Leak at Michelin
In November 2025, the Cl0p extortion gang listed French tyre maker Michelin on its leak site, claiming to have stolen internal manufacturing, engineering, supply-chain, financial and HR files via the Oracle E-Business Suite zero-day (CVE-2025-61882).
- Victim
- Michelin
On 20 November 2025, Michelin β the French multinational tyre manufacturer headquartered in Clermont-Ferrand β was added to the leak site of the Cl0p extortion group, which claimed to have stolen large volumes of the company's internal corporate data and threatened to publish it unless contacted.
The intrusion is attributed to Cl0p's mass campaign exploiting a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882), a critical flaw (CVSS 9.8) allowing unauthenticated remote code execution over HTTP. Cl0p ran a broad scanning-and-exfiltration operation against vulnerable Oracle EBS deployments and named dozens of victims β including Michelin, Canon, Mazda and EstΓ©e Lauder β in the same wave. This was a data-theft extortion play rather than file encryption.
The data Cl0p claims to have exfiltrated reportedly spans several categories of confidential corporate material:
- Manufacturing and production documentation
- Engineering and R&D files (technical reports, CAD drawings, simulation data)
- Supply-chain and procurement records (supplier agreements, pricing)
- Logistics and distribution documentation
- Financial and corporate records
- HR and personnel data
As of disclosure, Cl0p had not released sample files and no record count was confirmed, so the scope of the theft remains claimed but unverified. The matter is unresolved, with the data still listed under extortion and no public Michelin settlement reported.
Sources
- botcrawl.comhttps://botcrawl.com/michelin-data-breach/
- dexpose.iohttps://www.dexpose.io/clop-ransomware-hits-french-tyre-giant-michelin/
- ransomware.livehttps://www.ransomware.live/id/TUlDSEVMSU4uQ09NQGNsb3A=
- socradar.iohttps://socradar.io/blog/cl0p-oracle-ebs-zeroday-campaign/