Oracle Confirms Extortion Campaign Targeting Customers Due to EBS Flaw Fixed in July
- Extortion confirmed: Oracle has verified that customers of its E-Business Suite products are receiving extortion emails from hackers.
- Hacker claims: The attackers, linked to the Cl0p ransomware group, claim to have stolen data by exploiting software vulnerabilities.
- Oracle's response: The company is urging customers to apply the July 2025 Critical Patch Update to mitigate risks.
Oracle has officially confirmed that its E-Business Suite customers are being targeted in an extortion campaign, validating an earlier warning from Google. The attackers are sending emails to corporate executives, claiming to have exfiltrated sensitive data and threatening its release unless a ransom is paid.
The scale of the campaign and the high-profile nature of the targets present significant cybersecurity threats to organizations utilizing Oracle's widely adopted business software.
Attributed to Cl0p Ransomware Group
The campaign has been linked to the Cl0p ransomware group, a well-known Russian-speaking cybercriminal organization that Trend Micro researchers have described as a "trendsetter" in the ransomware-as-a-service (RaaS) space.
In a message to Reuters, the group made a cryptic statement about Oracle, saying the company had "bugged up," but did not provide details.
Google confirmed that the group behind the "high-volume" attacks is claiming an affiliation with the notorious Cl0p ransomware gang, the threat actor linked to last year's Cleo file-transfer hack.
Exploitation of E-Business Suite Vulnerabilities
In response, Oracle has acknowledged that its investigation points to the potential exploitation of previously identified Oracle E-Business Suite (EBS) vulnerabilities, and it has strongly urged customers to apply the latest security updates, specifically the July 2025 Critical Patch Update.
That update contains nine new security patches for Oracle E-Business Suite, three of which address vulnerabilities that may be remotely exploitable without authentication.
While Oracle has not specified the number of clients affected by the extortion emails, the public confirmation underscores the severity of the threat.
This incident is a reminder for all enterprise software users to maintain rigorous patch management, particularly for internet-facing applications, to defend against such attacks. A September Bugcrowd analysis reported a surge in hardware and network vulnerability exploits in 2025.
In mid-September, ByteToBreach claimed to have extracted approximately 380 gigabytes of user data from an Oracle database after compromising an Azure server belonging to Avatel, a Spanish telco.
In August, Oracle announced that one of its “legacy” computer systems had been breached, and “old” client login credentials were compromised.