Canon has formally confirmed that it was targeted during the widespread hacking campaign exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS).
The attack, orchestrated by the notorious Clop ransomware gang, has impacted dozens of major organizations worldwide. The group listed Canon on its dark web leak site, publishing the company's domain alongside other alleged victims.
While the listing on the leak site raised concerns about a massive data breach, Canon clarified that the impact was contained. The camera and imaging giant stated that the compromise affected only a specific environment within one of its subsidiaries.
According to the company, the attackers did not encrypt the broader network or disrupt global operations, which distinguishes this incident from the devastating Maze ransomware attack Canon suffered in 2020.
Canon's security team detected the intrusion and immediately isolated the affected systems. In a statement shared with SecurityWeek, the company emphasized that the breach did not spread beyond a web server operated by a Canon U.S.A., Inc. subsidiary.
The rapid containment likely prevented the theft of sensitive customer data or intellectual property, which the Clop group typically seeks for extortion.
"We have confirmed that the incident only affected the web server, and we have already taken security measures and resumed service," Canon said. "In addition, we are continuing to investigate further to ensure that there is no other impact."
The Oracle EBS Zero-Day Exploit
The vulnerability used in this campaign is tracked as CVE-2025-61882, a critical security flaw in Oracle E-Business Suite. This zero-day allowed unauthenticated attackers to execute arbitrary code remotely on vulnerable servers.
Security researchers discovered that Clop affiliates, tracked as Graceful Spider, began exploiting this flaw as early as August 2025 to plant web shells and exfiltrate data before Oracle could issue a patch in October.
| Detail             | Description                                   |
|--------------------|-----------------------------------------------|
| CVE ID             | CVE-2025-61882                                |
| CVSS Score         | 9.8 (Critical)                                |
| Affected Product   | Oracle E-Business Suite (EBS)                 |
| Affected Versions  | 12.2.3 through 12.2.14                        |
| Vulnerability Type | Unauthenticated Remote Code Execution (RCE)   |
| Exploit Vector     | Network (no user interaction required)        |
This incident is part of a larger "MOVEit-style" extortion wave in which Clop leveraged the zero-day to breach nearly 30 organizations. Instead of deploying encryption malware immediately, the group focused on data theft and subsequently sent extortion emails to executives starting in late September 2025.
These emails threatened to leak stolen documents unless a ransom was paid. The group's leak site currently lists domains, including Canon, suggesting these entities were successfully compromised during the automated exploitation phase.
Indicators of Compromise (IoCs)
| Indicator Type | Value | Description |
|----------------|-------|-------------|
| IPv4 Address | 200.107.207.26 | Malicious command and control (C2) IP |
| IPv4 Address | 185.181.60.11 | Observed exploitation source IP |
| SHA256 Hash | 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | Malicious zip archive containing exploit tools |
| SHA256 Hash | 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | Python script used for server-side exploitation |
| File Name | FileUtils.java | Malicious web shell downloader |
Security teams are advised to scan their Oracle EBS environments for these indicators and apply the official patches immediately to prevent further unauthorized access.
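As an added example (not code from the article, Canon or Oracle), the following Python script checks web-server access log entries and files on disk against the IoC values listed above. The log lines are constructed samples, and the log format, file paths and function names are assumptions.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the article's IoC table.
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}
IOC_FILENAMES = {"FileUtils.java"}

# Constructed sample web-server access log (combined log format); not real Canon data.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/2025:10:01:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512
185.181.60.11 - - [02/Oct/2025:10:03:44 +0000] "POST /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 88
10.0.0.7 - - [02/Oct/2025:10:05:10 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512
200.107.207.26 - - [02/Oct/2025:10:09:31 +0000] "GET /OA_HTML/help/index.htm HTTP/1.1" 404 0
"""

# Source IP, timestamp, request line and status code of one combined-format log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def scan_log(text):
    """Return (line_number, source_ip, request) for every entry whose source IP is a known IoC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m and m.group("ip") in IOC_IPS:
            hits.append((n, m.group("ip"), m.group("req")))
    return hits

def match_file(path, data):
    """Return 'filename' or 'sha256' if the file matches an IoC, else None."""
    if Path(path).name in IOC_FILENAMES:
        return "filename"
    if hashlib.sha256(data).hexdigest() in IOC_SHA256:
        return "sha256"
    return None

def scan_tree(root):
    """Walk a directory (e.g. the EBS web tier's document root) and list files matching an IoC."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            reason = match_file(p, p.read_bytes())
            if reason:
                hits.append((str(p), reason))
    return hits
```

A hit from `scan_log` or `scan_tree` is a trigger for investigation, not proof of compromise on its own; confirm against the web server's own logs and patch status.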
