CYBERNEWSMEDIA Network


Nearly 30 Alleged Victims of Oracle EBS Hack Named on Cl0p Ransomware Site

The Cl0p website lists major organizations such as Logitech, The Washington Post, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland. The post Nearly 30 Alleged Victims of Oracle EBS Hack Named on Cl0p Ransomware Site appeared first on SecurityWeek.


Cybercriminals have named nearly 30 organizations allegedly impacted by the recent campaign targeting customers of Oracle’s E-Business Suite (EBS) enterprise resource planning solutions.

The campaign, which involved extortion emails being sent to executives at dozens of organizations in late September, is believed to have been conducted by a cluster of the profit-driven threat actor tracked as FIN11.

The attacks were claimed by the Cl0p (aka Clop) ransomware group. Cl0p was previously linked by the cybersecurity community to FIN11, and the decision to use it as the public-facing entity for the campaign was likely motivated by its prior involvement in similar high-impact campaigns targeting customers of Cleo, MOVEit, and Fortra file transfer products.

Twenty-nine alleged victims of the Oracle EBS hack have been listed on the Cl0p leak website to date. The organizations that were the first to be named, such as Harvard University, South Africa’s Wits University, and American Airlines subsidiary Envoy Air, confirmed being impacted shortly after they were named by the attackers in mid-October.   

Last week, The Washington Post also confirmed it had been successfully targeted in the campaign, but did not share any details, Reuters reported. 

However, a majority of the other alleged victims have yet to confirm suffering a data breach. 

SecurityWeek has reached out for comment to several important organizations from the list, but none responded. This includes industrial giants Schneider Electric and Emerson, consumer electronics giant Logitech, communications and automotive giant Cox Enterprises, silver and gold producer Pan American Silver, automotive parts firm LKQ Corporation, and HVAC company Copeland.

Other alleged victims include companies in the mining, professional services, wastewater, construction, insurance, financial, manufacturing, transportation, technology, automotive, energy, and HVAC sectors. 

The organizations impacted by the Oracle EBS hack are likely conducting investigations and some of them likely do not want to share any information until those probes are completed. Others, as past Cl0p attacks have shown, are likely trying to avoid the spotlight by staying silent. 

The cybercriminals leaked data allegedly stolen from 18 victims, in some cases making public hundreds of gigabytes and even several terabytes of files. 

SecurityWeek has conducted only a limited structural analysis of some of the leaked files and concluded that they likely originated from an Oracle environment.

Given Cl0p’s history, it’s unlikely that organizations have been falsely listed as victims. However, it’s not uncommon for the cybercriminals to deliberately name parent companies as the victim when the actual impact was limited to a smaller subsidiary (as in the case of American Airlines being listed for the Envoy Air hack). It’s also possible that in some cases the hackers have exaggerated the value and sensitivity of the stolen data.

It’s still unclear exactly which Oracle EBS vulnerabilities have been exploited in the campaign. The most likely candidates are CVE-2025-61882 and CVE-2025-61884, both of which can be exploited remotely without authentication or user interaction to gain access to sensitive data. In the case of CVE-2025-61882, exploitation as a zero-day appears to have started at least two months prior to patches being released.
