The Cl0p ransomware group, which over the last week has been sending extortion emails to executives at companies from which it has stolen data, exploited multiple vulnerabilities in Oracle’s E-Business Suite (EBS) to gain access to corporate accounts, according to Charles Carmakal, CTO of Google’s Mandiant business.
That not only included vulnerabilities that were patched in Oracle’s July 2025 update, but also a new critical zero-day security flaw – tracked as CVE-2025-61882 – that was fixed over the weekend, Carmakal wrote in a LinkedIn post.
“Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” the CTO wrote.
Carmakal’s note comes less than a week after Mandiant and Google Threat Intelligence Group (GTIG) first warned about a threat group believed to be Cl0p starting to send the emails to corporate executives early last week. That said, the threat group likely hasn’t tried to reach all of its victims yet.
CVE-2025-61882, which has a CVSS criticality score of 9.8 out of 10, can be exploited remotely without authentication, according to Oracle. The security flaw affects Oracle EBS versions 12.2.3 through 12.2.14.
“[I]t may be exploited over a network without the need for a username and password,” the cloud and enterprise software giant wrote. “If successfully exploited, this vulnerability may result in remote code execution [RCE].”
Rob Duhart, chief security officer for Oracle Security, wrote in a brief blog post over the weekend about the patch for the zero-day vulnerability, adding that company officials “strongly recommend Oracle E-Business Suite (EBS) customers apply the guidance provided by this Security Alert as soon as possible.”
The RCE vulnerability involves the BI Publisher Integration component of Oracle’s Concurrent Processing module, which handles automated and background processes.
“The flaw, already exploited in the wild, has been used in data theft and extortion attacks attributed to the Cl0p ransomware gang,” threat intelligence firm SOCRadar wrote. “As Oracle rushed out an emergency fix, the situation revealed a wider ecosystem of threat actors and exploit leaks that organizations must urgently address.”
Mandiant and GTIG last week did not attach attribution to Cl0p, noting that two contact addresses included in some of the emails were also publicly listed on Cl0p’s data leak site, though they added that at least one account was linked to another financially driven threat group, FIN11.
Carmakal this week is pointing the finger at Cl0p for both the Oracle exploits and the extortion emails. Cl0p is a longtime threat group that in 2023 exploited a flaw in Progress Software’s MOVEit file transfer tool that gave it unauthorized escalated privileges and access to customers’ environments. Almost 2,800 companies were affected by the MOVEit breach and extortion campaign, according to cybersecurity firm Emsisoft. Carmakal noted that the group has also exploited flaws in other managed file transfer solutions.
“They’ve made a lot of money over the years,” he wrote.
SOCRadar wrote that the emails sent to corporate executives are sent from compromised email accounts. In an email posted by SOCRadar, the threat group tells organizations that their data has been stolen and that they can either pay the demanded ransom to regain control of the data or risk it being sold to others via underground markets or published on the group’s blog.
To prove their bona fides, the bad actors write that they will let the executives see three files or a data row, adding that the corporations only have a few days to decide.
SOCRadar wrote that the risk from the CVE-2025-61882 vulnerability is “high and immediate,” noting that it can be exploited without authentication, which allows attackers to compromise exposed systems remotely and with little effort.
The firm also said a public proof-of-concept exploit had been released, which “further increased the risk of widespread exploitation beyond Cl0p’s campaign. Security researchers warn that other threat actors could adopt the leaked exploit in opportunistic attacks.”
Included in the five indicators of compromise listed by Oracle are two Python scripts and a file that refer to Scattered Lapsus$ Hunters, which appears to be a combination of the Scattered Spider, Lapsus$, and ShinyHunters groups and which is claiming to have stolen more than 1 billion data files from dozens of companies that are Salesforce customers.