April 18, 2026 Cyber Trends
The Oracle E-Business Suite (EBS) zero-day, tracked as CVE-2025-61882, is hitting more organizations than first disclosed.
The same Clop ransomware/extortion operation that went after publicly known victims is likely probing, or has already hit, a wider set of enterprises. Names such as Schneider Electric, Cox Enterprises, and Pan American Silver are appearing on leak and researcher lists, not just the early, confirmed case of Harvard University.
The vulnerability lets an unauthenticated attacker reach and compromise the EBS Concurrent Processing component over the internet, which then enables follow-on actions such as data theft and extortion. Because EBS is a business-critical, integrated system, any successful intrusion can expose sensitive operational and financial data and disrupt core processes.
What's driving concern is not just the severity of the bug but the emerging pattern: attackers began exploiting it before broad awareness and before all customers had solid mitigation guidance, which means the real victim universe is probably undercounted.
Organizations are at highest risk if they run Oracle EBS with the service internet-exposed, rely on older or conflicting vendor deployment guidance, or have delayed applying the October 2025 Oracle security alerts.
Immediate actions: verify EBS is not unnecessarily exposed, apply Oracle's security alerts for CVE-2025-61882 and related issues, and hunt for post-exploitation activity tied to Clop's campaign.