Clop Is Mass-Exploiting Oracle E-Business Suite. We Hunted the Exposed Surface and Found the Next Victims Before the Leak Site Will.
- Patrick Duggan
The Clop ransomware group is in the middle of an extortion wave built on a single vulnerability: CVE-2025-61882, an unauthenticated remote code execution flaw in Oracle E-Business Suite rated 9.8. The campaign is not subtle and it is not slowing down. Estimates put it well past a hundred organizations. Allianz UK confirmed an incident through this exact vector, was listed on Clop's leak site, and disclosed roughly seven hundred and fifty affected customer records — and Allianz is one name on a list that keeps growing. The pattern is mass-exploitation followed by serial, public extortion: hit everything exposed, then walk down the victim list one leak-site post at a time.
Here is the thing about a campaign like that. It is reproducible by the defenders, too. The attacker's targeting is not magic — it is a search for internet-exposed Oracle E-Business Suite, and anyone can run that same search. So we did, and we want to walk through it, because the gap between "Clop can find your exposed EBS" and "you know your EBS is exposed" is the entire ballgame, and it is a gap you can close this afternoon.
The fingerprint is simple. Oracle E-Business Suite serves its login from a distinctive web path — the AppsLogin servlet under the OA_HTML directory. Search the internet-wide scan data for that path and you get a clean list of every EBS instance whose login page is reachable from the public internet. When we ran it, the surface was three hundred and seventy-one instances worldwide. Most sit behind hosting providers and Oracle's own cloud, which tells you something on its own: a large share of exposed EBS is run by managed-service providers on behalf of enterprise customers, which means a single provider compromise is a supply-chain event, not a single-victim one. The hard perimeter holds; the soft, shared, trusted middle is where the bleeding happens.
Then we filtered for the sector Clop favors — financial services — by reading the hostnames and TLS certificates on those exposed instances. The matches were exactly what the Allianz precedent predicts. A UK financial-services firm with its EBS login facing the open internet, hosted on Oracle Cloud, the same profile as Allianz down to the country and the hosting. A US firm with an internet-facing EBS general-ledger system and a notably wide external footprint. These are not hypothetical risks. They are live login pages, today, on the exact software the exact actor is exploiting this week.
We are not naming them here, and the reason is the whole point of how we think this work should be done. The right move when you find a company standing in the path of an active campaign is not to publish their name for clicks. It is to warn them, privately, first. We have drafted and staged left-of-boom notices to the organizations we identified — a quiet heads-up that their EBS login is exposed, that CVE-2025-61882 is being mass-exploited right now, and that the contained, boring fixes are available. No pitch, no public shaming, no obligation. If a warned organization ignores it and is later breached, the public record can come then. The private warning is step one and it is load-bearing. Skipping it to get the headline first is the thing we refuse to do.
If you run Oracle E-Business Suite, you do not need us to tell you whether you are on that list of three hundred and seventy-one. You can check yourself, and you should, today. Confirm your EBS instances carry Oracle's patch for CVE-2025-61882 — Oracle has shipped it, and an unpatched, internet-reachable instance is the entire risk surface this campaign feeds on. Take the AppsLogin interface off the public internet; restrict it to a VPN or a management network so the login page Clop is hunting for is not one your customers, or the attackers, can simply browse to. And hunt the last several months of EBS access and integration logs for anomalous activity, because the actors who have been running this campaign for weeks were inside some of these environments before the leak-site post made it public.
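One way to combine the last two steps above, the VPN/management-network restriction and the access-log hunt, in a defender's check (an added example, not code from the original post): parse the web-tier access logs in front of EBS and flag every request under OA_HTML that came from an address outside the ranges that should still be able to reach AppsLogin. The Apache/OHS combined log format, the allowed ranges and the sample log lines are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: Apache/OHS "combined" access-log format in front of the EBS web tier.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption: once AppsLogin is taken off the internet, only these ranges may reach it.
ALLOWED_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),    # corporate VPN pool (constructed)
    ipaddress.ip_network("192.168.50.0/24"), # management network (constructed)
]

EBS_PATH_PREFIX = "/OA_HTML/"  # the AppsLogin servlet is served under this directory

def is_allowed(ip):
    """True if the source address falls inside an approved VPN/management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def audit(lines):
    """Return (hits, per_source): parsed requests under /OA_HTML/ from addresses
    outside ALLOWED_NETS, and a count of those requests per source address."""
    hits, per_source = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(EBS_PATH_PREFIX):
            continue  # unparsable line or a request outside the EBS web tree
        rec = m.groupdict()
        if is_allowed(rec["ip"]):
            continue  # expected traffic from the VPN or management network
        hits.append(rec)
        per_source[rec["ip"]] += 1
    return hits, per_source

# Constructed sample log lines; addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
10.20.4.17 - - [06/Oct/2025:08:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123
203.0.113.45 - - [06/Oct/2025:08:02:30 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123
203.0.113.45 - - [06/Oct/2025:08:02:31 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 302 0
198.51.100.9 - - [06/Oct/2025:08:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 196
192.168.50.3 - - [06/Oct/2025:09:00:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123
""".splitlines()

if __name__ == "__main__":
    for ip, n in audit(SAMPLE_LOG)[1].most_common():
        print(f"{ip}: {n} request(s) under {EBS_PATH_PREFIX} from outside approved ranges")
```

Any source that shows up in the output is either evidence that the login page is still internet-reachable or a lead for the incident review; run it over the full retention window, not just the last few days.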
The structural lesson is the one we have been writing for a year and a half, and Clop's Oracle campaign is its cleanest illustration. The breach almost never starts at the wall. It starts at the trusted middle — the ERP, the management plane, the managed-service provider, the integration that everyone assumes is fine because everyone uses it. CVE-2025-61882 is a 9.8 in the financial backbone of the enterprise, reachable from the internet, against an actor whose entire business model is to find it before you patch it. The cheap, unglamorous controls — patch, segment, take the login off the internet — are the ones that decide whether your name shows up on a leak site next week.
We found the next victims with a search anyone could run. The only question that matters is whether you run it on yourself before Clop runs it on you. We are betting most exposed organizations will not, which is exactly why we sent the warnings — and exactly why the ones who read this and check their own surface tonight are the ones who get to make today's headline somebody else's problem.