
Mar 16, 2026 · 5 min read

Cl0p Exploited an Oracle Zero Day for Months Before Anyone Noticed—Michelin Is Just the Latest Victim

The Cl0p ransomware group used a previously unknown Oracle E-Business Suite vulnerability to quietly steal data from over 100 companies. Michelin has confirmed it was among those breached.

A Familiar Playbook With a New Target

Cl0p has perfected a particular kind of cyberattack. The group identifies a zero-day vulnerability in widely deployed enterprise software, exploits it at scale before the vendor can issue a patch, and then uses the stolen data as leverage for extortion. It worked with Accellion in 2021. It worked with GoAnywhere in early 2023. It worked spectacularly with MOVEit in mid-2023. And now, it has worked again with Oracle E-Business Suite.

In August 2025, Cl0p began exploiting CVE-2025-61882, a critical zero-day vulnerability in Oracle EBS, a sprawling enterprise resource planning platform used by thousands of large organizations worldwide for financial management, supply chain operations, and human resources. The attackers moved methodically through vulnerable systems, exfiltrating data without deploying ransomware or causing any obvious disruption. The victims had no idea they had been compromised.

It was not until late September 2025 that extortion emails began arriving in victims' inboxes. By that point, Cl0p had already harvested what it needed.


What Happened at Michelin

Michelin, the French tire manufacturer and one of the largest industrial companies in the world, confirmed in early 2026 that it was among the organizations affected by the Oracle EBS campaign. Cl0p listed Michelin on its extortion site, claiming to possess more than 315 gigabytes of stolen files from the company.

Michelin's public response was measured. The company stated that the breach involved a "small, localized volume" of data and that it contained "no sensitive or technical IT information." Michelin did not elaborate on what categories of data were taken, but the company's characterization suggests it is pushing back against the narrative that the breach was catastrophic.

Whether 315 gigabytes qualifies as a "small, localized volume" is a matter of perspective. For context, that is roughly equivalent to 30 million pages of documents. Even if the stolen files do not include trade secrets or system credentials, a dataset of that size almost certainly contains internal business records, employee information, or operational data that could be valuable to competitors or useful for further attacks.

Pure Extortion, No Ransomware

One of the defining features of Cl0p's recent campaigns is the absence of traditional ransomware. The group did not encrypt Michelin's systems. It did not lock anyone out of their files. It did not cause any operational disruption at all. Instead, it simply took the data and then contacted the victim with a demand: pay us, or we publish everything.

This approach is deliberate. Ransomware draws immediate attention. It triggers incident response teams, law enforcement notifications, and media coverage in real time. Data theft, on the other hand, can go undetected for weeks or months, giving the attackers time to compromise additional targets before anyone raises an alarm.

The shift toward pure data extortion also changes the calculus for victims. When ransomware locks down operations, the pressure to pay comes from the need to resume business. When the threat is data publication, the pressure comes from reputational damage, regulatory consequences, and potential lawsuits. It is a different kind of leverage, but for many organizations it is equally effective.

The Scale of the Oracle EBS Campaign

Michelin is far from the only victim. Security researchers estimate that over 100 companies were affected by Cl0p's exploitation of CVE-2025-61882. The campaign followed the same pattern as MOVEit: identify a vulnerability in software that sits at the heart of enterprise operations, exploit it at mass scale, and then methodically extort each victim individually.

Oracle E-Business Suite was an ideal target. It is used by large enterprises across every industry, often managing some of the most sensitive data in the organization: financial records, payroll information, procurement contracts, and supplier details. Many deployments are on-premises and run versions that lag behind the latest patches by months or even years.

Google's Threat Intelligence team published a detailed analysis of the campaign, noting that Cl0p's operators demonstrated sophisticated knowledge of the Oracle EBS architecture. The attackers knew exactly where to look for high-value data and how to extract it without triggering the kinds of alerts that would normally flag large-scale data transfers.

Cl0p's Pattern of Zero Day Mass Exploitation

What makes Cl0p particularly dangerous is not its technical sophistication alone, but its operational discipline. The group stockpiles zero-day vulnerabilities and waits for the right moment to deploy them. It invests in understanding enterprise software architectures at a level that allows it to move through target environments with precision. And it scales its attacks to hit dozens or hundreds of organizations simultaneously, ensuring that by the time one victim discovers the breach and alerts others, the campaign is already complete.

The MOVEit campaign in 2023 compromised over 2,500 organizations and exposed the personal data of more than 90 million individuals. The GoAnywhere campaign earlier that year hit over 130 organizations. The Oracle EBS campaign, with its estimated 100+ victims, fits neatly into this pattern. Cl0p is not an opportunistic group launching phishing attacks and hoping for the best. It operates more like a venture with a pipeline of exploits and a systematic process for monetizing them.

What Enterprises Should Take Away

The Oracle EBS campaign reinforces several lessons that security teams already know but often struggle to implement. First, internet-facing enterprise applications need continuous monitoring for unusual data access patterns, not just perimeter defenses. Cl0p did not need to deploy malware or establish persistent backdoors. It exploited a legitimate application and extracted data through channels that looked normal at a glance.

Second, patch management for on-premises enterprise software remains one of the hardest problems in cybersecurity. Oracle EBS deployments are complex, often customized, and expensive to update. Many organizations run versions that are multiple patches behind because testing and deploying updates in an EBS environment can take weeks. Attackers like Cl0p exploit exactly this gap between vulnerability disclosure and patch deployment.

Third, data loss prevention tools and network monitoring need to be calibrated to detect slow, low-volume exfiltration. Cl0p has demonstrated repeatedly that it can extract hundreds of gigabytes of data without tripping alarms. If an organization's detection strategy is built around catching fast, noisy attacks, it will miss the quiet ones entirely.
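As an added illustration of the detection gap just described (constructed egress events, not Cl0p's traffic, Oracle EBS logs, or code from the original article): a per-transfer size threshold flags only the loud pull, while a sliding-window cumulative check over the same events also catches the host that moves a modest amount every ten minutes for hours. Host names, destinations and sizes are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: (timestamp, source host, destination, bytes).
def build_sample_events():
    start = datetime(2025, 8, 12, 1, 0, 0)
    events = []
    # Noisy transfer: one 2 GB pull in a single event (hypothetical host).
    events.append((start, "ebs-app-02", "198.51.100.7", 2_000_000_000))
    # Quiet exfiltration: 40 MB every 10 minutes for six hours (36 events,
    # 1.44 GB total), each event well below a per-transfer alarm threshold.
    for i in range(36):
        events.append((start + timedelta(minutes=10 * i),
                       "ebs-app-01", "203.0.113.10", 40_000_000))
    # Background: ordinary 30 MB backups once an hour to an internal target.
    for i in range(6):
        events.append((start + timedelta(hours=i), "ebs-app-03", "10.0.0.5", 30_000_000))
    return sorted(events)

def burst_detector(events, per_event_limit):
    """Flag any single transfer above per_event_limit: catches loud pulls only."""
    return sorted({src for _, src, _, nbytes in events if nbytes > per_event_limit})

def sustained_detector(events, window, cumulative_limit):
    """Flag sources whose bytes to one destination exceed cumulative_limit
    within any sliding window of the given length."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))
    flagged = set()
    for (src, _dst), rows in by_pair.items():
        rows.sort()
        total, left = 0, 0
        for ts, nbytes in rows:
            total += nbytes
            while ts - rows[left][0] > window:   # drop events older than the window
                total -= rows[left][1]
                left += 1
            if total > cumulative_limit:
                flagged.add(src)
                break
    return sorted(flagged)

def compare_detectors():
    events = build_sample_events()
    return {
        "burst": burst_detector(events, per_event_limit=500_000_000),
        "sustained": sustained_detector(events, window=timedelta(hours=24),
                                        cumulative_limit=500_000_000),
    }

if __name__ == "__main__":
    print(compare_detectors())
```

The burst check reports only ebs-app-02; the sustained check reports both ebs-app-02 and the slow ebs-app-01, while the hourly backup host stays under the cumulative limit.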

Michelin's breach may ultimately prove to be a contained incident with limited fallout, as the company suggests. But the broader campaign is a warning. Cl0p will find another zero-day. It will target another widely deployed enterprise platform. And the organizations that have not invested in monitoring their most critical systems for subtle signs of compromise will once again learn about the breach from an extortion email, not from their own security tools.