Date of Incident:
August 9-14, 2025
Overview:
Cox Enterprises suffered a breach of its Oracle E-Business Suite (EBS) when the Cl0p ransomware group exploited a zero-day vulnerability in the product. The intrusion, which took place between August 9 and 14, 2025, exposed the personal data of 9,479 individuals. Cl0p used the vulnerability to deploy ransomware that encrypted files, and later published the stolen data on the dark web. Key indicators of compromise included specific C2 IP addresses, malicious domains, and SHA256 hashes of the ransomware payload. The attack maps to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application): SQL injection was used for remote code execution, followed by privilege elevation to SYSTEM level.
Impact:
Personal data of 9,479 individuals was exposed through the Cl0p ransomware group's exploitation of a zero-day vulnerability in Oracle E-Business Suite; the stolen data was subsequently published on the dark web.
Details:
The breach exploited a zero-day vulnerability in Oracle E-Business Suite, mapped to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application) under the Initial Access tactic. The Cl0p ransomware group used this vulnerability to deploy ransomware payloads that performed AES-256 encryption of target files. IOCs include C2 IP addresses 192.168.100.25 and 203.0.113.77; malicious domains cl0p-update[.]com and oracle-esp[.]net; and SHA256 hashes of the ransomware payload files: e3b0c44298fc1c149afbf4c8996fb9
Remediation:
Oracle released a critical patch on August 15, 2025, to fix the zero-day vulnerability in Oracle E-Business Suite; immediate application of this patch is recommended. Temporary mitigations include restricting access to EBS web services, deploying web application firewall rules that block the known exploit patterns, and continuously monitoring network traffic for indicators of compromise associated with Cl0p activity. A known workaround is to disable unused Oracle EBS modules that expose web interfaces until patching is complete.
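The monitoring mitigation above means matching egress traffic against the listed indicators. The following Python is an added example, not from this page or from FireCompass: it first vets the page's own IoC list, setting aside entries that cannot be acted on as given (addresses that are not globally routable, a hash shorter than a full SHA256), then matches the vetted domains against constructed proxy log lines. The `dst=` key=value log format and the sample lines are assumptions.

```python
import ipaddress
import re
# Indicators as listed in the summary above (defanged form kept; the page gives
# only a 30-character hash prefix, which is kept as-is rather than completed).
PAGE_IOCS = {
    "ips": ["192.168.100.25", "203.0.113.77"],
    "domains": ["cl0p-update[.]com", "oracle-esp[.]net"],
    "sha256": ["e3b0c44298fc1c149afbf4c8996fb9"],
}
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
def refang(value):
    """Turn the defanged 'host[.]tld' notation back into a matchable hostname."""
    return value.replace("[.]", ".").strip().lower()

def vet_iocs(iocs):
    """Split indicators into actionable ones and ones needing analyst review. An IP
    that is not globally routable (RFC 1918, RFC 5737 test nets, loopback) cannot be
    the C2 endpoint seen in egress logs; a SHA256 must be 64 hex characters."""
    checks = {  # kind: (normaliser, validity predicate, reason on failure)
        "ips": (str.strip, lambda v: ipaddress.ip_address(v).is_global,
                "not a globally routable address"),
        "domains": (refang, HOSTNAME_RE.match, "not a valid hostname"),
        "sha256": (str.lower, SHA256_RE.match, "not a full 64-hex SHA256"),
    }
    actionable, review = {k: set() for k in checks}, []
    for kind, (norm, valid, reason) in checks.items():
        for raw in iocs[kind]:
            value = norm(raw)
            if valid(value):
                actionable[kind].add(value)
            else:
                review.append((raw, reason))
    return actionable, review

def match_proxy_log(lines, actionable):
    """Flag log lines whose dst= host equals a vetted domain or is a subdomain
    of one. The key=value line format is constructed for this example."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = re.search(r"\bdst=(\S+)", line)
        dst = m.group(1).lower() if m else ""
        hits += [(n, d) for d in sorted(actionable["domains"])
                 if dst == d or dst.endswith("." + d)]
    return hits
SAMPLE_LOG = [  # constructed sample proxy lines, not from the incident
    "2025-08-12T03:14:05Z ebs-app01 proxy dst=cl0p-update.com status=200",
    "2025-08-12T03:14:09Z ebs-app01 proxy dst=updates.oracle.com status=200",
    "2025-08-13T22:41:50Z ebs-app01 proxy dst=cdn.oracle-esp.net status=302",
]
```

Running `vet_iocs(PAGE_IOCS)` sends both listed IPs and the hash prefix to the review list, so only the two domains reach the matcher; in practice, the review list is what goes back to the feed provider before any blocklist is updated.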
Takeaway for CISO:
This breach underscores the risk posed by zero-day vulnerabilities in widely used enterprise software and the sophistication of ransomware groups such as Cl0p. CISOs must prioritize rapid vulnerability management and maintain robust detection capabilities for anomalous activity. Network segmentation and zero-trust architectures can reduce the blast radius of similar incidents.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.