Urgent Action Required: Oracle E-Business Suite Customers Targeted by Attackers

Administrators managing Oracle's E-Business Suite (EBS) are being urged to implement security measures in response to ongoing cyberattacks. Reports indicate that attackers are sending extortion emails to various EBS customers, prompting immediate action.

Oracle has officially acknowledged these attacks, which appear to involve unauthorized access to server systems where sensitive data is being copied. Following this, the attackers threaten to publicly disclose this information unless a ransom is paid. Specific details regarding the scale of these attacks and the methods employed by the attackers remain unclear, but Oracle has recommended that customers reach out to their support teams for further assistance.

The cybercriminals are likely exploiting a critical vulnerability disclosed in July 2025. Oracle has patched nine security vulnerabilities in EBS, and three of these (CVE-2025-30745, CVE-2025-30746, CVE-2025-50107) can be exploited remotely without authentication, posing significant risks to system integrity.

As of October 6, 2025, Oracle has issued an emergency patch for a newly identified vulnerability, CVE-2025-61882, which allows remote code execution without authentication and has a severity rating of CVSS 9.8. The vulnerability affects versions 12.2.3 to 12.2.14 of Oracle EBS. Users of these versions should apply the update promptly, as exploit code has reportedly begun circulating in underground forums. Initial reports suggest that this zero-day vulnerability has been known to attackers since at least June, and organizations using affected versions should assume they may have already been compromised.

In light of these events, it is crucial for administrators to conduct thorough checks for signs of unauthorized access after applying security patches. While the absence of an extortion message may seem reassuring, it does not necessarily indicate that a system is secure; the Clop ransomware group, for instance, is known to methodically target its victims over extended periods.
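
As an added example (not from Oracle or the original article), the following Python script triages an EBS inventory against the affected range stated above for CVE-2025-61882 and keeps patched hosts in scope for a compromise review. The hostnames, inventory format and patch flag are assumptions constructed for illustration; versions are compared numerically because a plain string comparison sorts 12.2.14 before 12.2.3.

```python
import re

# Affected range for CVE-2025-61882 as stated in the article: 12.2.3 to 12.2.14.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(text):
    """Return the release as a 3-tuple of ints, or None if not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))  # pad "12.2" to (12, 2, 0)
    return tuple(parts[:3])


def triage(inventory):
    """inventory: iterable of (host, version_string, emergency_patch_applied)."""
    results = {}
    for host, version, patched in inventory:
        parsed = parse_version(version)
        if parsed is None:
            # Never treat an unparseable version as safe.
            results[host] = "unknown version: verify manually"
        elif not (AFFECTED_MIN <= parsed <= AFFECTED_MAX):
            results[host] = "outside the range stated for CVE-2025-61882"
        elif patched:
            # Patching does not undo earlier access, so the review still applies.
            results[host] = "patched: review for signs of unauthorized access"
        else:
            results[host] = "patch now, then review for signs of unauthorized access"
    return results


# Constructed sample inventory (hostnames and patch flags are made up).
SAMPLE = [
    ("ebs-prod-01", "12.2.14", False),
    ("ebs-prod-02", "12.2.9", True),
    ("ebs-dev-01", "12.2.3", False),
    ("ebs-legacy", "12.1.3", False),
    ("ebs-test-01", "12.2.x", False),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

A host reported as outside this range is only outside the range for CVE-2025-61882; the July vulnerabilities listed above are a separate check.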

During the Critical Patch Update in July, Oracle released a comprehensive set of 309 security patches, underscoring how important it is for EBS administrators to keep their systems current with the latest updates. Oracle typically releases security updates on a quarterly basis, but emergency patches may be issued as necessary.