

Cl0p ransomware operators launched a targeted campaign against Cox Enterprises by exploiting a critical zero‑day vulnerability in Oracle E‑Business Suite (Oracle EBS), tracked as CVE‑2025‑61882, which allowed remote, unauthenticated access to one of the company’s most sensitive back‑office platforms. The intrusion took place roughly between 9 and 14 August 2025 and went undetected until late September, giving attackers ample time to systematically explore the Oracle EBS environment and exfiltrate data.
Instead of prioritizing large‑scale encryption, Cl0p focused on data theft and extortion, quietly pulling sensitive records linked to 9,479 individuals from Cox’s Oracle EBS instance. Stolen data, believed to include personal identifiers and potentially HR and financial information, was later posted on Cl0p’s leak site after Cox did not meet ransom demands. Oracle released a patch for CVE‑2025‑61882 in early October, but by then multiple organizations had already been compromised as part of this broader Oracle EBS campaign.
Cox has notified affected users and offered credit‑monitoring and identity‑theft protection services while strengthening monitoring and patching around Oracle EBS and related ERP assets. The case underscores how a single ERP zero‑day can become a global extortion vector, enabling supply‑chain‑style impact across telecom, media, automotive, and other sectors.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.