InfoSecBulletin Cybersecurity for mankind
The Clop ransomware gang claims to have breached Oracle’s internal systems and has listed the company on its dark web leak site.
This is part of a large extortion campaign that takes advantage of a serious zero-day vulnerability in Oracle E-Business Suite (EBS), dubbed CVE-2025-61882.
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Critical Cisco ISE Vulnerability Enables Remote Code Execution
F5 Patches NGINX Flaw for Code Execution and DoS Attacks
FortiBleed: 70,000 Fortinet Firewalls Compromised Globally
New Rokarolla Android malware hits 217 banking and crypto apps
Phishing Campaign Exploits Legitimate Microsoft Login Flow
ALERT
Cisco SD-WAN Zero-Day, FortiSandbox and cPanel flaws exploited in attacks
“Panthalassa” builds floating AI data centers powered by ocean waves
Critical Wazuh Vuln Enables Alert Tampering and Evidence Deletion
Security experts report that Clop affiliates started using this vulnerability as early as August 2025, before Oracle issued a fix in October 2025.
The exploit chain specifically targets the OA_HTML/SyncServlet endpoint to bypass authentication, followed by malicious XSLT template injection via OA_HTML/RF.jsp to execute arbitrary commands.
This “pre-auth” nature allowed attackers to compromise servers without valid credentials, granting them full control over sensitive ERP data.
cybersecuritynews reported, evidence from Clop’s leak site shows a “PAGE CREATED” status for ORACLE.COM, listed with major companies like MAZDA.COM, HUMANA.COM, and the Washington Post.
The Oracle Corporation listing hints that the company may have suffered from its own software issue.
Victims report receiving extortion emails from addresses like support@pubstorm[.]com, threatening the release of financial and personal records if ransom demands are not met.
