Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Oracle. Show all posts
Vulnerabilities and Exploits
CISA E-Business Suite Oracle SSR Flaw Vulnerabilities and Exploits

Critical Oracle Suite Flaw Actively Exploited; CISA Orders Urgent Patch

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that attackers are actively exploiting a critical server-side request forgery (SSRF) vulnerability, CVE-2025-61884, in Oracle E-Business Suite's Configurator runtime component. Federal agencies have been directed to patch this flaw by November 10, 2025, as it is now listed in CISA’s Known Exploited Vulnerabilities catalog.

CVE-2025-61884, which carries a severity rating of 7.5, allows attackers to gain unauthorized access to sensitive data or even full access to all Oracle Configurator data. The vulnerability was first disclosed by Oracle on October 11, 2025, but the company did not initially confirm exploitation, despite evidence that the exploit was leaked by threat actors ShinyHunters and Scattered Lapsus$ in July. The patch fixes the SSRF flaw by validating the "return_url" parameter provided by attackers, blocking malicious requests if validation fails.

In early October, cybersecurity firm Mandiant disclosed that the Clop ransomware group had been extorting organizations using Oracle E-Business Suite zero-day flaws. Oracle responded by stating that Clop had exploited vulnerabilities patched in July. On October 3, ShinyHunters leaked an exploit for Oracle EBS, which was later linked to Clop. Oracle then disclosed CVE-2025-61882, which was unrelated and was patched for August attacks that targeted the /OA_HTML/SyncServlet endpoint.

Investigations by CrowdStrike and Mandiant revealed two distinct campaigns: the July campaign exploited the SSRF flaw in /configurator/UiServlet (CVE-2025-61884), while the August campaign targeted the /OA_HTML/SyncServlet endpoint, now fixed under CVE-2025-61882. The ShinyHunters exploit leaked earlier targets the UiServlet SSRF chain, not the SyncServlet flaw.

There is confusion about why Oracle listed the ShinyHunters exploit as an indicator of compromise for CVE-2025-61882 instead of CVE-2025-61884, despite evidence pointing to the latter. Oracle has not responded to media inquiries regarding this discrepancy or the status of CVE-2025-61882 as exploited. This incident highlights the ongoing risk to organizations using Oracle E-Business Suite and underscores the urgency of timely patching and robust vulnerability management.
Read more »
zero-day
Clop Ransomware Extortion Campaign Oracle Vulnerabilities and Exploits zero-day

Clop Ransomware Exploits Oracle Zero-Day in Major Extortion Campaign

 

The Clop ransomware gang has orchestrated a massive extortion campaign targeting Oracle E-Business Suite customers by exploiting a critical zero-day vulnerability tracked as CVE-2025-61882. The vulnerability, which carries a CVSS score of 9.8, affects Oracle EBS versions 12.2.3 through 12.2.14 and allows unauthenticated remote code execution without requiring credentials.

Beginning September 29, 2025, Clop operatives sent high-volume extortion emails to executives at numerous organizations, claiming to have stolen sensitive data from their Oracle EBS environments. However, investigations by Google Threat Intelligence Group and Mandiant revealed that active exploitation began much earlier—as early as August 9, 2025, with suspicious activity dating back to July 10, 2025. This means attackers exploited the vulnerability weeks before Oracle released a patch on October 4, 2025.

The vulnerability affects the Concurrent Processing component's BI Publisher integration within Oracle EBS, allowing attackers to execute arbitrary code and gain complete control over compromised servers. Researchers identified multiple distinct exploitation chains targeting various EBS components, including UiServlet and SyncServlet modules. The most probable attack vector involved the SyncServlet module, where attackers injected malicious XSL files into databases via the XDO Template Manager to trigger remote code execution.

The campaign involved sophisticated multi-stage malware frameworks, including GOLDVEIN.JAVA downloader and the SAGE malware family. These tools closely resemble malware families deployed during Clop's previous Cleo software compromise in late 2024, strengthening attribution to the notorious cybercrime group. Attackers successfully exfiltrated significant amounts of data from impacted organizations, affecting dozens of victims according to current assessments.

Clop, also known as TA505 or FIN11, has been active since 2019 and maintains a track record of exploiting zero-day vulnerabilities in enterprise platforms. The group previously targeted Accellion FTA, SolarWinds Serv-U FTP, GoAnywhere MFT, MOVEit Transfer, and Cleo file transfer systems. This latest campaign demonstrates Clop's continued focus on rapid zero-day exploitation of critical enterprise software for large-scale data extortion operations.

Oracle issued an emergency security alert on October 4, 2025, urging customers to apply the patch immediately. The FBI characterized the zero-day as "an emergency putting Oracle E-Business Suite environments at risk of full compromise". CISA added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog and issued urgent alerts regarding active exploitation for ransomware attacks worldwide.
Read more »
Passwords
Cloud Service Data Breach Oracle Passwords

Oracle Faces Data Leak Claims, Clarifies Cloud Services Remain Safe

 



Oracle has informed its users that a recent cyberattack only affected two outdated servers that are no longer in use. These systems were separate from Oracle’s main cloud services, and the company says that no active customer data or cloud-based accounts were harmed.

In the notice sent to its customers, Oracle clearly stated that its main cloud service, known as Oracle Cloud Infrastructure (OCI), was not targeted or accessed by attackers. They reassured users that no data was viewed, taken, or misused, and there was no interruption in cloud operations.

According to Oracle, the stolen information included usernames from older systems. However, passwords stored on those servers were either scrambled or secured in such a way that they could not be used to break into any accounts. As a result, the hackers were not able to reach any customer platforms or data.

The incident first came to public attention when a hacker began selling what they claimed were millions of user records on an online cybercrime marketplace. Oracle has been under pressure since then to confirm whether or not its systems were breached. While the company continues to deny that their modern cloud platform was affected, cybersecurity experts say that the older systems— though no longer active - were once part of Oracle’s cloud services under a different name.

Some security specialists have criticized Oracle’s choice of words, saying the company is technically correct but still avoiding full responsibility by referring to the older system as separate from its current services.

Reports suggest that the hackers may have broken into these old systems as early as January 2025. The intruders allegedly installed harmful software, allowing them to collect data such as email addresses, usernames, and coded passwords. Oracle described the stolen data as outdated, but some of the records being shared online are from late 2024 and early 2025.

This comes shortly after another reported incident involving Oracle’s healthcare division, formerly called Cerner. That breach affected hospitals in the U.S., and a hacker is now reportedly demanding large payments to prevent the release of private medical information.

Even though Oracle insists its main cloud platform is secure, these incidents raise questions about how clearly companies communicate data breaches. Users who are concerned have been advised to reach out to Oracle’s support team for more information.


Read more »
Passwords
Cyber Security Login Credentials Oracle Passwords

Hacker Claims Oracle Cloud Breach, Threatens to Leak Data

 



A hacker who goes by the name “Rose87168” is claiming to have broken into Oracle Cloud systems and is now threatening to release or sell the data unless their demands are met. According to security researchers, this person says they’ve gained access to information from over 140,000 accounts, with a total of 6 million records.

Oracle has not confirmed that any such breach took place. At first, the company denied the claims. Since then, they’ve chosen not to respond to questions about the situation. However, cybersecurity experts are beginning to find signs that support the hacker’s story.

One group of researchers believes that the attack may have happened through a flaw in how users log in. They suggest that the hacker may have found a hidden security weakness or a problem in Oracle's login system, which let them get in without needing a password. This could be tied to a previously reported vulnerability in Oracle’s software, which has been labeled a high risk by experts. That earlier issue allowed anyone with internet access to take over accounts if not fixed.

The hacker claims the stolen material includes sensitive information like login credentials, passwords for internal systems, and private security keys. These are all crucial for keeping accounts and data secure. If leaked, this information could lead to unauthorized access to many companies’ services and customer details.

Researchers have examined some of the data provided by the hacker and say it appears to be genuine. Another security group, Trustwave SpiderLabs, also looked into the case. They confirmed that the hacker is now offering the stolen data for sale and allowing buyers to choose what they want to purchase based on specific details, like company names or encrypted passwords.

Experts from both teams say the evidence strongly suggests that the breach is real. However, without a statement from Oracle, nothing is officially confirmed.

This situation is a reminder of how critical it is for companies to keep their systems up to date and to act quickly when possible flaws are discovered. Businesses that use cloud services should check their security settings, limit unnecessary access, and apply all software updates as soon as they are available.

Staying alert and following good cybersecurity habits can reduce the chances of being affected by incidents like this.


Read more »
User Data
Data Breach Data Leak Oracle Oracle Cloud User Data

Oracle Cloud Confirms Second Hack in a Month, Client Log-in Data Stolen

 

Oracle Corporation has warned customers of a second cybersecurity incident in the last month, according to Bloomberg News. A hacker infiltrated an older Oracle system and stole login credentials from client accounts, some of which date back as recently as 2024. 

The tech company reportedly informed clients that an attacker had gained access to a legacy environment—a system that had not been in active operation for roughly eight years. Although Oracle told clients that the environment had been dormant, the data retrieved included valid login credentials, which might pose a security concern, especially if users had not updated or deleted their accounts. 

This follows a prior hack last month, in which an anonymous individual attempted to sell stolen Oracle data online, prompting internal investigations. That incident, too, involved data stolen from Oracle's cloud servers in Austin, Texas. 

The FBI and cybersecurity firm CrowdStrike Holdings are presently looking into the most recent incident, Oracle informed some of its clients. According to individuals who spoke to Bloomberg, the attacker is thought to have demanded an extortion payment. Interestingly, Oracle has declared that there is no connection between the two incidents. 

According to the firm, this breach occurred due to an outdated, dormant system, whereas the previous one affected specific clients in the healthcare sector. Oracle has not yet released a statement to the public, but according to Reuters, the company told customers directly and stressed that the impact is minimal because of how old the system in question is. 

Last month, Oracle also notified clients last month of a compromise at the software-as-a-service (SaaS) company Oracle Health (formerly Cerner), which affected many healthcare organisations and hospitals in the United States.

Even though the company has not publicly reported the event, threat analysts confirmed that patient data was stolen during the attack, as evidenced by private contacts between Oracle Health and impacted clients, as well as talks with people involved. Oracle Health reported that the breach of legacy Cerner data transfer servers occurred on February 20, 2025, and that the perpetrators accessed the systems using compromised client credentials after January 22, 2025.
Read more »
Zero-day Flaw
Data Breach Data Leak Oracle User Privacy Zero-day Flaw

Oracle Finally Acknowledges Cloud Hack

 

Oracle is reportedly trying to downplay the impact of the attack while quietly acknowledging to clients that some of its cloud services have been compromised. 

A hacker dubbed online as 'rose87168' recently offered to sell millions of lines of data reportedly associated with over 140,000 Oracle Cloud tenants, including encrypted credentials. The hacker initially intended to extort a $20 million ransom from Oracle, but eventually offered to sell the data to anyone or swap it for zero-day vulnerabilities.

The malicious actor has been sharing a variety of materials to support their claims, such as a sample of 10,000 customer data records, a link to a file demonstrating access to Oracle cloud systems, user credentials, and a long video that seems to have been recorded during an internal Oracle meeting.

However, Oracle categorically denied an Oracle Cloud hack after the hacker's claims surfaced, stating, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

However, multiple independent reports suggest Oracle privately notified concerned customers and confirmed a data incident. On the other hand, specifics remain unclear, and there appears to be some conflicting information. 

Bloomberg has learned from people familiar with the matter that Oracle has started privately informing users of a data leak involving usernames, passkeys and encrypted passwords. The FBI and CrowdStrike are reportedly investigating the incident.

Security firm CyberAngel learned from an unknown source that ‘Gen 1’ cloud servers were attacked — newer ‘Gen 2’ servers were not — that the exposed material is at least 16 months old and does not include full private details. 

“Our source, who we are not naming as requested, is reporting that Oracle has allegedly determined an attacker who was in the shared identity service as early as January 2025,” Cyber Angel said. “This exposure was facilitated via a 2020 Java exploit and the hacker was able to install a webshell along with malware. The malware specifically targeted the Oracle IDM database and was able to exfil data.” 

“Oracle allegedly became aware of a potential breach in late February and investigated this issue internally,” it added. “Within days, Oracle reportedly was able to remove the actor when the first demand for ransom was made in early March.” 

Following the story, cybersecurity expert Kevin Beaumont discovered from Oracle cloud users that the tech firm has simply verbally notified them; no written notifications have been sent. According to Beaumont, "Gen 1" servers might be a reference to Oracle Classic, the moniker for earlier Oracle Cloud services. Oracle is able to deny that Oracle Cloud was compromised thanks to this "wordplay," as Beaumont refers to it.
Read more »
Web Services
AI tools Artificial Intelligence Chatbots Cyber Security Healthcare Data Oracle Web Services

Oracle and Cohere Collaborate for New Gen AI Service

 

During Oracle's recent earnings call, company founder Larry Ellison made an exciting announcement, confirming the launch of a new generation AI service in collaboration with Cohere. This partnership aims to deliver powerful generative AI services for businesses, opening up new possibilities for innovation and advanced applications.

The collaboration between Oracle and Cohere signifies a strategic move by Oracle to enhance its AI capabilities and offer cutting-edge solutions to its customers. With AI playing a pivotal role in transforming industries and driving digital transformation, this partnership is expected to strengthen Oracle's position in the market.

Cohere, a company specializing in natural language processing (NLP) and generative AI models, brings its expertise to the collaboration. By leveraging Cohere's advanced AI models, Oracle aims to empower businesses with enhanced capabilities in areas such as text summarization, language generation, chatbots, and more.

One of the key highlights of this collaboration is the potential for businesses to leverage the power of generative AI to automate and optimize various processes. Generative AI has the ability to create content, generate new ideas, and perform complex tasks, making it a valuable tool for organizations across industries.

The joint efforts of Oracle and Cohere are expected to result in the development of state-of-the-art AI models that can revolutionize how businesses operate and innovate. By harnessing the power of AI, organizations can gain valuable insights from vast amounts of data, enhance customer experiences, and streamline operations.

This announcement comes in the wake of Oracle's recent acquisition of Cerner, a healthcare technology company, further solidifying Oracle's commitment to revolutionizing the healthcare industry through advanced technologies. The integration of AI into healthcare systems holds immense potential to improve patient care, optimize clinical processes, and enable predictive analytics for better decision-making.

As the demand for AI-powered solutions continues to rise, businesses are seeking comprehensive platforms that can deliver sophisticated AI services. With Oracle and Cohere joining forces, organizations can benefit from an expanded suite of AI tools and services that can address a wide range of industry-specific challenges.

The collaboration between Oracle and Cohere highlights the growing importance of AI in driving innovation and digital transformation across industries. As businesses increasingly recognize the value of AI, partnerships like this one are crucial for pushing the boundaries of what AI can achieve and bringing advanced capabilities to the market.

The partnership between Oracle and Cohere signifies a significant step forward in the realm of AI services. The collaboration is expected to deliver powerful generative AI solutions that can empower businesses to unlock new opportunities and drive innovation. With Oracle's expertise in enterprise technology and Cohere's proficiency in AI models, this collaboration holds great promise for businesses seeking to leverage the full potential of AI in their operations and strategies.
Read more »
Vulnerabilities and Exploits
Cloud Data Cloud Security cloud storage Exploits Oracle Vulnerabilities and Exploits

Vulnerability in OCI Could Have Put the Data of Customers Exposed to the Attacker

 

A vulnerability called 'AttatchMe', discovered by a Wiz engineer could have allowed the attackers to access and steal the OCI storage volumes of any user without their permission. 

During an Oracle cloud infrastructure examination in June, Wiz engineers disclosed a cloud isolation security flaw in Oracle Cloud Infrastructure. They found that connecting a disk to a VM in another account can be done without any permissions, which immediately made them realize it could become a path for cyberattacks for threat actors. 

Elad Gabay, the security researcher at Wiz made a public statement regarding the vulnerability on September 20. He mentioned the possible severe outcomes of the exploitation of the vulnerability saying this could have led to “severe sensitive data leakage” for all OCI customers and could even be exploited to gain code execution remotely. 

To exploit this vulnerability, attackers need unique identifiers and the oracle cloud infrastructure's environment ID (OCID) of the victim, which can be obtained either through searching on the web or through low-privileged user permission to get the volume OCID from the victim's environment. 

The vulnerability 'AttachMe' is a critical cloud isolation vulnerability, which affects a specific cloud service. The vulnerability affects user data/files by allowing malicious actors to execute severe threats including removing sensitive data from your volume, searching for cleartext secrets to move toward the victim's environment, and making the volume difficult to access, in addition to partitioning the disk that contains the operating system folder. 

The guidelines of OCI state that volumes are a “virtual disk” that allows enough space for computer instances. They are available in the two following varieties in OCI: 

1. Block volume: it is detachable storage, allowing you to expand the storage capacity if needed. 

2. Boot volume: it is a detachable boot volume device containing the image used to boot a system such as operating systems, and supporting systems. 

As soon as Oracle's partner and customer Wiz announced the vulnerability, Oracle took immediate measures to patch the vulnerability while thanking wiz for disclosing the security flaw and helping them in resolving it in the last update advisory of receiving the patch for the vulnerability.
Read more »
Subscribe to: Comments (Atom)