Data Breaches

Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks

The software giant’s investigation showed that vulnerabilities patched in July 2025 may be involved.

Oracle E-Business Suite hack

Oracle has confirmed that some of its customers have received extortion emails and the software giant’s investigation indicates that the attackers may have exploited known vulnerabilities.

Google Threat Intelligence Group (GTIG) and Mandiant revealed this week that executives at many organizations using Oracle’s E-Business Suite (EBS) enterprise resource planning product have received emails claiming the theft of sensitive information.

GTIG and Mandiant researchers have yet to confirm the hackers’ claims, but pointed out that the extortion emails claim to come from members of the notorious Cl0p cybercrime group, and the messages have been sent from compromised accounts previously linked to another cybercrime gang tracked as FIN11.

Contacted by SecurityWeek, Oracle representatives pointed to a blog post published on Thursday by Rob Duhart, the software giant’s chief security officer.

Duhart said the company is aware that some E-Business Suite customers have received extortion emails. 

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update,” Duhart explained, without naming the potentially exploited flaws.

Advertisement. Scroll to continue reading.

Oracle fixed roughly 200 vulnerabilities with its July 2025 CPU. Nine patches were released for E-Business Suite, including three for flaws that can be exploited remotely without authentication. These three vulnerabilities, all rated ‘medium severity’, are tracked as CVE-2025-30746, CVE-2025-30745 and CVE-2025-50107. Oracle’s advisory indicates that user interaction is required for their exploitation. 

Three vulnerabilities fixed in July in E-Business Suite have been assigned a ‘high severity’ rating: CVE-2025-30743, CVE-2025-30744, and CVE-2025-50105. While they do not allow remote exploitation without authentication, their exploitation does not require user interaction. 

If the involvement of Cl0p and/or FIN11 is confirmed, it should not come as a surprise. Both groups, which are linked, are known to launch campaigns that involve the exploitation of vulnerabilities in software that is used by many organizations to handle sensitive data. 

Cl0p was behind campaigns targeting Cleo, MOVEit, and Fortra file transfer products. The FIN11 group was behind a campaign that targeted an Accellion file transfer service. All of these campaigns involved the exploitation of zero-day flaws. 

Earlier this year, Oracle confirmed that hackers managed to steal data from a legacy cloud environment.

Related: CISA Issues Guidance After Oracle Cloud Hack

Related: Recent Fortra GoAnywhere MFT Vulnerability Exploited as Zero-Day 

Related: 1.2 Million Impacted by WestJet Data Breach

Related Content

Vulnerabilities

Oracle has released its June 2026 Critical Security Patch Update to fix vulnerabilities in Communications, EBS, Enterprise Manager and other products.

Cybercrime

Oracle has mitigated CVE-2026-35273, but it has not publicly confirmed the vulnerability’s in-the-wild exploitation.

Vulnerabilities

Oracle has released mitigations for CVE-2026-35273, but it has not said whether it’s a zero-day exploited in ShinyHunters attacks.

Vulnerabilities

The vulnerability is CVE-2024-21182 and it can be exploited without authentication to hack affected WebLogic servers.

Vulnerabilities

Oracle’s monthly Critical Security Patch Update (CSPU) rollouts are meant to deliver critical fixes faster.

Vulnerabilities

Containing fixes for critical-severity vulnerabilities, the monthly rollouts will focus on addressing priority issues faster.

Vulnerabilities

The company released 481 new security patches across 28 product families, including over 300 fixes for remotely exploitable, unauthenticated flaws.

Data Breaches

The Lapsus$ hackers allegedly compromised internal code repositories, credentials, and employee data.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version