216.73.217.64

Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign

· Published 09/10/2025 21:16 · Modified 10/10/2025 09:04

Export JSON

Essential information

Published
09/10/2025 21:16
Modified
10/10/2025 09:04
Tags
2025-10-09 CVE-2025-61882 goldvein goldvein.java oracle e-business suite sagegift sagewave
Related entities
1 intrusion sets (apt), 13 techniques (mitre), 4 malware

Description

A large-scale extortion campaign targeting (EBS) customers began on September 29, 2025. The threat actor, claiming affiliation with the CL0P extortion brand, exploited a zero-day vulnerability () in EBS as early as August 9, 2025. The campaign involved sending emails to executives, alleging data theft from EBS environments. The attackers used a multi-stage Java implant framework to compromise Oracle EBS, exploiting vulnerabilities in the UiServlet and SyncServlet components. The attack chain included downloader and SAGE* infection chain. While not formally attributed, the activity shows overlaps with confirmed and suspected FIN11 operations. The campaign highlights the ongoing trend of exploiting zero-day vulnerabilities in enterprise applications for data theft and extortion.

External references