
Cox Enterprises Data Breach: Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day Vulnerability (CVE-2025-61882)

  • Rescana
  • 16 hours ago
  • 6 min read

Executive Summary

Cox Enterprises, a major U.S. conglomerate operating in telecommunications and automotive services, experienced a data breach after cybercriminals exploited a zero-day vulnerability in the Oracle E-Business Suite (Oracle EBS). The breach occurred between August 9 and August 14, 2025, but was not detected until late September. The Cl0p ransomware group claimed responsibility for the attack, which leveraged CVE-2025-61882, a critical vulnerability that allowed remote, unauthenticated access to sensitive data. Following the breach, Cox Enterprises notified 9,479 impacted individuals and offered complimentary credit monitoring and identity theft protection. The incident highlights the significant risks posed by vulnerabilities in widely used enterprise resource planning (ERP) platforms and demonstrates the broad impact such attacks can have across multiple sectors. All information in this summary is based on verified, primary sources: https://www.bleepingcomputer.com/news/security/cox-enterprises-discloses-oracle-e-business-suite-data-breach/, https://www.emeryreddy.com/blog/data-breach/cox-enterprises-inc-data-breach, and https://www.paubox.com/blog/cl0p-ransomware-gang-names-29-oracle-ebs-breach-victims.

Technical Information

The attack on Cox Enterprises was executed by exploiting a zero-day vulnerability, CVE-2025-61882, in the Oracle E-Business Suite. This vulnerability allowed attackers to gain remote, unauthenticated access to the system, enabling them to exfiltrate sensitive data without requiring user interaction. The exploitation window lasted at least two months before a patch was released by Oracle on October 5, 2025. The Cl0p ransomware group, associated with the FIN11 threat actor, claimed responsibility for the breach and subsequently published stolen data on their leak site.

Oracle E-Business Suite is a widely used enterprise resource planning (ERP) platform that supports back-office business operations. The specific vulnerability, CVE-2025-61882, is rated as critical (CVSS 9.8) and affects the BI Publisher component of Oracle EBS. The flaw enables remote code execution (RCE) without authentication, making it highly attractive to threat actors seeking to compromise large organizations.

Upon gaining access, the attackers used automated scripts and custom tools to identify and exfiltrate large volumes of data from the Oracle EBS environment. The Cl0p group is known for its focus on data theft and extortion, often sending ransom demands to executives and threatening to publish stolen data if payment is not made. In this case, the group sent extortion emails to Cox Enterprises executives in late September and, after non-payment, published the stolen data on October 27, 2025.

The data exfiltrated from Cox Enterprises included names and other personally identifiable information (PII). While the company did not specify the exact types of data exposed, notification letters sent to affected individuals confirmed that PII was involved. The volume of data leaked in similar attacks has ranged from hundreds of gigabytes to several terabytes, indicating the potential scale of the breach.

The Cl0p ransomware group has a documented history of exploiting zero-day vulnerabilities in enterprise software, including previous campaigns targeting MOVEit Transfer, GoAnywhere MFT, SolarWinds Serv-U FTP, and Accellion FTA. These campaigns have affected organizations across multiple sectors, including technology, automotive, media, education, and critical infrastructure.

The technical attack chain aligns with several techniques in the MITRE ATT&CK framework. Initial access was achieved through exploitation of a public-facing application (T1190), followed by remote code execution (T1203). Data was collected from local systems (T1005) and exfiltrated over command-and-control channels (T1041). While ransomware deployment (T1486) is a known tactic of Cl0p, in this incident the primary focus was on data theft and extortion rather than widespread encryption.

Attribution to Cl0p and FIN11 is assessed with high confidence, based on the group’s public claim of responsibility, technical indicators matching their known tactics, techniques, and procedures (TTPs), and corroboration from multiple independent sources. No specific malware hashes or command-and-control infrastructure details were disclosed in public sources, but the circumstantial and pattern evidence is strong.

The breach at Cox Enterprises is part of a broader campaign that targeted at least 29 organizations using Oracle EBS, with confirmed victims including Logitech, The Washington Post, Harvard University, and Envoy Air. The campaign demonstrates the risk posed by vulnerabilities in widely deployed ERP platforms and the potential for cascading impacts across supply chains and critical infrastructure.

Affected Versions & Timeline

The primary affected product is Oracle E-Business Suite, specifically versions vulnerable to CVE-2025-61882 and potentially CVE-2025-61884. Both vulnerabilities allowed remote, unauthenticated access to sensitive data and, in the case of CVE-2025-61882, remote code execution.

The verified incident timeline is as follows:

  • August 9 to August 14, 2025: attackers exploited the zero-day vulnerability in Oracle EBS.
  • Late September 2025: the breach went undetected until Cox Enterprises observed suspicious activity and launched an internal investigation.
  • September 29, 2025: Cox officially became aware of the breach.
  • October 5, 2025: Oracle released a patch for CVE-2025-61882.
  • October 27, 2025: the Cl0p group added Cox Enterprises to its leak site and published the stolen data.
  • October 31, 2025: Cox determined that personal information was involved and began notifying affected individuals.
  • November 17 to November 22, 2025: public disclosure and media coverage.

The campaign exploited a window of vulnerability lasting at least two months before a patch was available, underscoring the importance of rapid patch management for critical enterprise software.

Threat Activity

The threat activity in this incident was characterized by the exploitation of a zero-day vulnerability in Oracle E-Business Suite by the Cl0p ransomware group, associated with the FIN11 threat actor. The attackers gained initial access by exploiting CVE-2025-61882, which allowed remote, unauthenticated code execution. Once inside the environment, the attackers used automated tools to identify and exfiltrate large volumes of data, focusing on personally identifiable information.

The Cl0p group is known for its data theft and extortion tactics, often sending ransom demands to executives and threatening to publish stolen data if payment is not made. In this campaign, extortion emails were sent to Cox Enterprises executives in late September. After non-payment, the group published the stolen data on their leak site on October 27, 2025.

The campaign targeted a wide range of sectors, including technology, automotive, media, education, transportation, mining, professional services, wastewater, construction, insurance, financial, manufacturing, energy, and HVAC. This broad targeting reflects the widespread use of Oracle EBS in large organizations and the high value of data stored in ERP systems.

The technical attack chain mapped to the MITRE ATT&CK framework includes exploitation of public-facing applications (T1190), remote code execution (T1203), data collection from local systems (T1005), and exfiltration over command-and-control channels (T1041). While ransomware deployment (T1486) is a known tactic of Cl0p, in this incident the primary focus was on data theft and extortion.

Attribution to Cl0p and FIN11 is assessed with high confidence, based on the group’s public claim of responsibility, technical indicators matching their known TTPs, and corroboration from multiple independent sources. The group has a documented history of exploiting zero-day vulnerabilities in enterprise software for mass data theft and extortion.

Mitigation & Workarounds

The following mitigation and workaround recommendations are prioritized by severity:

Critical: Immediately apply all available security patches for Oracle E-Business Suite, especially those addressing CVE-2025-61882 and CVE-2025-61884. Organizations should verify that their Oracle EBS environments are fully updated and that no vulnerable instances are exposed to the internet. Reference: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html

High: Conduct a comprehensive review of all systems for signs of compromise, focusing on indicators of unauthorized access, data exfiltration, and suspicious activity in Oracle EBS logs. Engage with cybersecurity experts to perform forensic analysis and ensure that any persistence mechanisms or backdoors are identified and removed.

High: Implement network segmentation and restrict external access to Oracle EBS and other critical enterprise applications. Ensure that only authorized users and systems can access sensitive environments, and enforce strong authentication and access controls.

Medium: Enhance monitoring and alerting for unusual activity in ERP systems, including large data transfers, unauthorized access attempts, and changes to user privileges. Deploy endpoint detection and response (EDR) solutions to improve visibility and response capabilities.

Medium: Provide security awareness training to employees, emphasizing the risks of phishing, social engineering, and extortion attempts. Ensure that executives and key personnel are aware of the tactics used by groups like Cl0p.

Low: Review and update incident response and business continuity plans to ensure readiness for future attacks targeting ERP platforms. Regularly test backup and recovery procedures to minimize the impact of potential data loss or system downtime.
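As an added illustration of the monitoring recommendation above (it is not code from Rescana or from Oracle), the script below runs three of the suggested checks over web-server access-log lines: per-client transfer volume (large data transfers), bursts of 401/403 responses (unauthorized access attempts), and successful unauthenticated requests to paths that should require a session. The log format is the common Apache/NCSA style; the sample lines, the path prefixes treated as sensitive, and the thresholds are constructed assumptions for this example and are not Oracle EBS log formats or paths.

```python
"""Access-log triage for ERP front ends: flags large transfers, auth-failure
bursts and unauthenticated hits on sensitive paths.

Assumptions (not from the advisory): NCSA combined-style log lines, the
SENSITIVE_PREFIXES below, and the default thresholds in analyze().
"""
import re
from collections import defaultdict

# Fields used: client IP, authenticated user, timestamp, request line,
# status code and response size in bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log lines (not real traffic from any incident).
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/Aug/2025:02:14:07 +0000] "GET /app/reports/summary HTTP/1.1" 200 18422
203.0.113.9 - - [12/Aug/2025:02:15:01 +0000] "POST /app/export/bulk HTTP/1.1" 200 734003200
203.0.113.9 - - [12/Aug/2025:02:16:44 +0000] "POST /app/export/bulk HTTP/1.1" 200 612000000
198.51.100.7 - - [12/Aug/2025:02:17:10 +0000] "GET /app/login HTTP/1.1" 401 512
198.51.100.7 - - [12/Aug/2025:02:17:11 +0000] "GET /app/login HTTP/1.1" 401 512
198.51.100.7 - - [12/Aug/2025:02:17:12 +0000] "GET /app/login HTTP/1.1" 403 512
10.0.0.8 - asmith [12/Aug/2025:02:18:30 +0000] "GET /app/reports/summary HTTP/1.1" 200 20110
"""

# Hypothetical path prefixes that should never return 200 to a client
# with no authenticated user; adjust to the application being monitored.
SENSITIVE_PREFIXES = ("/app/export/", "/app/reports/")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def analyze(log_text, byte_threshold=500 * 1024 * 1024, auth_fail_threshold=3):
    """Return a list of (alert_kind, client_ip, detail) tuples.

    byte_threshold: total response bytes per client above which a
    'large_transfer' alert fires (default 500 MiB).
    auth_fail_threshold: number of 401/403 responses per client that
    triggers an 'auth_failure_burst' alert.
    """
    bytes_by_ip = defaultdict(int)
    auth_fail_by_ip = defaultdict(int)
    alerts = []

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently counted
        bytes_by_ip[rec["ip"]] += rec["bytes"]
        if rec["status"] in (401, 403):
            auth_fail_by_ip[rec["ip"]] += 1
        # A 200 on a sensitive path with no authenticated user is reported
        # per request, since each one is a potential data access.
        if (rec["user"] == "-" and rec["status"] == 200
                and rec["path"].startswith(SENSITIVE_PREFIXES)):
            alerts.append(("unauthenticated_sensitive_access", rec["ip"], rec["path"]))

    for ip, total in bytes_by_ip.items():
        if total >= byte_threshold:
            alerts.append(("large_transfer", ip, total))
    for ip, count in auth_fail_by_ip.items():
        if count >= auth_fail_threshold:
            alerts.append(("auth_failure_burst", ip, count))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:32s} {ip:16s} {detail}")
```

On the constructed sample, the unauthenticated client pulling two large exports is reported both per request and by total volume, and the client cycling through login failures is reported once as a burst. In production the byte threshold should be set from a baseline of normal export sizes, and the per-client totals should be computed over a sliding time window rather than over the whole file.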

Organizations should also consider enrolling affected individuals in credit monitoring and identity theft protection services, as offered by Cox Enterprises, to mitigate the risk of identity fraud resulting from exposed PII.

References

  • https://www.bleepingcomputer.com/news/security/cox-enterprises-discloses-oracle-e-business-suite-data-breach/
  • https://www.emeryreddy.com/blog/data-breach/cox-enterprises-inc-data-breach
  • https://www.paubox.com/blog/cl0p-ransomware-gang-names-29-oracle-ebs-breach-victims
  • https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
  • https://attack.mitre.org/techniques/T1190/
  • https://attack.mitre.org/techniques/T1203/
  • https://attack.mitre.org/techniques/T1005/
  • https://attack.mitre.org/techniques/T1041/
  • https://blackpointcyber.com/threat-profile/clop-ransomware/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their extended supply chain and vendor ecosystem. Our platform enables continuous monitoring of critical software dependencies, rapid detection of emerging vulnerabilities, and actionable insights for incident response and remediation planning. For questions or further information, contact us at ops@rescana.com.
