The Clop ransomware gang exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), specifically within the BI Publisher Integration component, to conduct data theft attacks since at least August 2025. The flaw allowed unauthenticated remote code execution (RCE) via a single HTTP request, enabling attackers to steal sensitive corporate documents from unpatched systems. Oracle patched the vulnerability in early October 2025, but not before Clop launched an extortion campaign, emailing executives at multiple victim organizations to demand ransoms in exchange for not leaking the stolen data.The attack leveraged a vulnerability chain exposed by leaked proof-of-concept (PoC) exploits from the Scattered Lapsus$ Hunters group, increasing the risk of further exploitation by other threat actors. Clop’s campaign mirrors past high-profile breaches, including MOVEit Transfer (2,770+ organizations affected), Accellion FTA, and GoAnywhere MFT, reinforcing its reputation for large-scale data theft via zero-days. Oracle urged immediate patching, warning that internet-exposed EBS applications remain prime targets. The U.S. State Department has even offered a $10 million reward for intelligence linking Clop to foreign state sponsorship, underscoring the attack’s severity.