Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
Essential information
- Published
- 09/10/2025 21:16
- Modified
- 10/10/2025 09:04
- Tags
- 2025-10-09 CVE-2025-61882 goldvein goldvein.java oracle e-business suite sagegift sagewave
- Related entities
- 1 intrusion sets (apt), 13 techniques (mitre), 4 malware
Description
A large-scale extortion campaign targeting Oracle E-Business Suite (EBS) customers began on September 29, 2025. The threat actor, claiming affiliation with the CL0P extortion brand, exploited a zero-day vulnerability (CVE-2025-61882) in EBS as early as August 9, 2025. The campaign involved sending emails to executives, alleging data theft from EBS environments. The attackers used a multi-stage Java implant framework to compromise Oracle EBS, exploiting vulnerabilities in the UiServlet and SyncServlet components. The attack chain included GOLDVEIN.JAVA downloader and SAGE* infection chain. While not formally attributed, the activity shows overlaps with confirmed and suspected FIN11 operations. The campaign highlights the ongoing trend of exploiting zero-day vulnerabilities in enterprise applications for data theft and extortion.