in Oracle E-Business Suite, now reported as exploited in attacks, extending the threat surface into 2026.

Side by side, the two flaws share the dangerous traits that make mass exploitation easy:

Attribute               CVE-2025-61882                         CVE-2026-46817
Severity                CVSS 9.8                               CVSS 9.8
Component               BI Publisher / Concurrent Processing   Oracle EBS HTTP layer
Authentication needed   None                                   None
Network reachable       Yes, on exposed EBS                    Yes, on exposed EBS
Status                  Behind the 2025 extortion wave         Now exploited in 2026

Patching one does not cover the other; they are separate flaws and both need the fix.

Warning

Both flaws are unauthenticated and internet-reachable on exposed EBS deployments. That combination of critical severity, no authentication required, and network exposure is precisely what drives mass exploitation. Treat any internet-exposed EBS instance as a priority.

What organizations should do

    1. Apply Oracle's patches immediately. Update EBS to the fixed releases addressing CVE-2025-61882 and CVE-2026-46817. Oracle has issued patches; confirm your version is covered.
    2. Reduce internet exposure. EBS application and admin interfaces generally should not be directly reachable from the public internet. Place them behind segmentation, VPN, or a WAF.
    3. Hunt for data exfiltration. Review web and application logs for the BI Publisher and Concurrent Processing components, large outbound transfers, and unfamiliar requests predating your patch.
    4. Assume breach if you were exposed and unpatched. Because these are pre-auth RCE flaws exploited at scale, an exposed unpatched instance should be investigated as potentially compromised, not presumed clean.
    5. Prepare for extortion contact. Clop's pressure is email to executives. Have an incident-response and legal plan ready, and do not engage attackers without counsel.

The personal-data fallout

The downstream impact lands on individuals. Related Oracle PeopleSoft break-ins have exposed sensitive personal data: Nissan disclosed that a PeopleSoft incident may have spilled payroll records and Social Security numbers, and a US insurance regulator confirmed that attackers posted breach data. If you are an employee or customer of an affected organization, you may face identity-theft risk. Our guide on how to check if your data was breached and respond walks through credit freezes, monitoring, and account hardening, and the 24-billion-credential leak coverage explains why credential reuse makes these breaches compound.

Frequently asked questions

Is this ransomware? My files aren't encrypted.

Clop's recent EBS campaign is extortion through data theft, not encryption. The threat is publication of stolen data, delivered as emails to executives. It is no less serious; the leverage is reputational and regulatory rather than operational downtime.

We patched CVE-2025-61882. Are we done?

That closes the main flaw behind the 2025 wave, but CVE-2026-46817 is a separate CVSS 9.8 EBS flaw now being exploited. Patch both, and verify no exfiltration occurred while you were exposed.

How would we know if data was already stolen?

Look for large or unusual outbound transfers and anomalous requests to the BI Publisher and Concurrent Processing components in your logs, especially before patching. Given pre-auth exploitation at scale, an exposed unpatched instance warrants a full investigation.
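As an added example (not code from the article, from Oracle, or from any vendor), here is a small hunt over constructed access-log lines that implements the checks step 3 above and this answer describe: pre-patch requests to the BI Publisher and Concurrent Processing components that returned unusually large responses, plus per-source totals that surface a slow, chunked pull. The path fragments, size thresholds and patch date are assumptions to tune to your own deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
# Apache/OHS "combined" access-log format; the hunt needs IP, timestamp, path, status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
# ASSUMPTION: path fragments standing in for the Concurrent Processing output viewer
# and BI Publisher endpoints; adjust to what your deployment actually serves.
COMPONENT_PATTERNS = ("/OA_CGI/FNDWRR.exe", "/xmlpserver/")

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"])}

def hunt_exfil(log_text, patched_at, patterns=COMPONENT_PATTERNS,
               big_response=50 * 1024 * 1024, big_per_source=100 * 1024 * 1024):
    """Flag pre-patch component requests with unusually large responses, and source
    IPs whose pre-patch component responses add up to a large total (a slow,
    chunked pull hides from a per-request threshold but not from the sum)."""
    findings, per_source = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ts"] >= patched_at:  # only the exposure window matters
            continue
        if not any(p.lower() in rec["path"].lower() for p in patterns):
            continue
        per_source[rec["ip"]] += rec["bytes"]
        if rec["bytes"] >= big_response:
            findings.append({"kind": "large_component_response", **rec})
    for ip, total in per_source.items():
        if total >= big_per_source:
            findings.append({"kind": "large_per_source_total", "ip": ip, "bytes": total})
    return findings

# Constructed sample traffic (documentation IP ranges, not a real capture); the last
# line falls after the placeholder patch date and so is ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Sep/2025:02:15:31 +0000] "GET /OA_CGI/FNDWRR.exe?temp_id=123 HTTP/1.1" 200 78643200 "-" "python-requests/2.31"
198.51.100.4 - - [30/Sep/2025:09:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Oct/2025:03:02:44 +0000] "GET /xmlpserver/report HTTP/1.1" 200 52428800 "-" "curl/8.4.0"
198.51.100.4 - - [02/Oct/2025:14:40:10 +0000] "GET /OA_CGI/FNDWRR.exe?temp_id=7 HTTP/1.1" 200 20971520 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2025:11:20:00 +0000] "GET /OA_CGI/FNDWRR.exe?temp_id=9 HTTP/1.1" 200 104857600 "-" "Mozilla/5.0"
"""
PATCHED_AT = datetime(2025, 10, 5, tzinfo=timezone.utc)  # placeholder: your actual patch time
FINDINGS = hunt_exfil(SAMPLE_LOG, PATCHED_AT)
```

On the sample, one source trips both the per-request and the per-source checks while the post-patch line is ignored; a real hunt should feed the full exposure window and cross-check flagged sources against egress and database audit logs.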

I'm an individual whose employer used Oracle EBS. What should I do?

If your organization was affected, treat your personal data as potentially exposed: consider a credit freeze, watch for identity-theft signs, and harden the accounts most likely to be targeted. Our breach-response guide covers the steps in order.

The bottom line

Clop weaponized a pair of unauthenticated, internet-reachable Oracle E-Business Suite flaws to steal data from major enterprises and extort their executives, and CVE-2026-46817 keeps the threat live in 2026. Patch both CVEs now, get EBS off the public internet, hunt your logs for exfiltration, and prepare for the personal-data fallout that follows enterprise breaches of this scale.
