One of the largest corporate data breaches of 2025
Google revealed on Thursday that a massive cyberattack targeting Oracle’s enterprise software compromised dozens — and potentially more than 100 — organizations worldwide, marking one of the largest corporate data breaches of 2025.
According to Google’s Threat Analysis Group, the attack was carried out by CL0P, a ransomware group linked to Russia, which exploited a zero-day vulnerability in Oracle’s E-Business Suite to steal sensitive business data and demand ransoms of up to $50 million per victim.
The campaign, which began as early as July 2025, targeted critical Oracle systems used by thousands of companies to manage finances, payroll, and supply chains. Google security analyst Austin Larsen stated, “We’re aware of dozens of victims, but expect the number to be much higher. Based on the scale of CL0P’s past campaigns, it’s likely that more than a hundred organizations were affected.”
Zero-day flaw enabled massive compromise
Researchers from Google’s Threat Intelligence Group and Mandiant confirmed that CL0P exploited CVE-2025-61882, a critical vulnerability with a CVSS score of 9.8, allowing unauthenticated remote code execution. The first exploitation occurred on August 9, 2025, weeks before Oracle released an emergency patch on October 4.
“This level of sophistication suggests the attackers invested significant time and resources into researching the flaw before launching the breach,” Google said. The vulnerability affected Oracle E-Business Suite versions 12.2.3 through 12.2.14, granting full system control without needing usernames or passwords.
The attack chain involved bypassing authentication through Oracle’s SyncServlet, uploading malicious templates via the XML Publisher Template Manager, executing commands, and planting persistent backdoors. CL0P exfiltrated vast amounts of sensitive data — including payroll records, vendor contracts, and financial transactions — before sending ransom emails directly to corporate executives.
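As an added defender-side illustration (not code from the article, Google or Oracle), the following Python triage helper scans Oracle HTTP Server access logs in Apache combined format for requests touching the two E-Business Suite components named above, and flags source addresses that hit SyncServlet and then a template upload path within a short window during the August 9 to October 4 exploitation period. The log lines are constructed samples; the SyncServlet URL and the Template Manager path fragment are assumptions about a deployment's URL layout, not confirmed Oracle endpoints.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/OHS combined log format; Oracle HTTP Server fronts EBS with it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')

# Path fragments to match (lower-case). "SyncServlet" is named in the reporting;
# the Template Manager fragment is an assumption about this deployment's URLs.
STAGES = (("syncservlet", "syncservlet"), ("template_upload", "templatemanager"))
CAMPAIGN_START = datetime(2025, 8, 9, tzinfo=timezone.utc)   # first known exploitation
PATCH_RELEASED = datetime(2025, 10, 4, tzinfo=timezone.utc)  # Oracle emergency patch

def parse_ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def stage_hits(lines):
    """Yield (stage, ip, timestamp) for every request touching a suspect path."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        low = m["path"].lower()
        for stage, needle in STAGES:
            if needle in low:
                yield stage, m["ip"], parse_ts(m["ts"])

def triage(lines, chain_window=timedelta(minutes=15)):
    """Per source IP: stages seen, hit inside the exploit-to-patch window, and chain order."""
    per_ip = {}
    for stage, ip, ts in stage_hits(lines):
        rec = per_ip.setdefault(ip, {"stages": {}, "in_window": False, "chain": False})
        rec["stages"].setdefault(stage, []).append(ts)
        if CAMPAIGN_START <= ts <= PATCH_RELEASED:
            rec["in_window"] = True
    for rec in per_ip.values():
        firsts = rec["stages"].get("syncservlet", [])
        uploads = rec["stages"].get("template_upload", [])
        # Chain = a SyncServlet request followed by a template upload within the window.
        rec["chain"] = any(timedelta(0) <= u - f <= chain_window
                           for f in firsts for u in uploads)
    return per_ip

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    '203.0.113.7 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Aug/2025:03:16:41 +0000] "POST /OA_HTML/xdo/TemplateManager HTTP/1.1" 200 88',
    '192.0.2.4 - - [12/Aug/2025:03:15:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4096',
    '198.51.100.9 - - [20/Oct/2025:09:00:00 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 403 0',
]
```

Run `triage(SAMPLE_LOG)` to see that only the first address is reported as a completed chain inside the window; a post-patch probe that was refused is listed but not flagged.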
Widespread corporate disruption and emergency response
The breach forced many organizations to temporarily shut down ERP servers for forensic analysis and patching, disrupting payroll, order management, and financial reporting systems. Some companies faced delays applying the fix, as Oracle’s emergency update required a base patch from October 2023 to install properly.
“Massive amounts of customer data” were compromised during the campaign, Google confirmed. The exposure raises serious compliance concerns under GDPR and CCPA, adding both financial and reputational risks for affected firms.
After the vulnerability was disclosed publicly, exploit scripts began circulating online, prompting urgent warnings from cybersecurity agencies, including CISA, which added CVE-2025-61882 to its Known Exploited Vulnerabilities Catalog. Oracle has urged all E-Business Suite customers to apply the emergency patch immediately to prevent further exploitation.
The growing wave of enterprise cyberattacks
The Oracle breach comes amid a surge in high-profile corporate cyber incidents across the tech industry in 2025:
- Salesforce recently refused to pay ransom demands after hackers exposed nearly one billion customer records, in what experts called one of the largest supply chain attacks on enterprise software platforms.
- Microsoft confirmed that attackers exploited a critical flaw in Fortra’s GoAnywhere software to deploy Medusa ransomware.
- Discord suffered a serious data breach after a hack on one of its third-party support vendors, leaking users’ personal information and government-issued IDs.
Together, these incidents highlight the growing fragility of enterprise systems and the increasing sophistication of ransomware groups that exploit zero-day vulnerabilities in widely used corporate software.
As cybersecurity experts warn, the Oracle incident underscores a stark reality: even the world’s most trusted enterprise platforms are not immune to the escalating global cyberwar.
