
17th November – Threat Intelligence Report

Medium
Vulnerability
Published: Mon Nov 17 2025 (11/17/2025, 11:04:52 UTC)
Source: Check Point Research

Description

For the latest discoveries in cyber research for the week of 17th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES: Cl0p's Oracle E-Business Suite (CVE-2025-61882) zero-day campaign continues to expand. There are new confirmed breaches at The Washington Post, Logitech, Allianz UK, and GlobalLogic, as well as a newly listed but unconfirmed […]

AI-Powered Analysis

Last updated: 11/17/2025, 11:06:42 UTC

Technical Analysis

This report covers an ongoing and expanding zero-day exploitation campaign by the Cl0p ransomware and extortion group against Oracle E-Business Suite (CVE-2025-61882). The vulnerability allows remote code execution on Oracle EBS, a widely deployed enterprise resource planning platform, without valid credentials. Exploitation has led to confirmed breaches at Allianz UK, Logitech, The Washington Post, and GlobalLogic, plus a suspected but unconfirmed breach of the British NHS. The attackers exfiltrate data volumes ranging from gigabytes to terabytes and then extort the affected Oracle EBS customers. Oracle has issued emergency patches, but investigations show that exploitation began months before public disclosure, so a system that was patched promptly may still have been compromised before the fix existed.

The report also covers other critical vulnerabilities, most of them exploited in the wild: a Windows kernel privilege escalation zero-day (CVE-2025-62215) and a critical GDI+ remote code execution flaw (CVE-2025-60724) fixed in Microsoft's November updates, Cisco Identity Services Engine (CVE-2025-20337), Citrix NetScaler (CVE-2025-5777), and the Triofox enterprise file sharing platform (CVE-2025-12480). Depending on the product, these flaws permit unauthenticated remote code execution, authentication bypass, local privilege escalation, and the deployment of persistent webshells. The internet-facing products (EBS, ISE, NetScaler, Triofox) are reachable by an unauthenticated attacker and are therefore the most urgent to patch; the Windows kernel flaw requires an existing foothold and is used to escalate from it.

Additional threats include a social engineering breach at DoorDash, a data leak from legacy cloud storage at Checkout.com, DDoS attacks by pro-Russian groups against Danish government sites, and a DDoS attack on a Russian port operator's infrastructure.

The report describes a fragmented ransomware landscape with numerous active groups and rising attack volumes, alongside emerging risks from AI-related data leakage and sophisticated phishing campaigns. Check Point IPS signatures are available for several of the vulnerabilities above. The report emphasizes urgent patching, threat monitoring, and incident response readiness.

Potential Impact

European organizations face significant risks from this threat landscape. The Oracle E-Business Suite zero-day exploitation threatens confidentiality and integrity of critical business data, potentially leading to large-scale data breaches, operational disruption, and ransomware extortion. Breaches at Allianz UK and suspected NHS involvement highlight risks to financial services and healthcare sectors, which are vital to European economies and public welfare. The active exploitation of critical vulnerabilities in Microsoft, Cisco, Citrix, and Triofox products further exposes enterprises to remote code execution and privilege escalation attacks, enabling attackers to gain persistent access and control over networks. DDoS attacks against Danish government and defense-related sites demonstrate ongoing geopolitical cyber conflict risks, potentially disrupting public services and critical infrastructure. The combination of zero-day exploits, social engineering, and ransomware campaigns increases the attack surface and complicates defense efforts. Failure to mitigate these threats could result in financial losses, regulatory penalties under GDPR, reputational damage, and erosion of trust among customers and partners.

Mitigation Recommendations

1. Deploy Oracle's emergency patch for CVE-2025-61882 immediately, together with the vendor updates for the Microsoft, Cisco ISE, Citrix NetScaler, and Triofox vulnerabilities named above, prioritizing the internet-facing products that are exploitable without credentials. Because exploitation of the Oracle flaw began months before disclosure, treat patching as necessary but not sufficient: review EBS hosts for signs of prior compromise (unexpected files in the web tier, unfamiliar outbound connections, anomalous data egress) before concluding a system is clean.

2. Implement network segmentation to isolate Oracle EBS servers and other critical infrastructure, limiting lateral movement in case of compromise, and restrict outbound connectivity from EBS hosts to what the application actually needs, so that callbacks and bulk exfiltration are both harder and more visible.

3. Enhance monitoring and logging for Oracle EBS web-tier access logs (requests to application servlets from unexpected sources, a POST followed by requests to a newly appearing JSP path), Windows kernel and privilege-escalation telemetry, and network traffic. Exfiltration measured in gigabytes to terabytes should stand out as a per-host egress anomaly if egress volume is baselined; retain logs long enough to hunt back over the months during which the Oracle flaw was exploited before disclosure.

4. Deploy intrusion prevention systems with signatures for these specific vulnerabilities, such as those provided by Check Point, to block known exploit attempts at the perimeter while patching is in progress.

5. Audit legacy cloud storage and securely decommission unused systems to prevent data leakage of the kind reported at Checkout.com.

6. Train employees to recognize and resist social engineering and phishing, especially in sectors targeted by recent campaigns such as the DoorDash breach.

7. Establish incident response plans tailored to ransomware, data theft, and extortion scenarios, including verified backups and rehearsed recovery procedures.

8. Work with threat intelligence providers to stay current on emerging threats and attacker tactics.

9. Organizations in critical infrastructure sectors should coordinate with national cybersecurity agencies to share information and receive support.

10. Review and tighten access controls, especially for remote access and VPN solutions, to prevent unauthorized persistence as seen in recent attacks. After patching Citrix NetScaler for CVE-2025-5777, also terminate existing user sessions, since the flaw can leak session tokens that otherwise remain valid after the upgrade.
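The log review called for in recommendations 1 and 3 can be scripted. The following is an added example and not code from Check Point or Oracle; it runs three simple hunts over web-tier access logs in Combined Log Format: a POST to an EBS servlet outside a site-specific baseline from a non-internal address, a JSP path outside that baseline that is then served with a 200 to the same address (a webshell candidate), and per-address response volume above an egress threshold. The /OA_HTML/ prefix is the usual EBS web root, but the baseline allowlist, the internal address ranges, and every servlet and JSP name in the sample log are hypothetical and constructed for this example; they are not a statement about the actual CVE-2025-61882 request chain. Records are sorted by timestamp before evaluation so that the "POST, then new JSP" ordering holds even when log files are concatenated out of order.

```python
"""Retrospective hunt over Oracle EBS web-tier access logs (added example).

Assumptions (hypothetical, site-specific): logs are in Combined Log Format,
the corporate ranges are 10.0.0.0/8 and 192.168.0.0/16, and BASELINE_PATHS
lists the routes legitimately used at this site. Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical baseline: routes users of this deployment legitimately hit.
BASELINE_PATHS = {
    "/OA_HTML/AppsLogin",
    "/OA_HTML/AppsLocalLogin.jsp",
    "/OA_HTML/OA.jsp",
    "/OA_HTML/RF.jsp",
}
INTERNAL_NETS = ("10.", "192.168.")  # hypothetical corporate ranges

# Constructed sample: three internal users plus one external address that POSTs
# to a non-baseline servlet, then pulls a new JSP, then downloads ~734 MB.
LOG_SAMPLE = """\
10.20.30.40 - - [12/Aug/2025:09:14:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4523
10.20.30.41 - - [12/Aug/2025:09:15:10 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG HTTP/1.1" 200 18233
203.0.113.77 - - [12/Aug/2025:02:03:55 +0000] "POST /OA_HTML/ExampleServlet HTTP/1.1" 200 512
203.0.113.77 - - [12/Aug/2025:02:04:01 +0000] "GET /OA_HTML/help/state.jsp?cmd=id HTTP/1.1" 200 311
203.0.113.77 - - [12/Aug/2025:02:10:30 +0000] "GET /OA_HTML/help/state.jsp?cmd=tar HTTP/1.1" 200 734003200
10.20.30.42 - - [12/Aug/2025:10:01:00 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 9021
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    r["status"] = int(r["status"])
    r["size"] = 0 if r["size"] == "-" else int(r["size"])
    r["route"] = r["path"].split("?", 1)[0]  # drop the query string for matching
    return r


def is_internal(ip):
    return ip.startswith(INTERNAL_NETS)


def hunt(lines, egress_threshold=100_000_000):
    """Return a list of findings; each is a dict with at least 'rule' and 'ip'."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    findings = []
    suspicious_ips = set()      # addresses that POSTed outside the baseline
    seen_jsp = set()            # (ip, route) pairs already reported
    egress = defaultdict(int)   # total response bytes per client address

    for r in records:
        egress[r["ip"]] += r["size"]
        if not r["route"].startswith("/OA_HTML/"):
            continue
        if r["method"] == "POST" and r["route"] not in BASELINE_PATHS and not is_internal(r["ip"]):
            suspicious_ips.add(r["ip"])
            findings.append({"rule": "post_outside_baseline", "ip": r["ip"],
                             "route": r["route"], "ts": r["ts"]})
        elif (r["route"].endswith(".jsp") and r["route"] not in BASELINE_PATHS
              and r["status"] == 200 and r["ip"] in suspicious_ips
              and (r["ip"], r["route"]) not in seen_jsp):
            seen_jsp.add((r["ip"], r["route"]))
            # 'ts' is the first time this JSP was served: a dwell-time anchor.
            findings.append({"rule": "unexpected_jsp_served", "ip": r["ip"],
                             "route": r["route"], "ts": r["ts"]})

    for ip, total in egress.items():
        if total > egress_threshold:
            findings.append({"rule": "egress_volume", "ip": ip, "bytes": total})
    return findings


if __name__ == "__main__":
    for f in hunt(LOG_SAMPLE.splitlines()):
        print(f)
```

The first-seen timestamp on the JSP finding is the value to carry into scoping: if it predates the patch date, the host was compromised before the fix and patching alone did not evict the attacker. The egress threshold is deliberately crude; in practice baseline it per host from a known-clean window rather than hard-coding it.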


Technical Details

Article Source
URL: https://research.checkpoint.com/2025/17th-november-threat-intelligence-report/ (fetched 2025-11-17T11:06:25Z, 976 words)

Threat ID: 691b01b1502dbbeec6d34efd

Added to database: 11/17/2025, 11:06:25 AM

Last enriched: 11/17/2025, 11:06:42 AM

Last updated: 11/22/2025, 4:33:51 AM


