Oracle Warns Known Flaws Fueling Recent Ransomware Attacks

Summary
– Oracle confirmed some E-Business Suite customers received extortion emails, with attackers potentially exploiting known vulnerabilities.
– Google Threat Intelligence and Mandiant revealed executives received emails claiming data theft, possibly from the Cl0p or FIN11 cybercrime groups.
– Oracle’s investigation identified potential exploitation of vulnerabilities addressed in the July 2025 Critical Patch Update, though specific flaws weren’t named.
– The July 2025 patch fixed nine EBS vulnerabilities, including three remotely exploitable without authentication and three high-severity flaws not requiring user interaction.
– Cl0p and FIN11 have histories of exploiting zero-day vulnerabilities in widely used software for data theft campaigns.
Oracle has issued a warning that known vulnerabilities in its software are being actively exploited in a wave of ransomware attacks targeting its customers. The company confirmed that several users of its Oracle E-Business Suite (EBS) have received extortion emails, with an ongoing investigation pointing toward the abuse of security flaws that were already identified and patched.
According to findings from Google Threat Intelligence Group and Mandiant, executives at multiple organizations using EBS have been sent messages alleging that sensitive company data was stolen. While researchers have not yet verified the hackers’ claims, the emails appear to originate from members of the Cl0p ransomware group. These messages were sent from compromised email accounts previously associated with another cybercrime syndicate tracked as FIN11.
Rob Duhart, Oracle’s chief security officer, stated in a recent blog post that the company is aware of the extortion campaign. He noted that the investigation suggests attackers may have leveraged vulnerabilities that were resolved in Oracle’s July 2025 Critical Patch Update. Duhart did not specify which particular flaws were involved.
The July 2025 update from Oracle included fixes for nearly 200 security issues. Among these, nine patches were released specifically for E-Business Suite. Three of the patched vulnerabilities, CVE-2025-30746, CVE-2025-30745, and CVE-2025-50107, were rated as medium severity and could be exploited remotely without requiring authentication, though user interaction was necessary. Additionally, three high-severity vulnerabilities, CVE-2025-30743, CVE-2025-30744, and CVE-2025-50105, were also patched. While these could not be exploited remotely without authentication, they did not require any user interaction to be leveraged by attackers.
Should the involvement of Cl0p or FIN11 be confirmed, it would align with their established tactics. Both groups, which are known to be connected, have a history of launching attacks that exploit vulnerabilities in widely used enterprise software. Cl0p has previously been linked to major campaigns targeting file transfer products from Cleo, MOVEit, and Fortra. Similarly, FIN11 was responsible for an attack on an Accellion file transfer service. In each of these incidents, the groups successfully weaponized zero-day vulnerabilities.
This recent incident follows an earlier security event this year in which Oracle acknowledged that hackers had stolen data from a legacy cloud environment. The recurrence of such attacks underscores the persistent threat posed by cybercriminal groups targeting enterprise software platforms.
(Source: Security Week)