Oracle EBS Hack 2025: Over 100 Companies Impacted by Critical Vulnerability

Google Confirms Oracle Data Breach Linked to CL0P’s Enterprise-Targeted Campaign

The420 Correspondent

New Delhi, October 12, 2025 – Special Report: After weeks of turmoil in the cybersecurity world following the Salesforce data breach, a new and more severe threat has emerged. Google has confirmed that Oracle’s E-Business Suite (EBS), a core enterprise resource planning (ERP) platform used globally, has been compromised by the Russian-speaking cybercrime group CL0P.

According to Google’s Threat Intelligence Group (GTIG), the breach involves an actual software vulnerability rather than user-side misconfigurations, marking a dangerous escalation in the wave of attacks targeting major enterprise systems in 2025.

The Breach and Timeline

Google’s GTIG began tracking unusual activity on September 29, 2025, linked to CL0P’s infrastructure. Within days, hundreds of executives across multiple organizations received extortion emails confirming that sensitive corporate data had been exfiltrated.


Oracle acknowledged the breach on October 2, revealing that the attackers had likely exploited vulnerabilities patched in July 2025. Two days later, on October 4, Oracle urged its global customers to immediately apply the security update referenced as Oracle Security Alert CVE-2025-61882, which addresses the exploited flaw.

Unlike Salesforce's case, where misconfigurations in customer environments were blamed, Oracle's incident stems from a vulnerability in its own software, making this a more critical and systemic breach.

CL0P’s Attack Method: Stealth, Precision, and Extortion

Investigators say the CL0P group used Java-based implants, such as GOLDVEIN, SAGEGIFT, and SAGEWAVE, to infiltrate systems. These implants operate within Oracle’s database environment using in-memory execution, dynamic filters, and template-based payload delivery, making them difficult to detect.

The attackers reportedly leveraged the "applmgr" account, a privileged system account within Oracle EBS, to perform outbound communications to command-and-control servers, exfiltrating critical business data in small bursts designed to evade detection.

Google noted that CL0P has not yet listed victims on its public leak site, consistent with its typical approach of delaying data publication during ransom negotiations. This pattern allows the group to pressure organizations privately before making stolen data public.

Why This Breach Matters

Oracle EBS serves as the operational backbone for thousands of organizations worldwide, handling everything from financial transactions and supply chain logistics to HR and procurement. By targeting such a centralized platform, attackers gain potential access to a wealth of sensitive, high-value enterprise data.

The use of zero-day exploits, in-memory payloads, and minimal lateral movement highlights CL0P’s increasing sophistication. Their strategy — exploit, steal, extort — mirrors previous high-profile attacks attributed to both CL0P and its affiliate, FIN11, but this time with a sharper focus on enterprise-grade applications.

Cyber experts warn that such attacks could trigger cascading effects across industries, potentially disrupting supply chains, financial systems, and government operations that depend on Oracle’s ERP backbone.

A Troubled Year for Enterprise Cybersecurity

2025 has proven catastrophic for enterprise security. In the same year that hackers allegedly stole over one billion Salesforce records, the Oracle EBS compromise underscores the vulnerability of even the most fortified software ecosystems.

As Oracle and Google continue forensic analysis, analysts believe that over 100 organizations may have been affected globally, though the exact scale remains under investigation.

Security specialists emphasize that while patches have been released, prompt implementation of updates, segmentation of privileged accounts, and continuous threat monitoring are essential to preventing further fallout.
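As an added illustration of the continuous monitoring specialists recommend, and of the applmgr outbound traffic described above, the script below (not part of this report, and not Oracle or Google tooling) scans constructed egress log lines for privileged EBS accounts sending repeated small transfers to destinations outside an assumed internal range. The log format, the internal range, the account names and the thresholds are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log (not real Oracle EBS telemetry).
# Fields: timestamp,host,user,dest_ip,dest_port,bytes_out
SAMPLE_LOG = """\
2025-09-29T01:00:05Z,ebs-app01,applmgr,10.20.0.15,1521,2048
2025-09-29T01:05:11Z,ebs-app01,applmgr,203.0.113.45,443,4096
2025-09-29T01:12:40Z,ebs-app01,applmgr,203.0.113.45,443,3900
2025-09-29T01:20:02Z,ebs-app01,applmgr,203.0.113.45,443,4200
2025-09-29T01:25:30Z,ebs-app01,oracle,10.20.0.15,1521,900000
2025-09-29T01:30:00Z,ebs-app01,applmgr,198.51.100.7,443,1500000
"""

EXPECTED_EGRESS = {ipaddress.ip_network("10.0.0.0/8")}  # assumed internal range
PRIVILEGED_USERS = {"applmgr", "oracle"}                 # assumed service accounts


def parse_log(text):
    """Parse the constructed CSV-style egress log into dicts."""
    rows = []
    for line in text.splitlines():
        ts, host, user, dest, port, nbytes = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     "host": host, "user": user,
                     "dest": ipaddress.ip_address(dest),
                     "port": int(port), "bytes": int(nbytes)})
    return rows


def is_expected(dest):
    return any(dest in net for net in EXPECTED_EGRESS)


def unexpected_destinations(rows):
    """Every (user, dest) pair where a privileged account left the internal range."""
    return {(r["user"], str(r["dest"])) for r in rows
            if r["user"] in PRIVILEGED_USERS and not is_expected(r["dest"])}


def find_low_and_slow(rows, min_events=3, max_bytes=8192):
    """Flag privileged accounts that repeatedly sent small transfers to one
    external destination: the 'small bursts' pattern rather than one big upload."""
    buckets = defaultdict(list)
    for r in rows:
        if r["user"] in PRIVILEGED_USERS and not is_expected(r["dest"]):
            buckets[(r["user"], str(r["dest"]))].append(r["bytes"])
    alerts = []
    for (user, dest), sizes in buckets.items():
        small = [s for s in sizes if s <= max_bytes]
        if len(small) >= min_events:
            alerts.append((user, dest, len(small), sum(small)))
    return alerts
```

The large single upload to 198.51.100.7 is reported by unexpected_destinations but not by the burst rule, which is why both checks belong in the same review.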

Conclusion

The Oracle EBS breach marks a turning point in cyber warfare against enterprise software. It reflects a shift from opportunistic ransomware to targeted, high-stakes attacks on the infrastructure that powers global business operations.

As one cybersecurity analyst aptly put it, “The battlefield has moved inside the databases, and the attackers know it.”
