Oracle Confirms That Hackers Are Targeting E-Business Suite Data With Extortion Emails


Oracle Corporation has officially acknowledged that cybercriminals are targeting customers of its E-Business Suite (EBS) platform through sophisticated extortion campaigns. 

The company’s Chief Security Officer, Rob Duhart, confirmed that hackers have been exploiting previously identified vulnerabilities that were addressed in Oracle’s July 2025 Critical Patch Update (CPU). 

This latest security incident underscores the persistent threat landscape facing enterprise applications and highlights the critical importance of timely security patch deployment.

Oracle E-Business Suite Customers Targeted

Bloomberg stated that the cybercriminal group, claiming affiliation with the notorious Cl0p ransomware organization, has been conducting a highly coordinated attack campaign against Oracle E-Business Suite installations. 

According to cybersecurity firm Halcyon, the threat actors have demonstrated sophisticated tactics, techniques, and procedures (TTPs) by compromising user email accounts and exploiting default password-reset functions to obtain valid credentials for internet-facing Oracle EBS portals.
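The account-takeover path described above (compromised mailbox, self-service password reset, then a login with the freshly minted credential) leaves a recognisable trace in authentication logs: a reset closely followed by a successful login from a source address that account has never used. The detector below is an added illustration written for this article, not code from Oracle, Halcyon or the Cl0p research cited here; the log format, field names and sample lines are constructed for the example and do not reflect real Oracle EBS log output.

```python
"""Flag password resets that are quickly followed by a login from a source
address the account has never used before.

The log format (timestamp, user, event, source IP) and the sample lines are
hypothetical and constructed for this example; adapt the parser to the
real audit source (EBS sign-on audit, SSO/IdP logs, reverse-proxy access
logs) before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real Oracle EBS logs.
SAMPLE_LOG = """\
2025-09-28T08:01:10Z jdoe LOGIN_SUCCESS 10.1.4.22
2025-09-28T09:00:00Z asmith LOGIN_SUCCESS 10.1.4.30
2025-09-28T09:15:42Z jdoe LOGIN_SUCCESS 10.1.4.22
2025-09-29T02:10:03Z jdoe PASSWORD_RESET 10.1.4.22
2025-09-29T02:14:51Z jdoe LOGIN_SUCCESS 203.0.113.77
2025-09-29T10:00:00Z asmith PASSWORD_RESET 10.1.4.30
2025-09-29T10:03:12Z asmith LOGIN_SUCCESS 10.1.4.30
"""


def parse(lines):
    """Parse whitespace-separated lines into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort(key=lambda e: e[0])
    return events


def find_suspicious_resets(lines, window=timedelta(hours=1)):
    """Return alerts for each PASSWORD_RESET followed within `window` by a
    LOGIN_SUCCESS from an IP the user had never logged in from before."""
    known_ips = defaultdict(set)  # per-user source IPs seen on earlier successful logins
    pending = {}                  # user -> timestamp of their most recent reset
    alerts = []
    for ts, user, event, ip in parse(lines):
        if event == "PASSWORD_RESET":
            pending[user] = ts
        elif event == "LOGIN_SUCCESS":
            reset_at = pending.pop(user, None)
            # Only the first login after a reset is evaluated against the window.
            if reset_at is not None and ts - reset_at <= window and ip not in known_ips[user]:
                alerts.append({
                    "user": user,
                    "reset_at": reset_at.isoformat(),
                    "login_ip": ip,
                })
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_LOG):
        print(f"ALERT: {alert['user']} reset at {alert['reset_at']}, "
              f"then logged in from new address {alert['login_ip']}")
```

On the constructed sample, only `jdoe` trips the rule: the reset is followed four minutes later by a login from an address never seen for that account, while `asmith` resets and logs back in from a familiar address. In a real deployment the "known IP" baseline should be built from a longer history than the detection window, and the same correlation can be extended to the mailbox side by joining on the mail-service event that delivered the reset link.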

The attackers have provided victims with proof of compromise, including detailed screenshots and file tree structures demonstrating unauthorized access to sensitive corporate data. 


In at least one documented case, the extortion demands reached as high as $50 million, representing one of the largest ransom demands observed in recent cybercriminal campaigns. 

The threat actors began distributing extortion emails on or before September 29, 2025, using hundreds of compromised third-party email accounts to evade detection mechanisms.

Oracle’s E-Business Suite, which manages critical enterprise functions including financial management, supply chain operations, and customer relationship management (CRM), has become an attractive target due to its extensive deployment across large organizations. 

The exploitation appears to leverage previously identified security flaws that were patched in Oracle’s July 2025 Critical Patch Update, including CVEs covering authentication bypass and privilege escalation.

Genevieve Stark, head of cybercrime at Google Threat Intelligence Group, confirmed that the extortion emails contain contact details matching those listed on Cl0p’s official dark web infrastructure. 

The threat group’s modus operandi includes characteristic grammatical errors and linguistic patterns consistent with previous Cl0p operations, including their infamous 2023 MOVEit campaign that compromised over 3,000 organizations in the United States and 8,000 globally.

Oracle has reiterated its strong recommendation for the immediate deployment of the latest Critical Patch Updates, emphasizing that organizations maintaining current security patch levels significantly reduce their attack surface. 

The company’s security advisory specifically references the July 2025 CPU, which addressed multiple high-severity vulnerabilities with CVSS scores ranging from 7.5 to 9.8, including remote code execution (RCE) and SQL injection attack vectors. 

Organizations experiencing similar extortion attempts are advised to contact Oracle Support immediately while implementing incident response procedures, including network segmentation and the preservation of forensic data.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.