
Barts Health NHS Data Breach: Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day (CVE-2025-61882)

  • Rescana
  • 2 days ago

Executive Summary

Barts Health NHS Trust has disclosed a significant data breach following the exploitation of a zero-day vulnerability in Oracle E-Business Suite by the Cl0p ransomware group. The breach resulted in the theft and subsequent dark web exposure of files containing personal and financial information of patients, former staff, and suppliers. The attack was limited to business systems, specifically those handling invoicing and accounting, and did not impact electronic patient records or core clinical systems. The initial compromise occurred in August 2025, but the breach was only discovered in November 2025 when the stolen data was posted on the dark web. The vulnerability exploited, now tracked as CVE-2025-61882, allowed unauthenticated attackers to access sensitive data. Barts Health NHS Trust is collaborating with NHS England, the National Cyber Security Centre, the Metropolitan Police, and the Information Commissioner's Office to manage the incident and mitigate harm. The organization has also sought a High Court order to restrict further dissemination of the compromised data. This incident is part of a broader, global campaign by Cl0p targeting organizations across multiple sectors through exploitation of Oracle E-Business Suite vulnerabilities. All information in this summary is directly supported by the official Barts Health NHS disclosure, BleepingComputer’s technical analysis, and BankInfoSecurity’s sector and regulatory reporting (Barts Health NHS, 5 Dec 2025, BleepingComputer, 5 Dec 2025, BankInfoSecurity, 13 Nov 2025).

Technical Information

The attack on Barts Health NHS Trust was executed by the Cl0p ransomware group, a Russian-speaking cybercriminal syndicate known for orchestrating large-scale data theft and extortion campaigns. The group exploited a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882), a widely used enterprise resource planning (ERP) platform that automates business processes such as invoicing and accounting. This vulnerability enabled unauthenticated attackers to gain direct access to the Oracle EBS environment, bypassing standard authentication controls and allowing the exfiltration of sensitive data.

The initial access vector was the exploitation of the public-facing application, mapped to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application) (MITRE ATT&CK T1190). There is no evidence from any of the primary sources that the attackers moved laterally within the NHS IT infrastructure or escalated privileges beyond the Oracle EBS environment. The attack was contained to business systems, and there was no impact on electronic patient records or clinical systems, as explicitly stated by Barts Health NHS and corroborated by BleepingComputer.

Once inside the Oracle EBS environment, the attackers exfiltrated data, including invoices spanning several years. These invoices contained full names and addresses of individuals who paid for treatment or services, details of former staff who owed money to the trust, and information about suppliers. The exfiltration phase aligns with MITRE ATT&CK technique T1041 (Exfiltration Over C2 Channel) (MITRE ATT&CK T1041). The data was subsequently posted on Cl0p’s leak portal on the dark web, a tactic consistent with the group’s double-extortion model, where stolen data is used to pressure victims into paying a ransom.

No specific malware or ransomware encryption was deployed in this incident. The attack relied solely on the exploitation of the Oracle EBS zero-day for direct data theft, reflecting Cl0p’s recent shift from traditional ransomware encryption to pure data exfiltration and extortion. This is supported by statements from BankInfoSecurity and BleepingComputer, which confirm the absence of endpoint malware or encryption activities.

The breach also affected files related to accounting services provided by Barts Health NHS Trust to Barking, Havering and Redbridge University Hospitals NHS Trust since April 2024. The attackers’ campaign is not sector-specific; Cl0p has targeted organizations in healthcare, higher education, IT, manufacturing, and financial services, exploiting the same Oracle EBS vulnerability. This opportunistic, sector-agnostic targeting is a hallmark of Cl0p’s operations, as noted by security researchers cited in BankInfoSecurity.

The timeline of the attack is as follows: the initial compromise occurred in August 2025, but there was no indication of data at risk until November 2025, when the files were posted on the dark web. Barts Health NHS Trust became aware of the breach at that time and initiated incident response procedures, including notification of regulators and law enforcement.

The technical evidence supporting these findings is robust, with high confidence in the attribution to Cl0p and the use of the Oracle EBS zero-day as the initial access vector. All claims are directly supported by statements from Barts Health NHS, BleepingComputer, and BankInfoSecurity, with URLs provided for verification.

Affected Versions & Timeline

The vulnerability exploited in this incident is tracked as CVE-2025-61882, affecting Oracle E-Business Suite. The specific affected versions have not been detailed in the public disclosures, but the vulnerability allowed unauthenticated access to business-critical data. Oracle has since released a patch to address this issue.

The attack timeline is as follows: the initial compromise of Barts Health NHS Trust’s Oracle EBS environment occurred in August 2025. There was no indication that trust data was at risk until November 2025, when the stolen files were posted on the dark web. The public disclosure by Barts Health NHS Trust was made on 5 December 2025. The breach also impacted files related to accounting services provided to Barking, Havering and Redbridge University Hospitals NHS Trust since April 2024.

The risk of exposure is currently limited to those with access to the compressed files on the encrypted dark web. No information has been published on the general internet as of the latest updates from Barts Health NHS and BleepingComputer.

Threat Activity

The Cl0p ransomware group is responsible for this attack, employing a strategy of exploiting zero-day vulnerabilities in widely used enterprise software to gain access to sensitive business data. In this case, the group targeted the Oracle E-Business Suite zero-day (CVE-2025-61882) to access and exfiltrate data from Barts Health NHS Trust.

Cl0p’s tactics have evolved from traditional ransomware encryption to data theft and extortion, focusing on deeply embedded enterprise systems that are often overlooked in standard security defenses. The group’s campaign is characterized by rapid exploitation (“smash and grab” attacks), exfiltration of sensitive data, and subsequent extortion through threats of public exposure on dark web leak sites.

The group’s targeting is opportunistic and sector-agnostic, with confirmed victims across healthcare, higher education, IT, manufacturing, and financial services. The attack on Barts Health NHS Trust is part of a broader campaign that has affected dozens of organizations globally, as confirmed by security researchers and law enforcement.

The data stolen in this incident includes invoices with personal and financial information of patients, former staff, and suppliers. The exposure of this data poses risks of social engineering, phishing, and fraud, as criminals may use the information to trick individuals into sharing further sensitive data or making unauthorized payments.

Barts Health NHS Trust has taken steps to mitigate the impact, including seeking a High Court order to ban the publication, use, or sharing of the compromised data. However, the effectiveness of such legal measures is limited in practice, especially when dealing with criminal groups operating outside UK jurisdiction.

The organization has reported the breach to NHS England, the National Cyber Security Centre, the Metropolitan Police, and the Information Commissioner's Office, and is working with these entities to investigate and contain the incident.

Mitigation & Workarounds

The following mitigation and workaround recommendations are prioritized by severity:

Critical: Immediate application of the official Oracle E-Business Suite patch for CVE-2025-61882 is essential for all organizations using this platform. Unpatched systems remain at risk of exploitation by Cl0p and other threat actors. Organizations should verify that all Oracle EBS instances are updated to the latest secure version as released by Oracle (Oracle Security Updates).

High: Conduct a comprehensive review of all business-critical applications, especially ERP and financial systems, for signs of unauthorized access or data exfiltration. Implement continuous monitoring and logging of access to sensitive data repositories, and review historical logs for indicators of compromise dating back to at least August 2025.

High: Notify all potentially affected individuals, including patients, former staff, and suppliers, about the breach and the specific data at risk. Provide clear guidance on recognizing and reporting phishing attempts, social engineering, and fraudulent payment requests.

Medium: Engage with law enforcement and relevant regulatory bodies, such as the Information Commissioner's Office, to ensure compliance with legal and reporting obligations. Cooperate fully with ongoing investigations and provide all necessary technical evidence.

Medium: Review and update incident response and business continuity plans to address the risks associated with data theft from enterprise business systems. Ensure that all staff are trained to recognize and respond to potential data breach scenarios.

Low: Consider legal measures, such as seeking court orders to restrict the dissemination of compromised data, while recognizing the practical limitations of such actions against international cybercriminal groups.

Low: Regularly review and update supplier and third-party risk management processes, ensuring that all partners with access to sensitive data are following robust security practices.
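The "High" recommendation above asks for a review of historical access logs back to August 2025 for signs of unauthenticated access and data exfiltration. As an added example, not code from Rescana or from any of the cited sources, the script below triages constructed web-tier access logs for an ERP front end and flags clients whose cookie-less (unauthenticated) requests returned large volumes of data inside the post's August-to-November 2025 window; the log format, the `cookie=` session marker, the `/erp/` paths and the byte threshold are all assumptions for illustration.

```python
"""Added example (not from the Rescana post or any vendor): triage constructed
access logs for the two behaviours the post describes -- unauthenticated
requests to a public-facing ERP front end (T1190) that return large volumes
of data (T1041) -- inside the August-to-November 2025 window."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (assumed format): client, UTC timestamp, request,
# status, response bytes, and whether an authenticated session cookie was sent.
SAMPLE_LOG = """\
10.0.0.5 [2025-07-30T09:12:01Z] "GET /erp/login" 200 3120 cookie=yes
10.0.0.5 [2025-08-14T02:03:44Z] "POST /erp/report" 200 5200000 cookie=no
10.0.0.5 [2025-08-14T02:05:10Z] "POST /erp/report" 200 7100000 cookie=no
10.0.0.9 [2025-09-02T10:00:00Z] "GET /erp/invoice" 200 45000 cookie=yes
10.0.0.7 [2025-11-20T23:59:59Z] "POST /erp/export" 200 9000000 cookie=no
198.51.100.4 [2025-12-06T00:00:00Z] "POST /erp/export" 200 9000000 cookie=no
"""

LINE_RE = re.compile(r'^(\S+) \[(\S+)\] "(\S+) (\S+)" (\d{3}) (\d+) cookie=(yes|no)$')

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status, size, cookie = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"client": client, "time": when, "method": method, "path": path,
            "status": int(status), "bytes": int(size), "authenticated": cookie == "yes"}

def unauthenticated_egress(lines, start, end):
    """Bytes returned per client on successful, cookie-less requests in [start, end)."""
    totals = defaultdict(int)
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None or rec["authenticated"] or rec["status"] != 200:
            continue
        if start <= rec["time"] < end:
            totals[rec["client"]] += rec["bytes"]
    return dict(totals)

def suspect_clients(lines, start, end, threshold_bytes=10_000_000):
    """Clients whose unauthenticated egress exceeds the (assumed) threshold; triage leads only."""
    egress = unauthenticated_egress(lines, start, end)
    return sorted(c for c, b in egress.items() if b > threshold_bytes)

WINDOW_START = datetime(2025, 8, 1, tzinfo=timezone.utc)   # post: compromise began August 2025
WINDOW_END = datetime(2025, 12, 1, tzinfo=timezone.utc)    # post: leak surfaced November 2025

if __name__ == "__main__":
    print(suspect_clients(SAMPLE_LOG, WINDOW_START, WINDOW_END))
```

A hit is a lead for the incident responder to correlate with application-tier audit records, not proof of compromise; tune the threshold and window to the environment's own baseline.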

References

Barts Health NHS, "Cl0p cyberattack update" (5 December 2025): https://www.bartshealth.nhs.uk/news/cl0p-cyberattack-update-18178

BleepingComputer, "Barts Health NHS discloses data breach after Oracle zero-day hack" (5 December 2025): https://www.bleepingcomputer.com/news/security/barts-health-nhs-discloses-data-breach-after-oracle-zero-day-hack/

BankInfoSecurity, "UK NHS named in Clop gang's exploits of Oracle zero-days" (13 November 2025): https://www.bankinfosecurity.com/uk-nhs-named-in-clop-gangs-exploits-oracle-zero-days-a-30030

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their business-critical systems and supply chain partners. Our platform enables continuous visibility into the security posture of enterprise applications, supports rapid detection of emerging vulnerabilities, and facilitates evidence-based incident response. For questions or further information, please contact us at ops@rescana.com.
