
Urgent: Hackers Exploit Unpatched Oracle EBS Vulnerabilities

Summary

– Oracle has warned customers that hackers may be exploiting vulnerabilities in unpatched instances of its E-Business Suite (EBS).
– The Google Threat Intelligence Group alerted that hackers are sending extortion emails to executives, claiming to have stolen sensitive EBS data.
– Oracle’s CSO confirmed that some customers received extortion emails and linked the issue to vulnerabilities addressed in the July 2025 Critical Patch Update.
– Oracle’s July 2025 patch update fixed 309 vulnerabilities, including nine affecting the E-Business Suite.
– Among the nine EBS flaws, three are critical and three others can be exploited remotely without authentication.

A significant security alert has been issued for users of Oracle’s E-Business Suite (EBS), with active exploitation of unpatched vulnerabilities now confirmed. Following an investigation, Oracle has acknowledged that certain clients have been targeted by hackers sending extortion emails. These messages claim that sensitive corporate data has been stolen from their EBS systems.

The Google Threat Intelligence Group initially flagged this malicious campaign, noting that executives at multiple organizations received these threatening communications. Rob Duhart, Chief Security Officer for Oracle Security, verified the situation in an official statement. He indicated that Oracle’s internal review points toward the abuse of security gaps that were already identified and for which fixes were made available.

Duhart emphasized that the specific weaknesses being leveraged were resolved in the July 2025 Critical Patch Update. He strongly urged all customers who have not yet done so to implement these patches immediately to protect their systems from compromise.

That particular patch update was a substantial one, addressing a total of 309 security flaws across Oracle’s extensive product portfolio. Within that large set, nine vulnerabilities were specifically related to the E-Business Suite. A concerning three of these are rated as critical, and another three can be exploited by attackers over the network without requiring any login credentials.

The following is the complete list of these nine E-Business Suite flaws, ordered from the most severe to the least severe.

(Source: Info Security)
