SecurityWeek

Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks

The software giant’s investigation showed that vulnerabilities patched in July 2025 may be involved.


Oracle has confirmed that some of its customers have received extortion emails and the software giant’s investigation indicates that the attackers may have exploited known vulnerabilities.

Google Threat Intelligence Group (GTIG) and Mandiant revealed this week that executives at many organizations using Oracle’s E-Business Suite (EBS) enterprise resource planning product have received emails claiming the theft of sensitive information.

GTIG and Mandiant researchers have yet to confirm the hackers’ claims, but pointed out that the extortion emails claim to come from members of the notorious Cl0p cybercrime group, and the messages have been sent from compromised accounts previously linked to another cybercrime gang tracked as FIN11.

Contacted by SecurityWeek, Oracle representatives pointed to a blog post published on Thursday by Rob Duhart, the software giant’s chief security officer.

Duhart said the company is aware that some E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update,” Duhart explained, without naming the potentially exploited flaws.


Oracle fixed roughly 200 vulnerabilities with its July 2025 CPU. Nine patches were released for E-Business Suite, including three for flaws that can be exploited remotely without authentication. These three vulnerabilities, all rated ‘medium severity’, are tracked as CVE-2025-30746, CVE-2025-30745 and CVE-2025-50107. Oracle’s advisory indicates that user interaction is required for their exploitation.

Three vulnerabilities fixed in July in E-Business Suite have been assigned a ‘high severity’ rating: CVE-2025-30743, CVE-2025-30744, and CVE-2025-50105. While they do not allow remote exploitation without authentication, their exploitation does not require user interaction.

If the involvement of Cl0p and/or FIN11 is confirmed, it should not come as a surprise. Both groups, which are linked, are known to launch campaigns that involve the exploitation of vulnerabilities in software that is used by many organizations to handle sensitive data.

Cl0p was behind campaigns targeting Cleo, MOVEit, and Fortra file transfer products. The FIN11 group was behind a campaign that targeted an Accellion file transfer service. All of these campaigns involved the exploitation of zero-day flaws.

Earlier this year, Oracle confirmed that hackers managed to steal data from a legacy cloud environment.

Related: CISA Issues Guidance After Oracle Cloud Hack

Related: Recent Fortra GoAnywhere MFT Vulnerability Exploited as Zero-Day

Related: 1.2 Million Impacted by WestJet Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
