Vulnerability Watch

Forum Discussion

snarang
Product Team
2 months ago

Investigating: Cl0p Reportedly Breached Oracle E-Business Suite (EBS) Systems

Tenable's Research Special Operations (RSO) team is investigating reports of breaches connected to Oracle E-Business Suite (EBS) systems by the Cl0p extortion group. 

As of October 3, there have been no specific vulnerabilities (or CVEs) identified in connection with the attacks. However, Rob Duhart, Chief Security Officer at Oracle, published the following in a blog post:

"Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates."

In the July 2025 Critical Patch Update (CPU), there were 165 unique CVEs patched, including nine associated with Oracle EBS:

| CVE | Product | CVSSv3 |
| --- | --- | --- |
| CVE-2025-30743 | Oracle Lease and Finance Management | 8.1 |
| CVE-2025-30744 | Oracle Mobile Field Service | 8.1 |
| CVE-2025-50105 | Oracle Universal Work Queue | 8.1 |
| CVE-2025-50071 | Oracle Applications Framework | 6.4 |
| CVE-2025-30746 | Oracle iStore | 6.1 |
| CVE-2025-30745 | Oracle MES for Process Manufacturing | 6.1 |
| CVE-2025-50107 | Oracle Universal Work Queue | 6.1 |
| CVE-2025-30739 | Oracle CRM Technical Foundation | 5.5 |
| CVE-2025-50090 | Oracle Applications Framework | 5.4 |

Cl0p has historically been linked to the exploitation of zero-day vulnerabilities, including in managed file transfer platforms such as Cleo, MOVEit, GoAnywhere and Accellion.

If and when more definitive information becomes available, we will update this post and/or publish more details on the Tenable Blog.
