Cybercriminals have allegedly targeted almost 30 organizations in a coordinated campaign exploiting Oracle’s E-Business Suite (EBS) enterprise resource planning software. The operation, which began in late September, involved extortion emails sent to senior executives and is believed to be the work of the financially motivated threat group known as FIN11.

The Cl0p ransomware gang has publicly claimed responsibility, likely acting as the front for the campaign given its previous involvement in similar large-scale attacks against MOVEit, Cleo, and Fortra file transfer systems.

To date, 29 alleged victims have been listed on Cl0p’s leak website. Confirmed organizations include Harvard University, South Africa’s Wits University, and Envoy Air, a subsidiary of American Airlines. The Washington Post has also confirmed it was affected, though it has not released specific details. Many others—such as Schneider Electric, Emerson, Logitech, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland—have not commented, possibly due to ongoing investigations. The list of purported victims spans a wide range of sectors, including mining, professional services, insurance, energy, manufacturing, and transportation.

Cl0p has already leaked data from 18 of the listed victims, with some breaches involving hundreds of gigabytes or even terabytes of files believed to have originated from Oracle environments. While it’s possible that some organizations were misidentified or that the extent of the breaches has been overstated, Cl0p’s record suggests most listings are legitimate. The specific vulnerabilities exploited remain unconfirmed, but experts suspect CVE-2025-61882 and CVE-2025-61884—two flaws that can be remotely exploited without authentication—were used in the attacks. Notably, CVE-2025-61882 appears to have been exploited as a zero-day for at least two months before a patch was released.
