
Sophisticated Malware Deployed in Oracle EBS Zero-Day Attacks

Medium
Malware
Published: Fri Oct 10 2025 (10/10/2025, 07:43:02 UTC)
Source: SecurityWeek

Description

Google researchers believe exploitation may have started as early as July 10 and the campaign hit dozens of organizations. The post Sophisticated Malware Deployed in Oracle EBS Zero-Day Attacks appeared first on SecurityWeek.

AI-Powered Analysis

Last updated: 10/10/2025, 07:44:47 UTC

Technical Analysis

The Oracle E-Business Suite (EBS) zero-day campaign exploits CVE-2025-61882, an unauthenticated remote code execution vulnerability, alongside other known but recently patched vulnerabilities. Initial suspicious activity was observed as early as July 10, 2025, before Oracle’s July patches, with confirmed exploitation starting August 9. Attackers create malicious templates within vulnerable Oracle EBS databases that store payloads triggered during the exploit chain's final stage. Two primary payload types have been identified: GoldVein.Java, a downloader attempting to fetch a second-stage payload from a command-and-control server, and a nested Java payload chain consisting of SageGift (loader), SageLeaf (dropper), and SageWave (Java servlet filter). These payloads are fileless, sophisticated, and designed to evade traditional file-based detection mechanisms. The extortion campaign surfaced publicly on October 2, 2025, with victims receiving ransom demands under the Cl0p ransomware brand, though forensic evidence links the attacks to the FIN11 group, known for similar ransomware and data theft operations. The attackers have stolen significant data from victims and threaten to leak it publicly if ransoms are not paid. The campaign’s complexity, use of zero-day exploits, and multi-stage malware indicate a high level of attacker sophistication. While a proof-of-concept exploit has been published by the Scattered LAPSUS$ Hunters group, there is no evidence they are involved in the actual attacks. The campaign continues to be analyzed by Google Threat Intelligence Group and Mandiant, with ongoing investigations into the full scope and final payloads.

Potential Impact

European organizations using Oracle EBS are at significant risk of unauthorized remote code execution, data theft, and extortion. Oracle EBS is widely used by enterprises across Europe for critical business processes including finance, supply chain, and human resources, making the impact potentially severe. Compromise could lead to loss of sensitive corporate data, intellectual property, and customer information, damaging reputation and incurring regulatory penalties under GDPR. The fileless nature of the malware complicates detection and response, increasing dwell time and potential damage. Extortion attempts leveraging stolen data threaten operational continuity and financial loss. Given the multi-stage attack chain and the involvement of a known ransomware group (FIN11), affected organizations may face prolonged remediation efforts and potential ransomware deployment. The campaign’s timing and sophistication suggest targeted attacks against high-value European enterprises, possibly including sectors such as manufacturing, finance, and government services. The lack of available patches for the zero-day at the time of initial exploitation further exacerbates risk.

Mitigation Recommendations

European organizations should immediately audit Oracle EBS deployments for signs of compromise, focusing on unusual template creations and network traffic to suspicious C&C servers. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying fileless malware behaviors and Java servlet filter anomalies. Implement strict network segmentation to isolate Oracle EBS servers and restrict outbound internet access to limit C&C communication. Apply Oracle’s July 2025 patches without delay and monitor Oracle’s advisories for updates addressing CVE-2025-61882. Conduct thorough incident response exercises simulating zero-day exploitation scenarios in Oracle EBS environments. Employ threat hunting focused on indicators of compromise related to GoldVein.Java, SageGift, SageLeaf, and SageWave payloads. Enhance email security controls to detect and block extortion emails linked to Cl0p ransomware campaigns. Collaborate with law enforcement and cybersecurity information sharing organizations to stay informed on emerging tactics and indicators. Finally, review and strengthen backup and recovery procedures to mitigate ransomware impact.
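The recommendations above ask defenders to watch for Oracle EBS servers reaching out to unexpected command-and-control destinations and to restrict their outbound internet access. The following is an added example of that check, written for this page and not taken from the SecurityWeek article, Google, or Mandiant: it parses a constructed egress log, keeps only connections originating from a hypothetical EBS application subnet, and counts every destination that is not on an egress allowlist. The log format, the subnet 10.20.5.0/24, the allowlisted host names and all addresses are constructed assumptions; adapt them to your proxy or firewall export.

```python
"""Hunt for Oracle EBS application servers talking to non-allowlisted destinations.

Added example, not code from the original article. Every host name, subnet
and address below is constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample egress log: "<timestamp> <src_ip> <dst>:<port> <action>"
SAMPLE_EGRESS_LOG = """\
2025-10-09T10:00:01Z 10.20.5.11 updates.example-vendor.internal:443 ALLOW
2025-10-09T10:00:07Z 10.20.5.11 203.0.113.45:443 ALLOW
2025-10-09T10:00:09Z 10.20.5.12 203.0.113.45:8080 ALLOW
2025-10-09T10:00:15Z 10.20.9.30 198.51.100.7:443 ALLOW
2025-10-09T10:01:02Z 10.20.5.11 203.0.113.45:443 ALLOW
2025-10-09T10:01:30Z 10.20.5.12 time.example-corp.internal:123 ALLOW
this line is malformed and must be skipped
"""

# Hypothetical subnet hosting the EBS application tier (assumption).
EBS_APP_SUBNET = ipaddress.ip_network("10.20.5.0/24")

# Destinations the EBS tier is expected to reach (constructed allowlist).
EGRESS_ALLOWLIST = frozenset({
    "updates.example-vendor.internal",
    "time.example-corp.internal",
})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) (?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    try:
        src = ipaddress.ip_address(match["src"])
    except ValueError:
        return None
    return {
        "ts": match["ts"],
        "src": src,
        "dst": match["dst"],
        "port": int(match["port"]),
        "action": match["action"],
    }


def find_unexpected_egress(log_text, ebs_subnet=EBS_APP_SUBNET,
                           allowlist=EGRESS_ALLOWLIST):
    """Count (src, dst, port) tuples where an EBS host contacted a destination
    outside the allowlist. Hosts outside the EBS subnet are ignored; malformed
    lines are skipped rather than raising."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in ebs_subnet:
            continue
        if rec["dst"] in allowlist:
            continue
        hits[(str(rec["src"]), rec["dst"], rec["port"])] += 1
    return hits


if __name__ == "__main__":
    # Print the most frequent unexpected destinations first; repeated
    # connections to one external host are a natural starting point for triage.
    for (src, dst, port), count in find_unexpected_egress(SAMPLE_EGRESS_LOG).most_common():
        print(f"{src} -> {dst}:{port}  ({count} connection(s))")
```

The check treats the allowlist as the source of truth, so a blocked (DENY) attempt from the EBS tier still surfaces; a denied beacon is as useful a hunt lead as an allowed one, and the segmentation the recommendations call for is what turns the latter into the former.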


Technical Details

Article Source
{"url":"https://www.securityweek.com/sophisticated-malware-deployed-in-oracle-ebs-zero-day-attacks/","fetched":true,"fetchedAt":"2025-10-10T07:44:32.519Z","wordCount":1290}

Threat ID: 68e8b96063e03efae96a661e

Added to database: 10/10/2025, 7:44:32 AM

Last enriched: 10/10/2025, 7:44:47 AM

Last updated: 10/11/2025, 3:54:39 AM

Views: 21
