The MSG Data Breach Was the Symptom. Oracle EBS Was the Disease.
ID: c1d4f1ab-7778-5956-b10f-f411ce00b55f
STIX ID: report--c1d4f1ab-7778-5956-b10f-f411ce00b55f
Feed Name: NoHackie
This report details a critical, actively exploited Oracle E-Business Suite zero-day (CVE-2025-61882, CVSS 9.8) that Cl0p abused to deploy custom multi-stage Java implants. The implants persisted via servlet filters and database-stored XSL templates, enabling months-long data exfiltration across 100+ organizations, including MSG Entertainment, where 131,070 people were affected. The report covers the complex remediation timeline (including a separate CVE-2025-61884), the operational sophistication and scale of the campaign, the vendor-hosting and detection failures that produced a four-month discovery gap, extortion and leak activity, IOCs and hunting queries, and concrete mitigation recommendations for affected parties.
