Oracle
Company Details
Linkedin ID:
oracle
Website:
Employees number:
197,447
Number of followers:
11,005,980
NAICS:
5415
Industry Type:
Homepage:
oracle.com
IP Addresses:
0
Company ID:
ORA_2147210
Scan Status:
In-progress
Oracle Company CyberSecurity Posture
oracle.com
We’re a cloud technology company that provides organizations around the world with computing infrastructure and software to help them innovate, unlock efficiencies and become more effective. We also created the world’s first – and only – autonomous database to help organize and secure our customers’ data. Oracle Cloud Infrastructure offers higher performance, security, and cost savings. It is designed so businesses can move workloads easily from on-premises systems to the cloud, and between cloud and on-premises and other clouds. Oracle Cloud applications provide business leaders with modern applications that help them innovate, attain sustainable growth, and become more resilient. The work we do is not only transforming the world of business--it's helping defend governments, and advance scientific and medical research. From nonprofits to companies of all sizes, millions of people use our tools to streamline supply chains, make HR more human, quickly pivot to a new financial plan, and connect data and people around the world. At work, we embrace diversity, encourage personal and professional growth, and celebrate a global team of passionate people developing innovative technologies that help people and companies tackle real-world problems head-on. If you’d like to join us, please visit our Careers page: https://www.oracle.com/corporate/careers/ For investor news, SEC filings, and financial information about Oracle (NYSE:ORCL), please visit https://investor.oracle.com/home/. Follow us on X: x.com/oracle Like our page on Facebook: facebook.com/Oracle/ Follow us on Instagram: instagram.com/oracle/
Oracle A.I CyberSecurity Scoring
Oracle Risk Score (AI oriented)Between 0 and 549
Oracle
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Oracle Global Score (TPRM)XXXX
Oracle
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Oracle Company CyberSecurity News & History
Past Incidents
23
Attack Types
4
SalesforceOracle: Critical Oracle WebLogic Server Proxy Vulnerability Lets Attackers Compromise the Server
Vulnerability
Rankiteo Explanation
Attack threatening the organization's existence
Description: Oracle Discloses Critical Proxy Vulnerability in Fusion Middleware (CVE-2026-21962) Oracle has revealed a severe security flaw (CVE-2026-21962) in its Fusion Middleware suite, specifically affecting the Oracle HTTP Server and WebLogic Server Proxy Plug-in. The vulnerability, rated CVSS 10.0, enables unauthenticated remote attackers to exploit systems without user interaction, posing a major risk to enterprise environments. The flaw lies in how the WebLogic Server Proxy Plug-ins for Apache HTTP Server and Microsoft IIS process incoming requests. Due to its location in the proxy layer, attackers can bypass security controls entirely, gaining unauthorized access to sensitive data and the ability to create, delete, or modify system data. The vulnerability’s "Scope Change" (S:C) metric indicates that successful exploitation could extend beyond the plug-in, potentially compromising backend WebLogic Server environments. Affected Versions: - Oracle HTTP Server / Proxy Plug-in: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 - WebLogic Server Proxy Plug-in for IIS: 12.2.1.4.0 Oracle has released patches in its Critical Patch Update (CPU), with temporary mitigation recommending restricted network access to affected HTTP ports if immediate patching is not possible. The flaw’s low attack complexity and high impact make it a priority for organizations using these components.
Oracle Corporation: University of Phoenix Data Breach Lawsuit Investigation
Vulnerability
Rankiteo Explanation
Attack without any consequences
Description: University of Phoenix Hit by Massive Data Breach Affecting Millions In November 2025, the University of Phoenix disclosed a significant data breach impacting over 3.4 million current and former students and staff. The breach, attributed to the CL0P ransomware group, exploited a vulnerability in the university’s Oracle E-Business Suite software between August 13 and August 22, 2025, leading to the exfiltration of sensitive personal data. Exposed information included names, dates of birth, Social Security numbers, and financial details such as bank account and routing numbers. The university reported the incident to the California and Maine Attorney Generals’ offices on December 21, 2025, and began notifying affected individuals the following day. Among those impacted were 9,131 Maine residents. The breach has prompted legal action, with Shamis & Gentile P.A., a class-action law firm specializing in data breach cases, investigating potential compensation for victims. The university has offered free IDX identity theft protection services to those affected. The University of Phoenix, a private for-profit institution based in Phoenix, Arizona, serves working adults through online degree programs in fields like business, healthcare, and information systems. The incident underscores the growing threat of ransomware attacks targeting educational institutions.
Princeton University, Oracle Corporation and Phoenix Education Partners: University of Phoenix data breach impacts nearly 3.5 million individuals
Cyber Attack
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Clop Ransomware Gang Steals Data of 3.5 Million from University of Phoenix The Clop ransomware gang has stolen the personal and financial data of nearly 3.5 million individuals including current and former students, staff, and suppliers after breaching the University of Phoenix (UoPX) network in August 2025. The attack was part of a broader extortion campaign exploiting a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), a financial application used by the university. UoPX, a private for-profit institution based in Phoenix, Arizona, detected the breach on November 21 after Clop listed the university on its data leak site. The stolen data includes names, contact details, dates of birth, Social Security numbers, and bank account information. In early December, the university publicly disclosed the incident and filed an 8-K report with the U.S. Securities and Exchange Commission (SEC). On Monday, UoPX confirmed in notification letters filed with Maine’s Attorney General that 3,489,274 individuals were affected. The university is offering free identity protection services, including credit monitoring, dark web surveillance, and a $1 million fraud reimbursement policy. While UoPX has not officially attributed the attack, the tactics align with Clop’s recent campaign targeting Oracle EBS vulnerabilities. Other U.S. universities, including Harvard and the University of Pennsylvania, have also reported similar breaches linked to the same exploit. Clop has a history of high-profile data theft operations, previously targeting GoAnywhere MFT, Accellion FTA, MOVEit Transfer, Cleo, and Gladinet CentreStack. The U.S. Department of State has offered a $10 million reward for information connecting the gang’s activities to a foreign government. In a separate wave of attacks since late October, multiple universities including Harvard, Princeton, and the University of Pennsylvania have also fallen victim to voice phishing (vishing) attacks, compromising systems tied to development and alumni activities.
Oracle and Parexel: Parexel Data Breach Investigation
Vulnerability
Rankiteo Explanation
Attack without any consequences
Description: Parexel Reports Data Breach Impacting Sensitive Employee Information Parexel, a global clinical research organization, disclosed a data breach affecting sensitive personal information stored in its Oracle OCI E-Business Suite (Oracle EBS) environment. On October 4, 2025, the company detected suspicious activity within the system, prompting an investigation. The breach, confirmed through forensic analysis, revealed that an unauthorized third party accessed employee-related data. Exposed information may include names, Social Security numbers, dates of birth, financial account numbers, payment card details (excluding CVVs), and national ID numbers, though the exact data varies by individual. On December 17, 2025, Parexel began notifying affected individuals via mail, detailing the compromised information and offering 24 months of complimentary credit monitoring services. The breach notice was filed with the Attorney General of Massachusetts, where impacted residents were among the first to be informed. The full scope of affected individuals and additional details remain under review.
Oracle Hospitality
Cyber Attack
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: A large-scale phishing campaign targeted Oracle Hospitality through malicious search engine advertisements (malvertising), impersonating its services to deceive users. Victims were redirected to typosquatted domains mimicking legitimate login pages, harvesting credentials, email addresses, phone numbers, and passwords. The attackers bypassed multi-factor authentication (MFA) by capturing real-time one-time passwords (OTP) via SMS or email codes, gaining unauthorized access to cloud-based property management systems.The breach exposed sensitive guest data, including personal information and payment details, stored in these platforms. Technical analysis revealed Russian-speaking threat actors behind the operation, using sophisticated beaconing techniques to track victims’ geolocation, session duration, and engagement. The campaign posed significant risks to Oracle Hospitality’s operational integrity, customer trust, and financial security, with potential downstream impacts on booking systems and guest privacy.Security researchers highlighted the need for phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn) and adaptive risk assessments to mitigate future threats. The incident underscores the growing sophistication of industry-specific cyberattacks targeting hospitality providers.
Oracle
Ransomware
Rankiteo Explanation
Attack threatening the organization's existence
Description: The Clop ransomware gang exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), specifically within the BI Publisher Integration component, to conduct data theft attacks since at least August 2025. The flaw allowed unauthenticated remote code execution (RCE) via a single HTTP request, enabling attackers to steal sensitive corporate documents from unpatched systems. Oracle patched the vulnerability in early October 2025, but not before Clop launched an extortion campaign, emailing executives at multiple victim organizations to demand ransoms in exchange for not leaking the stolen data.The attack leveraged a vulnerability chain exposed by leaked proof-of-concept (PoC) exploits from the Scattered Lapsus$ Hunters group, increasing the risk of further exploitation by other threat actors. Clop’s campaign mirrors past high-profile breaches, including MOVEit Transfer (2,770+ organizations affected), Accellion FTA, and GoAnywhere MFT, reinforcing its reputation for large-scale data theft via zero-days. Oracle urged immediate patching, warning that internet-exposed EBS applications remain prime targets. The U.S. State Department has even offered a $10 million reward for intelligence linking Clop to foreign state sponsorship, underscoring the attack’s severity.
Oracle
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The Clop ransomware gang exploited a zero-day vulnerability in Oracle’s E-Business Suite, a critical enterprise software used for managing customer data, HR files, and corporate operations. The attack, active since at least July 10, allowed hackers to steal significant amounts of sensitive data, including personal information of corporate executives and employees, as well as customer data from affected organizations. Oracle initially claimed the vulnerabilities were patched, but later confirmed the zero-day flaw enabled remote exploitation without authentication, meaning attackers could breach systems without credentials.Google’s security researchers revealed that dozens of organizations were compromised, with the Clop gang using the stolen data for extortion campaigns. The group has a history of mass-hacking via unpatched vulnerabilities in file transfer tools (e.g., MOVEit, GoAnywhere), amplifying risks of large-scale data leaks. Oracle’s delayed acknowledgment and the ongoing exploitation of the flaw suggest prolonged exposure, increasing potential damage to financial records, executive identities, and corporate intellectual property.
Oracle
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Oracle issued an emergency security update to patch a critical information disclosure vulnerability (CVE-2025-61884, CVSS 7.5) in its E-Business Suite (EBS) Runtime UI component (versions 12.2.3–12.2.14). The flaw allows unauthenticated remote attackers to exploit it over a network without credentials, granting access to sensitive corporate resources, including financial, employee, or customer data. The vulnerability was part of a broader extortion campaign linked to the Cl0p ransomware group (FIN11), which exploited a separate zero-day (CVE-2025-61882, CVSS 9.8) to steal data and send extortion emails to executives. While Oracle did not confirm active exploitation of CVE-2025-61884, the urgent patch suggests high risk. Attackers leveraged hacked email accounts and default password resets to gain credentials, potentially exposing confidential business data, intellectual property, or operational secrets. The incident highlights risks of supply-chain attacks and data breaches in enterprise software, with possible financial fraud, reputational damage, or regulatory penalties if exploited.
Oracle
Ransomware
Rankiteo Explanation
Attack threatening the organization's existence
Description: Oracle released an emergency patch for CVE-2025-61882 (CVSS 9.8), a critical zero-day vulnerability in its E-Business Suite, actively exploited by the Cl0p ransomware group and potentially the Scattered LAPSUS$ Hunters. The flaw allows unauthenticated remote attackers to execute arbitrary code via HTTP, compromising the Oracle Concurrent Processing component. Cl0p leveraged this in a high-volume phishing campaign, stealing large volumes of sensitive data from multiple victims in August 2025. Indicators of compromise (IoCs) include malicious IP addresses (e.g., 200.107.207[.]26, 185.181.60[.]11), reverse shell payloads, and exploit scripts (e.g., *oracle_ebs_nday_exploit_poc_...*). Mandiant warned of mass exploitation, urging organizations to investigate potential breaches even after patching, as attackers may have already exfiltrated data. The incident highlights the risk of supply-chain attacks via unpatched enterprise software, with Cl0p’s campaign targeting financial, HR, and operational data potentially disrupting business continuity and exposing customers/employees to fraud or regulatory penalties.
Oracle
Breach
Rankiteo Explanation
Attack that could injure or kill people
Description: Oracle faced two data security incidents with reported poor incident communication. An attacker allegedly accessed login servers and legacy Cerner data, leading to customers' personal information being at risk. Missteps in Oracle's response include outright denial, potentially misleading statements, and accusations of deleting evidence online, compounding the damage to their reputation.
Oracle Health
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Oracle Health, the healthcare subsidiary of Oracle Corporation, experienced a data breach involving legacy Cerner data migration servers. This incident, which Oracle has communicated to its customers through private letters, is reported to have potentially exposed sensitive customer data. The breach is a consequence of Oracle's acquisition of Cerner Corp, a notable electronic health records business, as Oracle aimed to transition the healthcare software to cloud infrastructure. The significance of the data involved and the potential ramifications of such breaches in the healthcare sector underline the serious nature of this cybersecurity event.
Oracle
Breach
Rankiteo Explanation
Attack threatening the organization’s existence
Description: Oracle recently faced allegations of a data breach, with a threat actor claiming to have stolen 6 million records from Oracle Cloud's SSO login servers. Oracle has denied any breach, stating there was no compromise of their cloud services and customers' data remained secure. The threat actor, rose87168, attempted to sell the data and claimed the information includes SSO passwords, Java Keystore files, key files, and JPS keys from Oracle Cloud servers. Despite encrypted and hashed passwords requiring decryption or cracking, the impact of such a breach if proven accurate could potentially be significant, undermining trust in Oracle's cloud security and potentially impacting customers whose data was compromised.
Oracle Health
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: A breach at Oracle Health has resulted in the theft of patient data from legacy servers impacting multiple US healthcare organizations and hospitals. Unauthorized access by a threat actor after January 22, 2025, led to the exfiltration of Electronic Health Records (EHR) data with potential violations of HIPAA laws. There is uncertainty whether ransomware was involved, but Oracle Health's response has been criticized for lack of transparency and failure to provide proper guidance and documentation, leaving hospitals to navigate the aftermath themselves.
Co-operative Group, Ingram Micro, Salesforce, Jaguar Land Rover, Oracle, Synnovis and DaVita: Top 10 Ransomware Attacks Over The Past Year
Ransomware
Rankiteo Explanation
Attack threatening the organization's existence
Description: Ransomware in 2025: A Systemic Threat Disrupting Global Supply Chains and Critical Services In 2025, ransomware evolved from isolated IT disruptions into a systemic risk, threatening national supply chains, essential services, and entire industries. Cybersecurity Ventures projects the global cost of ransomware will surge to $275 billion annually by 2031, driven by downtime, data loss, recovery efforts, and lost productivity not just ransom payments. A recent SOCRadar analysis highlighted the top 10 ransomware attacks of 2025, each exposing vulnerabilities across sectors: 1. Salesforce Ecosystem – A SaaS supply chain blind spot exploited for widespread disruption. 2. Oracle E-Business Suite – A zero-day attack leveraging supply chain extortion. 3. Jaguar Land Rover – Britain’s costliest cyberattack, crippling automotive operations. 4. Ingram Micro – A ransomware strike paralyzing global IT distribution. 5. Co-operative Group – A sustained siege on the UK retail sector. 6. PowerSchool – Large-scale extortion targeting the education sector. 7. Synnovis – Healthcare disruption with confirmed patient harm. 8. DaVita – Ransomware striking critical healthcare infrastructure. 9. Asahi Group – Manufacturing halts exposing IT-OT convergence risks. 10. Collins Aerospace – Ransomware grounding European airports. Key patterns emerged across these incidents: - Initial access frequently relied on stolen credentials or social engineering rather than sophisticated exploits. - Supply chain vulnerabilities amplified impact, turning single breaches into cascading failures. - Data theft and operational paralysis often outweighed encryption as the primary damage driver. - Delayed consequences such as regulatory penalties or confirmed human harm surfaced months after the attacks. The incidents underscore ransomware’s growing role as a strategic threat, with far-reaching consequences beyond financial losses.
Oracle
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Oracle has patched a critical zero-day vulnerability (CVE-2025-61882) in its E-Business Suite, actively exploited by the Clop hacking group to steal personal information of corporate executives and extort victims. The flaw allows remote exploitation without credentials, enabling mass data theft from thousands of organizations using the suite for customer data and employee HR files. Initially, Oracle downplayed the threat, linking extortion emails to older patched vulnerabilities from July. However, the newly discovered zero-day confirms ongoing exploitation since at least August 2024, with Clop demanding ransom to prevent leaking stolen data. Google’s Mandiant reported widespread attacks, though not all victims have been contacted yet. The breach poses severe risks to executive privacy, corporate reputation, and operational security, with potential cascading effects on Oracle’s enterprise clients globally.
Oracle (E-Business Suite customers)
Ransomware
Rankiteo Explanation
Attack threatening the organization's existence
Description: A new extortion campaign targeted executives across multiple companies using Oracle E-Business Suite, with threat actors (potentially the Clop ransomware gang/FIN11) sending emails claiming theft of sensitive data. The campaign, active since at least September 29, 2025, leveraged hundreds of compromised email accounts, some linked to prior FIN11 activity. While the emails included contact details tied to Clop’s data leak site, Mandiant and Google Cloud have not yet confirmed actual data theft. The attack exploits potential vulnerabilities in Oracle’s platform, though no zero-day confirmation exists. Organizations were urged to investigate unusual access in their Oracle environments. Clop, known for ransomware deployment and data extortion, has historically exploited file transfer flaws (e.g., Cleo zero-days in 2024) to steal corporate data. The U.S. State Department offers a $10M reward for ties between Clop and foreign governments. The incident remains under investigation, with risks including financial extortion, reputational damage, and potential data leaks if claims are substantiated.
Oracle
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: Hackers linked to the Russian ransomware gang Clop (FIN11) are exploiting vulnerabilities in Oracle E-Business Suite, a critical enterprise platform managing finance, HR, and supply chain data. The threat actors claim to have stolen sensitive corporate information and are conducting a high-volume extortion campaign, targeting executives across multiple organizations via compromised email accounts. While the exact scope of the breach remains unconfirmed, the group has historically leveraged stolen data for ransom demands rather than system disruption. Oracle previously disclosed a January 2024 incident where hackers accessed legacy systems and stole client credentials, raising concerns about credential reuse and exposure. The current campaign, launched on September 29, 2024, mirrors Clop’s past tactics such as the MOVEit attacks which impacted 2,773 organizations and exposed 96 million records. The group has demanded ransoms under the threat of leaking stolen data, using email addresses tied to Clop’s official leak site. Mandiant and Google Threat Intelligence Group (GTIG) are investigating but have not yet verified the full extent of the breach or the legitimacy of the stolen data claims.
Oracle Corporation
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The Clop ransomware gang (Graceful Spider) breached Oracle Corporation by exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), an unauthenticated remote code execution (RCE) flaw with a CVSS score of 9.8. The attack bypassed authentication via the SyncServlet endpoint and injected malicious XSLT templates through RF.jsp, granting full control over enterprise systems. Oracle’s internal data and customer information were exposed, with Clop listing the company on its dark web leak site under a 'PAGE CREATED' status. The breach aligns with Clop’s broader campaign targeting high-profile victims (e.g., Mazda, Humana, Washington Post) via extortion emails threatening public data leaks unless ransoms are paid. The attack leveraged reused infrastructure from prior exploits (e.g., 2023 MOVEit vulnerability), with 96 distinct IPs tied to Russian-linked service providers. The incident underscores the severe risk posed by unpatched EBS instances, which manage critical functions like procurement, logistics, and financial records globally.
Oracle Cloud
Breach
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The cyberattack on Oracle Cloud orchestrated by 'rose87168' led to the theft of 6 million records potentially affecting over 140,000 tenants. Exfiltrated data includes sensitive JKS files, encrypted SSO passwords, key files, and JPS keys. This information is now sold on dark web forums. The breach, exploiting CVE-2021-35587, poses risks of unauthorized access and corporate espionage given the type of data stolen. Oracle's compromised subdomain and vulnerable software version highlight security gaps and raise concerns of lateral movement within the cloud environment.
Oracle Corporation
Breach
Rankiteo Explanation
Attack threatening the organization’s existence
Description: Oracle Corporation endured a data breach affecting its Gen 1 servers, with no complete PII exposure but involving 6 million data records including usernames, email addresses, and hashed passwords. Sensitive credentials related to SSO and LDAP were also compromised. The breach, attributed to the threat actor 'rose87168' via a 2020 Java exploit, resulted in the theft of JKS files and Enterprise Manager JPS keys from legacy systems approximately 16 months old. Oracle has informed clients and taken steps to bolster Gen 1 server security while maintaining that its Gen 2 servers and primary Oracle Cloud infrastructure remain secure.
Oracle Corporation
Ransomware
Rankiteo Explanation
Attack threatening the organization's existence
Description: The Clop ransomware gang (Graceful Spider) exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), an enterprise resource planning system used for order management, procurement, and logistics. The unauthenticated remote code execution (RCE) flaw allowed attackers to bypass authentication via the OA_HTML/SyncServlet endpoint and inject malicious XSLT templates through OA_HTML/RF.jsp, granting full control over sensitive ERP data. Oracle was listed on Clop’s dark web leak site, suggesting internal corporate data potentially financial and employee records was compromised. The attack leveraged reused infrastructure from prior campaigns (e.g., 2023 MOVEit exploits), with extortion emails sent to victims demanding ransom to prevent data leaks. Over 1,025 victims and $500M+ in extorted funds since 2019 highlight Clop’s persistence. The breach poses severe risks to Oracle’s supply chain integrity, operational continuity, and reputation, with potential cascading effects on clients like Mazda, Humana, and the Washington Post, also listed as victims.
Oracle
Breach
Rankiteo Explanation
Attack threatening the organization's existence
Description: A Russian cybercrime group breached 100 computer systems belonging to Oracle's retail division and MICROS point-of-sale credit card payment systems. It did not expose corporate networks and other cloud and service offerings that were not affected by the breach. Oracle urged Micros customers to change their passwords and any passwords used by Micros representatives to access their on-premise systems.
Oracle Corporation
Breach
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: On July 10, 2013, Fidelity Investments experienced a data breach reported by the California Office of the Attorney General on July 31, 2013. An unauthorized individual gained access to a report containing sensitive personal information of Oracle Corporation employees, including names and Social Security numbers. The breach exposed confidential employee data, though the exact number of affected individuals remains undisclosed. The incident highlights a significant security lapse, as the compromised data could facilitate identity theft, financial fraud, or targeted phishing attacks against the affected employees. While the breach did not directly impact Fidelity’s customers, the exposure of third-party (Oracle) employee records underscores vulnerabilities in data handling and access controls. The breach’s discovery and reporting delay (21 days) may have further exacerbated risks, as affected individuals were left uninformed during this period. Such breaches erode trust in financial institutions’ ability to safeguard sensitive information, potentially leading to reputational damage and regulatory scrutiny. The nature of the stolen data Social Security numbers makes it particularly high-risk, as this information is immutable and highly valuable to cybercriminals for long-term exploitation.
Oracle Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Oracle
Incidents vs IT Services and IT Consulting Industry Average (This Year)
Oracle has 55.95% fewer incidents than the average of same-industry companies with at least one recorded incident.
Incidents vs All-Companies Average (This Year)
Oracle has 28.57% fewer incidents than the average of all companies with at least one recorded incident.
Incident Types Oracle vs IT Services and IT Consulting Industry Avg (This Year)
Oracle reported 1 incidents this year: 0 cyber attacks, 0 ransomware, 1 vulnerabilities, 0 data breaches, compared to industry peers with at least 1 incident.
Incident History — Oracle (X = Date, Y = Severity)
Oracle cyber incidents detection timeline including parent company and subsidiaries
Oracle Company Subsidiaries
We’re a cloud technology company that provides organizations around the world with computing infrastructure and software to help them innovate, unlock efficiencies and become more effective. We also created the world’s first – and only – autonomous database to help organize and secure our customers’ data. Oracle Cloud Infrastructure offers higher performance, security, and cost savings. It is designed so businesses can move workloads easily from on-premises systems to the cloud, and between cloud and on-premises and other clouds. Oracle Cloud applications provide business leaders with modern applications that help them innovate, attain sustainable growth, and become more resilient. The work we do is not only transforming the world of business--it's helping defend governments, and advance scientific and medical research. From nonprofits to companies of all sizes, millions of people use our tools to streamline supply chains, make HR more human, quickly pivot to a new financial plan, and connect data and people around the world. At work, we embrace diversity, encourage personal and professional growth, and celebrate a global team of passionate people developing innovative technologies that help people and companies tackle real-world problems head-on. If you’d like to join us, please visit our Careers page: https://www.oracle.com/corporate/careers/ For investor news, SEC filings, and financial information about Oracle (NYSE:ORCL), please visit https://investor.oracle.com/home/. Follow us on X: x.com/oracle Like our page on Facebook: facebook.com/Oracle/ Follow us on Instagram: instagram.com/oracle/
Loading...
Oracle Similar Companies
CGI
Insights you can act on. Founded in 1976, CGI is among the largest IT and business consulting services firms in the world. We are insights-driven and outcomes-focused to help accelerate returns on your investments. Across hundreds of locations worldwide, we provide comprehensive, scalable and susta
Samsung SDS
Samsung SDS provides cloud computing and digital logistics services. We build an optimized cloud environment with Samsung Cloud Platform specialized for businesses, provide all-in-one management service based on 38 years of expertise in each industry, and boost work efficiency and customer service w
IGT Solutions
IGT Solutions is a next-gen customer experience (CX) company, defining and delivering AI-led transformative experiences for the global and most innovative brands using digital technologies. With the combination of Digital and Human Intelligence, IGT becomes the preferred partner for managing end-to-
Minsait
We are one of the world's leading consultancies in technological services for companies and the public sector. With headquarters in Spain and presence in more than 100 countries, we combine experience in AI, data, cloud and cybersecurity to help companies and organizations generate a positive impact
Wipro
Wipro Limited (NYSE: WIT, BSE: 507685, NSE: WIPRO) is a leading AI-powered technology services and consulting company focused on building innovative solutions that address clients’ most complex digital transformation needs. Leveraging our consulting-led approach and the Wipro Intelligence™ unified s
T-Systems International
Your digitalization partner with industry expertise With locations in more than 26 countries and over 26,000 employees (2024), T-Systems is one of the leading providers of digital services in Europe. The Deutsche Telekom subsidiary is headquartered in Germany and has a presence in Europe as well as
ASGN Incorporated
ASGN Incorporated (NYSE: ASGN) is a leading provider of IT services and solutions across the commercial and government sectors. ASGN helps corporate enterprises and government organizations develop, implement and operate critical IT and business solutions through its integrated offerings. For more i
As the world’s leading tech care company, Asurion eliminates the fears and frustrations associated with technology, to ensure our 300 million customers get the most out of their devices, appliances and connections. We provide insurance, repair, replacement, installation and 24/7 support for everythi
eClerx
eClerx is a productized services company, bringing together people, technology and domain expertise to amplify business results. Our mission is to set the benchmark for client service and success in our industry. Our vision is to be the innovation partner of choice for technology, data analytics and
.png)
Oracle CyberSecurity News
January 21, 2026 08:03 PM
Oracle releases 337 security patches, including fix for critical Apache Tika flaw
Oracle has handed security teams their first big patching workload of the year, with its latest quarterly update containing a hefty 337...
January 21, 2026 12:48 PM
Oracle Critical Security Patch - 337 Vulnerabilities Patched Across Product Families
Oracle's January 2026 Critical Patch Update fixes 337 security vulnerabilities across multiple products to reduce enterprise risk.
January 21, 2026 08:08 AM
Oracle Releases Critical Security Patch Addressing 337 Vulnerabilities Across Product Lines
Oracle has issued its January 2026 Critical Patch Update (CPU), releasing security patches for 337 vulnerabilities spanning multiple product...
January 21, 2026 06:39 AM
Critical Oracle WebLogic Server Proxy Vulnerability Lets Attackers Compromise the Server
Oracle has disclosed a severe security vulnerability affecting its Fusion Middleware suite, specifically targeting the Oracle HTTP Server...
January 15, 2026 07:47 AM
Is Oracle facing headwinds? After layoffs, its 4-decade veteran Chief Security Officer Mary Ann Davidson departs
Oracle Chief Security Officer Mary Ann Davidson steps down: Oracle Corp. witnesses the departure of its long-standing Chief Security Officer,...
January 13, 2026 08:00 AM
Oracle Hack Still Generating Ransom Demands
More users of Oracle's E-Business Suite software are being extorted for millions of dollars following a hack that may have begun last July.
December 30, 2025 08:00 AM
80 Hospitals May Have Been Affected by the Oracle Health Data Breach
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert about the recently confirmed Oracle data breach.
December 15, 2025 08:00 AM
Google Threat Research Uncovers Data Breach in NHS Linked to Oracle Vulnerability
In a concerning revelation, Google Threat Research has uncovered a significant cybersecurity breach linked to a vulnerability in Oracle...
December 12, 2025 08:00 AM
Envoy Air Hit With Class Suit Over Oracle ‘Hub and Spoke’ Breach
A former Envoy Air Inc. employee sued the airline and Oracle Corp. for allegedly failing to protect personal information exposed in a July...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Oracle CyberSecurity History Information
Official Website of Oracle
The official website of Oracle is http://www.oracle.com.
Oracle’s AI-Generated Cybersecurity Score
According to Rankiteo, Oracle’s AI-generated cybersecurity score is 479, reflecting their Critical security posture.
How many security badges does Oracle’ have ?
According to Rankiteo, Oracle currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Has Oracle been affected by any supply chain cyber incidents ?
According to Rankiteo, Oracle has been affected by multiple supply chain cyber incidents. The affected supply chain sources and their corresponding incident IDs are:
- Oracle (Incident ID: PRIORAUNI1766419165)
- Oracle (Incident ID: ORAPAR1766015901)
- Salesforce (Incident ID: THEINGSALJAGORASYNDAV1769095448)
Does Oracle have SOC 2 Type 1 certification ?
According to Rankiteo, Oracle is not certified under SOC 2 Type 1.
Does Oracle have SOC 2 Type 2 certification ?
According to Rankiteo, Oracle does not hold a SOC 2 Type 2 certification.
Does Oracle comply with GDPR ?
According to Rankiteo, Oracle is not listed as GDPR compliant.
Does Oracle have PCI DSS certification ?
According to Rankiteo, Oracle does not currently maintain PCI DSS compliance.
Does Oracle comply with HIPAA ?
According to Rankiteo, Oracle is not compliant with HIPAA regulations.
Does Oracle have ISO 27001 certification ?
According to Rankiteo,Oracle is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Oracle
Oracle operates primarily in the IT Services and IT Consulting industry.
Number of Employees at Oracle
Oracle employs approximately 197,447 people worldwide.
Subsidiaries Owned by Oracle
Oracle presently has no subsidiaries across any sectors.
Oracle’s LinkedIn Followers
Oracle’s official LinkedIn profile has approximately 11,005,980 followers.
NAICS Classification of Oracle
Oracle is classified under the NAICS code 5415, which corresponds to Computer Systems Design and Related Services.
Oracle’s Presence on Crunchbase
No, Oracle does not have a profile on Crunchbase.
Oracle’s Presence on LinkedIn
Yes, Oracle maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/oracle.
Cybersecurity Incidents Involving Oracle
As of January 24, 2026, Rankiteo reports that Oracle has experienced 23 cybersecurity incidents.
Number of Peer and Competitor Companies
Oracle has an estimated 38,514 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Oracle ?
Incident Types: The types of cybersecurity incidents that have occurred include Ransomware, Breach, Cyber Attack and Vulnerability.
What was the total financial impact of these incidents on Oracle ?
Total Financial Loss: The total financial loss from these incidents is estimated to be $275 billion.
How does Oracle detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with password change recommendation, and communication strategy with customer advisory, and communication strategy with criticized for lack of transparency, and communication strategy with private letters to customers, and communication strategy with outright denial, communication strategy with potentially misleading statements, communication strategy with accusations of deleting evidence online, and remediation measures with informed clients, remediation measures with bolstered gen 1 server security, and law enforcement notified with yes (california office of the attorney general), and third party assistance with okta threat intelligence (analysis by moussa diallo), and containment measures with monitoring for suspicious domain registrations, containment measures with blocking known malicious domains, and remediation measures with implementation of phishing-resistant authentication (e.g., passkeys, fido2 webauthn), remediation measures with adaptive risk assessments for unusual access patterns, and communication strategy with customer advisories about impersonation attempts, communication strategy with industry-wide alerts, and enhanced monitoring with real-time tracking of typosquatted domains, enhanced monitoring with beaconing detection, and incident response plan activated with recommended (investigate oracle e-business suite environments), and third party assistance with mandiant (google cloud), third party assistance with gtig, and enhanced monitoring with recommended (for unusual access), and and third party assistance with mandiant (google cloud), third party assistance with google threat intelligence group (gtig), and communication strategy with public warning via cybersecurity firms (mandiant, gtig), communication strategy with media outreach (recorded future news), and and third party assistance with mandiant (google cloud), and containment measures with emergency patch release (cve-2025-61882), containment measures with advisory for customer mitigation, and remediation measures with patch application, remediation measures with investigation into potential prior compromise, and communication strategy with public advisory, communication strategy with linkedin post by oracle cso, communication strategy with mandiant technical alert, and enhanced monitoring with recommended for customers to detect prior compromise, and incident response plan activated with yes (oracle released patch and urged immediate installation), and third party assistance with google mandiant (investigation and advisory), and containment measures with patch release (cve-2025-61882), containment measures with indicators of compromise (iocs) shared with customers, and remediation measures with urgent patch installation recommended for all customers, and communication strategy with public security advisory by oracle cso rob duhart, communication strategy with linkedin post by google mandiant cto charles carmakal, and incident response plan activated with oracle security alert (urgent patching advisory), and third party assistance with crowdstrike (detection and analysis), third party assistance with mandiant (investigation), third party assistance with google threat intelligence group (gtig), and containment measures with patching cve-2025-61882, containment measures with disabling exposed ebs components, and communication strategy with oracle customer advisory, communication strategy with public disclosure of poc risks, and enhanced monitoring with recommended for oracle ebs environments, and incident response plan activated with yes (google and oracle), and third party assistance with google security researchers, and remediation measures with oracle security advisory issued, remediation measures with technical indicators shared by google for detection, and communication strategy with public advisory by oracle, communication strategy with blog post by google, communication strategy with media statements, and enhanced monitoring with recommended (google provided indicators for detection), and incident response plan activated with yes (oracle released emergency security alerts and patches), and third party assistance with google threat intelligence, third party assistance with mandiant, third party assistance with crowdstrike, and containment measures with emergency patching (cve-2025-61884 & cve-2025-61882), containment measures with urgent advisory for customers to apply updates, and remediation measures with patch deployment, remediation measures with mitigation guidance for unpatched systems, and communication strategy with public security advisories, communication strategy with direct customer notifications, and enhanced monitoring with recommended (oracle advised customers to monitor for exploitation attempts), and remediation measures with patch released in october 2025 security alert, and third party assistance with security researchers (the raven file), and remediation measures with oracle released patch in october 2025, and communication strategy with data breach notification letters mailed to impacted individuals, and communication strategy with public disclosure on official website, sec filing, notification letters to affected individuals, and communication strategy with written notice to affected individuals on dec. 22, 2025, and containment measures with restricted network access to affected http ports, and remediation measures with patches released in critical patch update (cpu)..
Incident Details
Can you provide details on each incident ?
Title: Oracle MICROS Point-of-Sale System Breach
Description: A Russian cybercrime group breached 100 computer systems belonging to Oracle's retail division and MICROS point-of-sale credit card payment systems. It did not expose corporate networks and other cloud and service offerings that were not affected by the breach. Oracle urged Micros customers to change their passwords and any passwords used by Micros representatives to access their on-premise systems.
Type: Data Breach
Attack Vector: Network Intrusion
Threat Actor: Russian Cybercrime Group
Title: Alleged Data Breach at Oracle Cloud
Description: Oracle recently faced allegations of a data breach, with a threat actor claiming to have stolen 6 million records from Oracle Cloud's SSO login servers. Oracle has denied any breach, stating there was no compromise of their cloud services and customers' data remained secure. The threat actor, rose87168, attempted to sell the data and claimed the information includes SSO passwords, Java Keystore files, key files, and JPS keys from Oracle Cloud servers. Despite encrypted and hashed passwords requiring decryption or cracking, the impact of such a breach—if proven accurate—could potentially be significant, undermining trust in Oracle's cloud security and potentially impacting customers whose data was compromised.
Type: Data Breach
Threat Actor: rose87168
Motivation: Financial Gain
Title: Cyberattack on Oracle Cloud by 'rose87168'
Description: The cyberattack on Oracle Cloud orchestrated by 'rose87168' led to the theft of 6 million records potentially affecting over 140,000 tenants. Exfiltrated data includes sensitive JKS files, encrypted SSO passwords, key files, and JPS keys. This information is now sold on dark web forums. The breach, exploiting CVE-2021-35587, poses risks of unauthorized access and corporate espionage given the type of data stolen. Oracle's compromised subdomain and vulnerable software version highlight security gaps and raise concerns of lateral movement within the cloud environment.
Type: Data Breach
Attack Vector: Exploitation of CVE-2021-35587
Vulnerability Exploited: CVE-2021-35587
Threat Actor: 'rose87168'
Motivation: Unauthorized accessCorporate espionage
Title: Data Breach at Oracle Health
Description: A breach at Oracle Health has resulted in the theft of patient data from legacy servers impacting multiple US healthcare organizations and hospitals. Unauthorized access by a threat actor after January 22, 2025, led to the exfiltration of Electronic Health Records (EHR) data with potential violations of HIPAA laws. There is uncertainty whether ransomware was involved, but Oracle Health's response has been criticized for lack of transparency and failure to provide proper guidance and documentation, leaving hospitals to navigate the aftermath themselves.
Type: Data Breach
Attack Vector: Unauthorized Access
Title: Oracle Health Data Breach
Description: Oracle Health, the healthcare subsidiary of Oracle Corporation, experienced a data breach involving legacy Cerner data migration servers. This incident, which Oracle has communicated to its customers through private letters, is reported to have potentially exposed sensitive customer data. The breach is a consequence of Oracle's acquisition of Cerner Corp, a notable electronic health records business, as Oracle aimed to transition the healthcare software to cloud infrastructure. The significance of the data involved and the potential ramifications of such breaches in the healthcare sector underline the serious nature of this cybersecurity event.
Type: Data Breach
Title: Oracle Data Security Incidents
Description: Oracle faced two data security incidents with reported poor incident communication. An attacker allegedly accessed login servers and legacy Cerner data, leading to customers' personal information being at risk. Missteps in Oracle's response include outright denial, potentially misleading statements, and accusations of deleting evidence online, compounding the damage to their reputation.
Type: Data Breach
Attack Vector: Login Server AccessLegacy Cerner Data Access
Title: Oracle Corporation Gen 1 Servers Data Breach
Description: Oracle Corporation endured a data breach affecting its Gen 1 servers, with no complete PII exposure but involving 6 million data records including usernames, email addresses, and hashed passwords. Sensitive credentials related to SSO and LDAP were also compromised. The breach, attributed to the threat actor 'rose87168' via a 2020 Java exploit, resulted in the theft of JKS files and Enterprise Manager JPS keys from legacy systems approximately 16 months old. Oracle has informed clients and taken steps to bolster Gen 1 server security while maintaining that its Gen 2 servers and primary Oracle Cloud infrastructure remain secure.
Type: Data Breach
Attack Vector: 2020 Java Exploit
Vulnerability Exploited: Java Vulnerability
Threat Actor: rose87168
Title: Fidelity Investments Data Breach (2013) Affecting Oracle Corporation Employees
Description: The California Office of the Attorney General reported a data breach involving Fidelity Investments on July 31, 2013. The breach occurred on July 10, 2013, when an unauthorized individual accessed a report that included personal information of Oracle Corporation employees, such as names and Social Security numbers. The total number of individuals affected is unknown.
Date Detected: 2013-07-10
Date Publicly Disclosed: 2013-07-31
Type: Data Breach
Threat Actor: Unauthorized Individual
Title: Large-Scale Phishing Operation Targeting Hospitality Industry via Malvertising
Description: A sophisticated phishing campaign is targeting the hospitality industry through malicious search engine advertisements (malvertising). Cybercriminals impersonate at least thirteen hotel and vacation rental service providers (including Oracle Hospitality and Airbnb) to steal credentials and breach cloud-based property management systems. The operation employs typosquatted domains, fake login pages, and advanced tactics to bypass multi-factor authentication (MFA), including real-time capture of one-time passwords (OTP) and SMS/email codes. Technical analysis suggests Russian-speaking threat actors, with infrastructure leveraging Russian datacenter proxies and beaconing techniques for victim tracking. The campaign poses significant risks to guest data, payment information, and operational systems across the sector.
Type: phishing
Attack Vector: malicious advertisements (malvertising)typosquatted domainsfake login pagessocial engineering
Vulnerability Exploited: human trust in search engine adslack of phishing-resistant authenticationweak MFA implementations
Threat Actor: Russian-speaking cybercriminalsunknown APT/group (potential initial access brokers)
Motivation: financial gaindata theftfraud (e.g., unauthorized bookings)sale of credentials on dark web
Title: Extortion Campaign Targeting Oracle E-Business Suite Systems
Description: Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems. The campaign began in late September 2025, with extortion emails sent from hundreds of compromised accounts, some linked to the FIN11 threat group (associated with Clop ransomware). The emails contain contact addresses listed on Clop's data leak site, but there is insufficient evidence to confirm if data was actually stolen. Organizations are advised to investigate their Oracle E-Business Suite environments for unusual access or compromise.
Date Detected: 2025-09-29
Date Publicly Disclosed: 2025-09-29
Type: Extortion
Attack Vector: Compromised Email AccountsPotential Zero-Day Exploitation (Oracle E-Business Suite)
Threat Actor: FIN11 (suspected)Clop Ransomware Gang (potential link)
Motivation: Financial Gain (Extortion)
Title: Clop Ransomware Gang Targets Oracle E-Business Suite in Extortion Campaign
Description: Hackers possibly connected to the Russian ransomware gang Clop (FIN11) are attempting to extort corporate executives by threatening to leak sensitive information allegedly stolen through Oracle's E-Business Suite. The campaign, tracked by Mandiant and Google Threat Intelligence Group (GTIG), involves extortion emails sent from compromised accounts, with claims of data theft from Oracle’s widely used business platform. The group has historically exploited vulnerabilities in file transfer tools (e.g., MOVEit, GoAnywhere) to steal and sell data for ransom. Investigations are ongoing, and the veracity of the claims remains unconfirmed.
Date Detected: 2023-09-29
Date Publicly Disclosed: 2023-10-04
Type: Data Breach
Attack Vector: Phishing/Spoofed EmailsExploitation of Vulnerabilities in Oracle E-Business SuiteCompromised Accounts
Threat Actor: Clop (FIN11)Potentially Impersonating Clop
Motivation: Financial Gain (Extortion/Ransom)
Title: Critical Zero-Day Exploit in Oracle E-Business Suite (CVE-2025-61882) Linked to Cl0p Ransomware Attacks
Description: Oracle released an emergency update to patch a critical zero-day vulnerability (CVE-2025-61882, CVSS 9.8) in its E-Business Suite, actively exploited by the Cl0p ransomware group in a high-volume data theft campaign. The flaw allows unauthenticated remote code execution via HTTP in the Oracle Concurrent Processing component. Indicators of compromise (IoCs) suggest involvement of the Scattered LAPSUS$ Hunters group, with evidence of exploit PoCs and malicious IP activity. Mandiant reported the campaign as part of a broader wave of attacks targeting Oracle EBS vulnerabilities, including those patched in July 2025 and the newly disclosed zero-day.
Date Detected: 2025-08
Date Publicly Disclosed: 2025-08
Type: Data Breach
Attack Vector: Network-based (HTTP)Unauthenticated Remote Code Execution
Vulnerability Exploited: CVE-2025-61882 (CVSS 9.8) - Oracle E-Business Suite Concurrent Processing Component
Threat Actor: Cl0p Ransomware GroupScattered LAPSUS$ Hunters
Motivation: Data TheftFinancial Gain (Ransomware)Exploitation of Zero-Day for Mass Compromise
Title: Oracle E-Business Suite Zero-Day Vulnerability Exploitation by Clop Hacking Group
Description: Oracle has patched a zero-day vulnerability (CVE-2025-61882) in its Oracle E-Business Suite, which the Clop hacking group is actively exploiting to steal personal information about corporate executives. The vulnerability allows exploitation over a network without authentication. Oracle urged customers to install the patch immediately, as thousands of organizations globally use the E-Business Suite for critical operations, including storing customer and HR data. The Clop group has been sending extortion emails to executives since late September 2025, demanding ransom payments to prevent the publication of stolen personal data. The exploitation campaign began in August 2025, following Oracle's July patches for previously identified vulnerabilities.
Date Detected: 2025-08-01
Date Publicly Disclosed: 2025-10-02
Type: Data Breach
Attack Vector: Network-based exploitation (no authentication required)Extortion emails
Vulnerability Exploited: CVE-2025-61882 (Zero-day in Oracle E-Business Suite)
Threat Actor: Clop (hacking group linked to ransomware and extortion)
Motivation: Financial gain (extortion)Data theft
Title: Clop Ransomware Exploits Oracle E-Business Suite Zero-Day (CVE-2025-61882) in Data Theft Attacks
Description: The Clop ransomware gang has been exploiting a critical Oracle E-Business Suite (EBS) zero-day bug (CVE-2025-61882) in data theft attacks since at least early August 2025. The vulnerability, patched by Oracle in early October 2025, resides in the BI Publisher Integration component of Oracle EBS's Concurrent Processing, allowing unauthenticated remote code execution (RCE) via a single HTTP request. Clop has been using this flaw to steal sensitive documents and extort victims via email campaigns. Other threat actors, including GRACEFUL SPIDER, may also be involved. Oracle has urged customers to patch immediately, as the public disclosure of the PoC exploit is expected to escalate attacks.
Date Detected: 2025-08-09
Date Publicly Disclosed: 2025-10-03
Type: Data Theft
Attack Vector: Unauthenticated Remote Code Execution (RCE)HTTP Request ExploitationEmail-Based Extortion
Vulnerability Exploited: CVE-2025-61882 (Oracle E-Business Suite BI Publisher Integration Component)
Threat Actor: Clop Ransomware GangGRACEFUL SPIDER (moderate confidence)
Motivation: Financial Gain (Extortion)Data Theft for Leverage
Title: Clop Extortion Gang Exploits Zero-Day in Oracle E-Business Suite to Steal Corporate Data
Description: Security researchers at Google reported that the Clop extortion gang exploited multiple security vulnerabilities, including a zero-day bug, in Oracle’s E-Business Suite software to steal significant amounts of data from dozens of organizations. The campaign, active since at least July 10, targeted corporate executives and involved extortion emails. Oracle initially claimed the vulnerabilities were patched in July, but later confirmed the zero-day could be exploited remotely without credentials. The Clop gang, linked to Russia, is known for mass-hacking campaigns exploiting unknown vulnerabilities in managed file transfer tools and enterprise software.
Date Detected: 2023-10-05T00:00:00Z
Date Publicly Disclosed: 2023-10-05T00:00:00Z
Type: Data Breach
Attack Vector: Exploitation of Zero-Day Vulnerability (CVE Unknown)Network-Based Attack (No Credentials Required)Extortion Emails
Vulnerability Exploited: Zero-Day in Oracle E-Business SuitePreviously Patched Vulnerabilities (Exploited Post-Patch)
Threat Actor: Clop Ransomware/Extortion Gang
Motivation: Financial Gain (Extortion)Data Theft for Dark Web Sale
Title: Oracle E-Business Suite Vulnerabilities (CVE-2025-61884 & CVE-2025-61882) Exploited in Extortion Campaigns
Description: Oracle issued emergency security updates to address critical vulnerabilities (CVE-2025-61884 and CVE-2025-61882) in its E-Business Suite (EBS). The flaws, exploitable remotely without authentication, were linked to extortion campaigns by the Cl0p ransomware group (FIN11). Attackers exploited these vulnerabilities to steal sensitive data, send extortion emails to executives, and potentially gain control of Oracle Concurrent Processing components. Oracle urged immediate patching to mitigate risks, while Google Mandiant and CrowdStrike attributed the attacks to Cl0p with moderate confidence. A proof-of-concept (POC) exploit was disclosed on October 3, 2025, increasing the likelihood of further exploitation by threat actors.
Date Detected: 2025-07-10
Date Publicly Disclosed: 2025-10-14
Type: Vulnerability Exploitation
Attack Vector: NetworkHTTPExploitation of Public-Facing Application
Vulnerability Exploited: CVE-2025-61884 (CVSS 7.5 - Information Disclosure in Runtime UI)CVE-2025-61882 (CVSS 9.8 - Remote Code Execution in BI Publisher Integration/Concurrent Processing)
Threat Actor: Cl0p Ransomware Group (Graceful Spider)FIN11Potential involvement of Scattered Spider, Slippy Spider (Lapsus$), ShinyHunters
Motivation: Financial GainData TheftExtortion
Title: Clop Ransomware Exploits Zero-Day CVE-2025-61882 in Oracle E-Business Suite
Description: The Clop ransomware gang (Graceful Spider) breached Oracle Corporation's internal systems by exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS). The unauthenticated remote code execution (RCE) flaw allowed attackers to bypass authentication via the OA_HTML/SyncServlet endpoint and inject malicious XSLT templates via OA_HTML/RF.jsp, granting full control over ERP data. The attack, part of a broader supply chain campaign, targeted Oracle and other major entities like Mazda, Humana, and the Washington Post. Clop listed Oracle on its dark web leak site, threatening to release financial and personal records unless ransom demands were met. Evidence links the attack infrastructure to prior MOVEit exploits (CVE-2023-34362), with 96 distinct IPs identified, primarily hosted on Russian-based providers.
Date Detected: 2025-06
Date Publicly Disclosed: 2025-10
Type: Ransomware
Attack Vector: Unauthenticated Remote Code Execution (RCE)Authentication Bypass via SyncServletXSLT Injection via RF.jsp
Vulnerability Exploited: CVE-2025-61882 (Critical, CVSS 9.8)
Threat Actor: Clop Ransomware Gang (Graceful Spider)
Motivation: Financial GainData Extortion
Title: Clop Ransomware Gang Exploits Zero-Day Vulnerability in Oracle E-Business Suite (CVE-2025-61882)
Description: The Clop ransomware gang (Graceful Spider) claimed to have breached Oracle Corporation’s internal systems by exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS). The unauthenticated remote code execution (RCE) flaw, with a CVSS score of 9.8, was actively exploited since August 2025, two months before Oracle released a patch in October 2025. The attack leveraged the OA_HTML/SyncServlet endpoint for authentication bypass and malicious XSLT injection via OA_HTML/RF.jsp. Clop listed Oracle and high-profile customers (e.g., Mazda, Humana, Washington Post) on its dark web leak site, threatening data exposure unless ransom demands were met. Evidence suggests Oracle may have been compromised via its own unpatched EBS software, risking exposure of internal corporate and customer data.
Date Detected: 2025-08
Type: Ransomware Attack
Attack Vector: Unauthenticated Remote Code Execution (RCE)Authentication Bypass via SyncServletXSLT Injection via RF.jsp
Vulnerability Exploited: Cve Id: CVE-2025-61882, Affected Product: Oracle E-Business Suite (Versions 12.2.3 – 12.2.14), Vulnerability Type: Unauthenticated Remote Code Execution (RCE), Cvss Score: 9.8, Authentication BypassXSLT InjectionPatch Status: Patched in October 2025 (exploited since August 2025).
Threat Actor: Name: ['Clop Ransomware Gang', 'Graceful Spider']Origin: Russian-linkedConfirmed Victims: 1025Ransom Extracted: $500 million (since 2019)Associated Infrastructure: {'ip_addresses': 96, 'reused_ips_from_moveit': 41, 'geographic_distribution': [{'country': 'Germany', 'ip_count': 16}, {'country': 'Brazil', 'ip_count': 13}, {'country': 'Panama', 'ip_count': 12}], 'service_providers': ['Russian-based']}
Motivation: Financial GainData ExtortionReputation Damage
Title: Parexel Data Breach Involving Sensitive Personal Information
Description: Parexel reported a data breach where sensitive personal identifiable information in its Oracle OCI E-Business Suite environment may have been compromised. An unauthorized third party accessed the data, leading to the exposure of personal and financial information of employees.
Date Detected: 2025-10-04
Date Publicly Disclosed: 2025-12-17
Type: Data Breach
Threat Actor: Unauthorized third party
Title: Clop Ransomware Gang Steals Data of 3.5 Million University of Phoenix Students and Staff
Description: The Clop ransomware gang has stolen the data of nearly 3.5 million University of Phoenix (UoPX) students, staff, and suppliers after breaching the university's network in August 2025. The attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application to steal sensitive personal and financial information.
Date Detected: 2025-11-21
Date Publicly Disclosed: 2025-12-01
Type: Data Breach, Ransomware
Attack Vector: Exploitation of zero-day vulnerability (CVE-2025-61882)
Vulnerability Exploited: CVE-2025-61882 (Oracle E-Business Suite)
Threat Actor: Clop ransomware gang
Motivation: Extortion, Data Theft
Title: University of Phoenix Data Breach
Description: In November 2025, University of Phoenix discovered a major data breach that may have affected millions of current and former students and staff. A vulnerability in Oracle E-Business Suite software was exploited by the CL0P ransomware group between Aug. 13 and Aug. 22, 2025, resulting in the exfiltration of sensitive data.
Date Detected: 2025-11-21
Date Publicly Disclosed: 2025-12-21
Type: Data Breach
Attack Vector: Exploitation of software vulnerability
Vulnerability Exploited: Oracle E-Business Suite software vulnerability
Threat Actor: CL0P ransomware group
Title: Oracle Discloses Critical Proxy Vulnerability in Fusion Middleware (CVE-2026-21962)
Description: Oracle has revealed a severe security flaw (CVE-2026-21962) in its Fusion Middleware suite, specifically affecting the Oracle HTTP Server and WebLogic Server Proxy Plug-in. The vulnerability, rated CVSS 10.0, enables unauthenticated remote attackers to exploit systems without user interaction, posing a major risk to enterprise environments. The flaw lies in how the WebLogic Server Proxy Plug-ins for Apache HTTP Server and Microsoft IIS process incoming requests. Due to its location in the proxy layer, attackers can bypass security controls entirely, gaining unauthorized access to sensitive data and the ability to create, delete, or modify system data. The vulnerability’s 'Scope Change' (S:C) metric indicates that successful exploitation could extend beyond the plug-in, potentially compromising backend WebLogic Server environments.
Type: Vulnerability Exploitation
Attack Vector: Remote
Vulnerability Exploited: CVE-2026-21962
Title: Ransomware in 2025: A Systemic Threat Disrupting Global Supply Chains and Critical Services
Description: In 2025, ransomware evolved from isolated IT disruptions into a systemic risk, threatening national supply chains, essential services, and entire industries. The top 10 ransomware attacks of 2025 exposed vulnerabilities across sectors, including SaaS supply chain blind spots, zero-day attacks, and sustained sieges on critical infrastructure.
Date Publicly Disclosed: 2025
Type: Ransomware
Attack Vector: Stolen credentialsSocial engineeringSupply chain vulnerabilities
Vulnerability Exploited: Zero-daySaaS supply chain blind spotsIT-OT convergence risks
Motivation: Financial gainExtortionOperational disruption
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Ransomware.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through CVE-2021-35587, malvertising (malicious search engine ads)typosquatted domains, Compromised Email Accounts, Compromised Email AccountsPotential Exploitation of Oracle E-Business Suite Vulnerabilities, Oracle E-Business Suite Concurrent Processing Component (via HTTP), CVE-2025-61882 (Oracle E-Business Suite zero-day), CVE-2025-61882 (Oracle EBS BI Publisher), Zero-Day Vulnerability in Oracle E-Business Suite (Network-Based, No Authentication Required), Exploitation of Oracle EBS Vulnerabilities (CVE-2025-61882, CVE-2025-61884)Hacked User EmailsDefault Password Reset Mechanisms, OA_HTML/SyncServlet (Authentication Bypass) & OA_HTML/RF.jsp (XSLT Injection), Oracle E-Business Suite (EBS) SyncServlet endpoint, Oracle E-Business Suite (EBS) zero-day vulnerability (CVE-2025-61882) and Stolen credentialsSocial engineering.
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach ORA392622
Data Compromised: Credit card payment information
Systems Affected: MICROS Point-of-Sale Systems
Payment Information Risk: True
Incident : Data Breach ORA344032125
Data Compromised: Sso passwords, Java keystore files, Key files, Jps keys
Systems Affected: Oracle Cloud SSO login servers
Brand Reputation Impact: Potential undermining of trust in Oracle's cloud security
Incident : Data Breach ORA615032225
Data Compromised: Jks files, Encrypted sso passwords, Key files, Jps keys
Incident : Data Breach ORA526032825
Data Compromised: Electronic health records (ehr)
Systems Affected: Legacy Servers
Legal Liabilities: Potential HIPAA violations
Incident : Data Breach ORA455040125
Systems Affected: legacy Cerner data migration servers
Incident : Data Breach ORA656040225
Data Compromised: Personal Information
Systems Affected: Login ServersLegacy Cerner Data
Brand Reputation Impact: Damaged Reputation
Incident : Data Breach ORA956040325
Data Compromised: Usernames, Email addresses, Hashed passwords, Sso credentials, Ldap credentials, Jks files, Enterprise manager jps keys
Systems Affected: Gen 1 serverslegacy systems
Incident : Data Breach ORA720082025
Data Compromised: Names, Social security numbers
Identity Theft Risk: High (PII exposed)
Incident : phishing ORA805090225
Data Compromised: Guest personal information, Payment data, Booking system credentials, Operational data
Systems Affected: cloud-based property management systemsguest messaging platformsauthentication systems
Operational Impact: potential unauthorized access to booking systemsreputation damagecustomer trust erosion
Brand Reputation Impact: high (due to impersonation of major brands like Oracle Hospitality and Airbnb)
Identity Theft Risk: ['high (guest PII and payment data exposed)']
Payment Information Risk: ['high (credit card details and transaction data at risk)']
Incident : Extortion ORA4062140100225
Systems Affected: Oracle E-Business Suite (potential)
Brand Reputation Impact: Potential (due to extortion claims)
Incident : Data Breach ORA1092210100225
Data Compromised: Potentially finance, hr, and supply chain data (oracle e-business suite)
Systems Affected: Oracle E-Business Suite
Brand Reputation Impact: High (Potential Reputation Damage Due to Extortion Threats)
Identity Theft Risk: Potential (If PII Stolen)
Incident : Data Breach ORA5662156100625
Data Compromised: Large amounts of data (exact scope undisclosed)
Systems Affected: Oracle E-Business Suite (Concurrent Processing Component)
Brand Reputation Impact: High (due to zero-day exploitation and association with Cl0p ransomware)
Identity Theft Risk: Potential (depends on stolen data types)
Incident : Data Breach ORA4993249100625
Data Compromised: Personal information of corporate executives, Customer data, Employee hr files
Systems Affected: Oracle E-Business Suite
Brand Reputation Impact: High (extortion campaign targeting executives, potential data leaks)
Identity Theft Risk: High (personal information of executives targeted)
Incident : Data Theft ORA1692116100725
Data Compromised: Sensitive documents, Potentially pii or corporate data
Systems Affected: Oracle E-Business Suite (EBS) with unpatched BI Publisher Integration
Brand Reputation Impact: High (due to extortion and potential data leaks)
Identity Theft Risk: ['Potential (if PII was stolen)']
Incident : Data Breach ORA4202442101025
Data Compromised: Corporate executive data, Customer data, Employee hr files, Sensitive corporate data
Systems Affected: Oracle E-Business Suite
Brand Reputation Impact: High (Associated with Mass Hacking Campaign)
Identity Theft Risk: High (Personal Information of Executives Compromised)
Incident : Vulnerability Exploitation ORA0832608101425
Data Compromised: Sensitive resources, Potential oracle e-business suite data (as claimed in extortion emails)
Systems Affected: Oracle E-Business Suite (Versions 12.2.3–12.2.14)Runtime UI ComponentBI Publisher IntegrationConcurrent Processing Component
Operational Impact: Potential Disruption Due to Unauthorized AccessEmergency Patching Requirements
Brand Reputation Impact: Potential Reputation Damage Due to Data Theft Claims and Extortion Campaigns
Identity Theft Risk: ['High (Due to Potential Exposure of Sensitive Data)']
Incident : Ransomware ORA4332743112125
Data Compromised: Financial records, Personal records, Erp data
Systems Affected: Oracle E-Business Suite (Versions 12.2.3–12.2.14)Internal Corporate Systems
Operational Impact: Potential disruption to order management, procurement, and logistics functions
Brand Reputation Impact: High (public listing on dark web leak site)
Identity Theft Risk: High (personal records exposed)
Incident : Ransomware Attack ORA5233252112125
Data Compromised: Internal corporate data, Customer information, Financial records, Personal data
Systems Affected: Oracle E-Business Suite (EBS) ServersEnterprise Resource Planning (ERP) Systems
Operational Impact: Potential disruption to order management, procurement, and logistics
Brand Reputation Impact: High (public listing on dark web leak site)
Identity Theft Risk: ['High (PII exposure risk)']
Incident : Data Breach ORAPAR1766015901
Data Compromised: Sensitive personal identifiable information
Systems Affected: Oracle OCI E-Business Suite (Oracle EBS)
Identity Theft Risk: High
Payment Information Risk: High
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Data Compromised: 3,489,274 records
Systems Affected: Oracle E-Business Suite (EBS) financial application
Brand Reputation Impact: Yes
Legal Liabilities: Potential regulatory fines and legal actions
Identity Theft Risk: Yes
Payment Information Risk: Yes
Incident : Data Breach ORA1766435444
Data Compromised: Sensitive personally identifiable information
Systems Affected: Oracle E-Business Suite
Identity Theft Risk: High
Payment Information Risk: High
Incident : Vulnerability Exploitation ORA1768994894
Data Compromised: Sensitive data
Systems Affected: Oracle HTTP Server, WebLogic Server Proxy Plug-in
Operational Impact: Unauthorized creation, deletion, or modification of system data
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Financial Loss: $275 billion annually by 2031 (projected global cost)
Systems Affected: SaaS platformsIT distribution networksHealthcare infrastructureManufacturing OT systemsAviation systems
Downtime: True
Operational Impact: Crippling automotive operationsParalyzing global IT distributionHealthcare disruption with confirmed patient harmManufacturing haltsGrounding of European airports
Revenue Loss: True
What is the average financial loss per incident ?
Average Financial Loss: The average financial loss per incident is $11.96 billion.
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Credit Card Payment Information, , Sso Passwords, Java Keystore Files, Key Files, Jps Keys, , Jks Files, Encrypted Sso Passwords, Key Files, Jps Keys, , Electronic Health Records (Ehr), , Sensitive Customer Data, , Personal Information, Usernames, Email Addresses, Hashed Passwords, Sso Credentials, Ldap Credentials, Jks Files, Enterprise Manager Jps Keys, , Personally Identifiable Information (Pii), , Credentials (Usernames, Passwords), Pii (Email Addresses, Phone Numbers), Guest Data, Payment Information, Booking Details, , Potentially Finance, Hr, Supply Chain Data, Client Credentials (From January Incident), , Personal Information (Executives), Customer Data, Employee Hr Files, , Sensitive Corporate Documents, Potentially Pii, , Personally Identifiable Information (Pii) Of Executives, Customer Data, Employee Hr Files, Corporate Sensitive Data, , Sensitive Resources, Potentially Oracle Ebs Data (As Per Extortion Claims), , Financial Records, Personal Records, Erp Data, , Corporate Internal Data, Customer Information, Financial Records, Personal Data, , Name, Social Security Number, Date Of Birth, Financial Account Number, Payment Card Number (Without Cvv), National Id Number, , Personal Information, Financial Information, , Names, Dates Of Birth, Social Security Numbers, Bank Account Numbers, Bank Routing Numbers, and Sensitive data.
Which entities were affected by each incident ?
Incident : Data Breach ORA615032225
Entity Name: Oracle Cloud
Entity Type: Cloud Service Provider
Industry: Technology
Customers Affected: 140,000 tenants
Incident : Data Breach ORA526032825
Entity Name: Oracle Health
Entity Type: Healthcare Technology Company
Industry: Healthcare
Location: United States
Customers Affected: Multiple US healthcare organizations and hospitals
Incident : Data Breach ORA455040125
Entity Name: Oracle Health
Entity Type: Company
Industry: Healthcare
Incident : Data Breach ORA956040325
Entity Name: Oracle Corporation
Entity Type: Corporation
Industry: Technology
Incident : Data Breach ORA720082025
Entity Name: Fidelity Investments
Entity Type: Financial Services
Industry: Investment Management
Location: United States
Incident : Data Breach ORA720082025
Entity Name: Oracle Corporation
Entity Type: Corporation
Industry: Technology
Location: United States
Customers Affected: Unknown (employees affected)
Incident : phishing ORA805090225
Entity Name: Oracle Hospitality
Entity Type: technology provider
Industry: hospitality
Location: global
Size: large enterprise
Incident : phishing ORA805090225
Entity Name: Airbnb
Entity Type: vacation rental platform
Industry: hospitality
Location: global
Size: large enterprise
Incident : phishing ORA805090225
Entity Name: Unnamed hotel and vacation rental providers (11+ others)
Entity Type: hotel chains, property management companies, vacation rental services
Industry: hospitality
Location: global
Incident : Extortion ORA4062140100225
Entity Type: Multiple Companies (Executives Targeted)
Incident : Data Breach ORA1092210100225
Entity Name: Oracle (Primary Target)
Entity Type: Corporation
Industry: Technology/Enterprise Software
Location: Global (HQ: Redwood Shores, California, USA)
Size: Large (Fortune 100)
Customers Affected: Numerous Organizations (Exact Number Undisclosed)
Incident : Data Breach ORA5662156100625
Entity Name: Oracle Corporation
Entity Type: Technology Vendor
Industry: Enterprise Software
Location: Global (HQ: Redwood City, California, USA)
Size: Large (Multinational)
Customers Affected: Multiple (exact number undisclosed)
Incident : Data Breach ORA4993249100625
Entity Name: Oracle Corporation
Entity Type: Technology Company
Industry: Enterprise Software
Location: Global (HQ: Redwood Shores, California, USA)
Size: Large (thousands of organizations use Oracle E-Business Suite)
Customers Affected: Multiple (exact number unspecified, includes corporate executives)
Incident : Data Theft ORA1692116100725
Entity Name: Multiple Organizations Using Oracle E-Business Suite
Entity Type: Corporations, Enterprises
Location: Global (targeting internet-exposed EBS applications)
Incident : Data Breach ORA4202442101025
Entity Name: Oracle Corporation
Entity Type: Software Vendor
Industry: Technology
Location: Redwood City, California, USA
Size: Large Enterprise
Customers Affected: Dozens of Organizations (Exact Number Undisclosed)
Incident : Vulnerability Exploitation ORA0832608101425
Entity Name: Oracle Corporation
Entity Type: Software Vendor
Industry: Technology
Location: Global (HQ: Redwood City, California, USA)
Size: Large Enterprise
Customers Affected: Multiple (Exact Number Unspecified)
Incident : Vulnerability Exploitation ORA0832608101425
Entity Name: Unspecified Organizations Using Oracle E-Business Suite
Entity Type: Enterprises, Government Agencies, Potential High-Value Targets
Location: Global
Incident : Ransomware ORA4332743112125
Entity Name: Oracle Corporation
Entity Type: Technology Vendor
Industry: Enterprise Software
Location: United States
Size: Large (Multinational)
Incident : Ransomware ORA4332743112125
Entity Name: MAZDA.COM
Entity Type: Corporate
Industry: Automotive
Incident : Ransomware ORA4332743112125
Entity Name: HUMANA.COM
Entity Type: Corporate
Industry: Healthcare Insurance
Incident : Ransomware ORA4332743112125
Entity Name: Washington Post
Entity Type: Media
Industry: News/Publishing
Incident : Ransomware Attack ORA5233252112125
Entity Name: Oracle Corporation
Entity Type: Technology Vendor
Industry: Enterprise Software
Location: Global (HQ: Redwood City, California, USA)
Size: Large (Multinational)
Customers Affected: Potentially high (internal systems + customers using EBS)
Incident : Ransomware Attack ORA5233252112125
Entity Name: Mazda
Entity Type: Corporation
Industry: Automotive
Location: Global
Incident : Ransomware Attack ORA5233252112125
Entity Name: Humana
Entity Type: Corporation
Industry: Healthcare Insurance
Location: USA
Incident : Ransomware Attack ORA5233252112125
Entity Name: The Washington Post
Entity Type: Media Organization
Industry: News/Publishing
Location: USA
Incident : Data Breach ORAPAR1766015901
Entity Name: Parexel
Entity Type: Company
Industry: Clinical Research, Pharmaceutical
Customers Affected: Employees
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Entity Name: University of Phoenix
Entity Type: Educational Institution
Industry: Higher Education
Location: Phoenix, Arizona, USA
Size: Over 100,000 enrolled students and nearly 3,000 academic staff
Customers Affected: 3,489,274 (current and former students, employees, faculty, and suppliers)
Incident : Data Breach ORA1766435444
Entity Name: University of Phoenix
Entity Type: Educational Institution
Industry: Higher Education
Location: Phoenix, Arizona, USA
Size: Large
Customers Affected: 3,489,274
Incident : Vulnerability Exploitation ORA1768994894
Entity Name: Oracle
Entity Type: Corporation
Industry: Technology/Software
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entity Name: Salesforce Ecosystem
Entity Type: SaaS
Industry: Technology
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entity Name: Oracle E-Business Suite
Entity Type: Enterprise Software
Industry: Technology
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entity Name: Jaguar Land Rover
Entity Type: Automotive
Industry: Manufacturing
Location: UK
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entity Name: Ingram Micro
Entity Type: IT Distribution
Industry: Technology
Location: Global
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entity Name: Co-operative Group
Entity Type: Retail
Industry: Retail
Location: UK
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entity Name: PowerSchool
Entity Type: Education Software
Industry: Education
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entity Name: Synnovis
Entity Type: Healthcare Services
Industry: Healthcare
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entity Name: DaVita
Entity Type: Healthcare
Industry: Healthcare
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entity Name: Asahi Group
Entity Type: Manufacturing
Industry: Manufacturing
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entity Name: Collins Aerospace
Entity Type: Aerospace
Industry: Aviation
Location: Europe
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Data Breach ORA392622
Containment Measures: Password Change Recommendation
Communication Strategy: Customer Advisory
Incident : Data Breach ORA526032825
Communication Strategy: Criticized for lack of transparency
Incident : Data Breach ORA455040125
Communication Strategy: Private letters to customers
Incident : Data Breach ORA656040225
Communication Strategy: Outright DenialPotentially Misleading StatementsAccusations of Deleting Evidence Online
Incident : Data Breach ORA956040325
Remediation Measures: Informed clientsBolstered Gen 1 server security
Incident : Data Breach ORA720082025
Law Enforcement Notified: Yes (California Office of the Attorney General)
Incident : phishing ORA805090225
Third Party Assistance: Okta Threat Intelligence (Analysis By Moussa Diallo).
Containment Measures: monitoring for suspicious domain registrationsblocking known malicious domains
Remediation Measures: implementation of phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)adaptive risk assessments for unusual access patterns
Communication Strategy: customer advisories about impersonation attemptsindustry-wide alerts
Enhanced Monitoring: real-time tracking of typosquatted domainsbeaconing detection
Incident : Extortion ORA4062140100225
Incident Response Plan Activated: Recommended (investigate Oracle E-Business Suite environments)
Third Party Assistance: Mandiant (Google Cloud), Gtig.
Enhanced Monitoring: Recommended (for unusual access)
Incident : Data Breach ORA1092210100225
Incident Response Plan Activated: True
Third Party Assistance: Mandiant (Google Cloud), Google Threat Intelligence Group (Gtig).
Communication Strategy: Public Warning via Cybersecurity Firms (Mandiant, GTIG)Media Outreach (Recorded Future News)
Incident : Data Breach ORA5662156100625
Incident Response Plan Activated: True
Third Party Assistance: Mandiant (Google Cloud).
Containment Measures: Emergency Patch Release (CVE-2025-61882)Advisory for Customer Mitigation
Remediation Measures: Patch ApplicationInvestigation into Potential Prior Compromise
Communication Strategy: Public AdvisoryLinkedIn Post by Oracle CSOMandiant Technical Alert
Enhanced Monitoring: Recommended for customers to detect prior compromise
Incident : Data Breach ORA4993249100625
Incident Response Plan Activated: Yes (Oracle released patch and urged immediate installation)
Third Party Assistance: Google Mandiant (Investigation And Advisory).
Containment Measures: Patch release (CVE-2025-61882)Indicators of Compromise (IoCs) shared with customers
Remediation Measures: Urgent patch installation recommended for all customers
Communication Strategy: Public security advisory by Oracle CSO Rob DuhartLinkedIn post by Google Mandiant CTO Charles Carmakal
Incident : Data Theft ORA1692116100725
Incident Response Plan Activated: ['Oracle Security Alert (Urgent Patching Advisory)']
Third Party Assistance: Crowdstrike (Detection And Analysis), Mandiant (Investigation), Google Threat Intelligence Group (Gtig).
Containment Measures: Patching CVE-2025-61882Disabling Exposed EBS Components
Communication Strategy: Oracle Customer AdvisoryPublic Disclosure of PoC Risks
Enhanced Monitoring: Recommended for Oracle EBS Environments
Incident : Data Breach ORA4202442101025
Incident Response Plan Activated: Yes (Google and Oracle)
Third Party Assistance: Google Security Researchers.
Remediation Measures: Oracle Security Advisory IssuedTechnical Indicators Shared by Google for Detection
Communication Strategy: Public Advisory by OracleBlog Post by GoogleMedia Statements
Enhanced Monitoring: Recommended (Google Provided Indicators for Detection)
Incident : Vulnerability Exploitation ORA0832608101425
Incident Response Plan Activated: Yes (Oracle Released Emergency Security Alerts and Patches)
Third Party Assistance: Google Threat Intelligence, Mandiant, Crowdstrike.
Containment Measures: Emergency Patching (CVE-2025-61884 & CVE-2025-61882)Urgent Advisory for Customers to Apply Updates
Remediation Measures: Patch DeploymentMitigation Guidance for Unpatched Systems
Communication Strategy: Public Security AdvisoriesDirect Customer Notifications
Enhanced Monitoring: Recommended (Oracle Advised Customers to Monitor for Exploitation Attempts)
Incident : Ransomware ORA4332743112125
Remediation Measures: Patch released in October 2025 Security Alert
Incident : Ransomware Attack ORA5233252112125
Third Party Assistance: Security Researchers (The Raven File).
Remediation Measures: Oracle released patch in October 2025
Incident : Data Breach ORAPAR1766015901
Communication Strategy: Data breach notification letters mailed to impacted individuals
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Communication Strategy: Public disclosure on official website, SEC filing, notification letters to affected individuals
Incident : Data Breach ORA1766435444
Communication Strategy: Written notice to affected individuals on Dec. 22, 2025
Incident : Vulnerability Exploitation ORA1768994894
Containment Measures: Restricted network access to affected HTTP ports
Remediation Measures: Patches released in Critical Patch Update (CPU)
What is the company's incident response plan?
Incident Response Plan: The company's incident response plan is described as Recommended (investigate Oracle E-Business Suite environments), , , Yes (Oracle released patch and urged immediate installation), Oracle Security Alert (Urgent Patching Advisory), , Yes (Google and Oracle), Yes (Oracle Released Emergency Security Alerts and Patches).
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through Okta Threat Intelligence (analysis by Moussa Diallo), , Mandiant (Google Cloud), GTIG, , Mandiant (Google Cloud), Google Threat Intelligence Group (GTIG), , Mandiant (Google Cloud), , Google Mandiant (investigation and advisory), , CrowdStrike (Detection and Analysis), Mandiant (Investigation), Google Threat Intelligence Group (GTIG), , Google Security Researchers, , Google Threat Intelligence, Mandiant, CrowdStrike, , Security researchers (THE RAVEN FILE), .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach ORA392622
Type of Data Compromised: Credit card payment information
Sensitivity of Data: High
Incident : Data Breach ORA344032125
Type of Data Compromised: Sso passwords, Java keystore files, Key files, Jps keys
Number of Records Exposed: 6 million
Sensitivity of Data: High
Data Encryption: Encrypted and hashed passwords
Incident : Data Breach ORA615032225
Type of Data Compromised: Jks files, Encrypted sso passwords, Key files, Jps keys
Number of Records Exposed: 6 million
Sensitivity of Data: High
Data Exfiltration: Yes
Data Encryption: Yes
File Types Exposed: JKS filesSSO passwordsKey filesJPS keys
Incident : Data Breach ORA526032825
Type of Data Compromised: Electronic health records (ehr)
Data Exfiltration: Electronic Health Records (EHR)
Incident : Data Breach ORA455040125
Type of Data Compromised: Sensitive customer data
Sensitivity of Data: High
Incident : Data Breach ORA656040225
Type of Data Compromised: Personal Information
Incident : Data Breach ORA956040325
Type of Data Compromised: Usernames, Email addresses, Hashed passwords, Sso credentials, Ldap credentials, Jks files, Enterprise manager jps keys
Number of Records Exposed: 6 million
Sensitivity of Data: High
File Types Exposed: JKS filesJPS keys
Incident : Data Breach ORA720082025
Type of Data Compromised: Personally identifiable information (pii)
Number of Records Exposed: Unknown
Sensitivity of Data: High
Data Exfiltration: Yes (report accessed)
Personally Identifiable Information: NamesSocial Security Numbers
Incident : phishing ORA805090225
Type of Data Compromised: Credentials (usernames, passwords), Pii (email addresses, phone numbers), Guest data, Payment information, Booking details
Sensitivity of Data: high (financial and personal identifiable information)
Data Exfiltration: likely (credentials sold on dark web)
Personally Identifiable Information: namesemail addressesphone numberspotential payment card data
Incident : Extortion ORA4062140100225
Data Exfiltration: Claimed (unsubstantiated)
Incident : Data Breach ORA1092210100225
Type of Data Compromised: Potentially finance, hr, supply chain data, Client credentials (from january incident)
Sensitivity of Data: High (Enterprise-Critical and Potentially PII)
Data Exfiltration: Claimed by Threat Actor (Unverified)
Personally Identifiable Information: Potential (If HR Data Compromised)
Incident : Data Breach ORA5662156100625
Incident : Data Breach ORA4993249100625
Type of Data Compromised: Personal information (executives), Customer data, Employee hr files
Sensitivity of Data: High (personal and corporate-sensitive data)
Data Exfiltration: Yes (evidenced by extortion emails)
Personally Identifiable Information: Yes (executives' personal data)
Incident : Data Theft ORA1692116100725
Type of Data Compromised: Sensitive corporate documents, Potentially pii
Sensitivity of Data: High (confidential business documents)
Data Exfiltration: Confirmed (by Clop for extortion)
Personally Identifiable Information: Possible (not explicitly confirmed)
Incident : Data Breach ORA4202442101025
Type of Data Compromised: Personally identifiable information (pii) of executives, Customer data, Employee hr files, Corporate sensitive data
Sensitivity of Data: High
Data Exfiltration: Confirmed
Personally Identifiable Information: Yes (Executives and Employees)
Incident : Vulnerability Exploitation ORA0832608101425
Type of Data Compromised: Sensitive resources, Potentially oracle ebs data (as per extortion claims)
Sensitivity of Data: High (Potential Access to Confidential Business Data)
Data Exfiltration: Claimed in Extortion Emails (Unverified)
Incident : Ransomware ORA4332743112125
Type of Data Compromised: Financial records, Personal records, Erp data
Sensitivity of Data: High
Data Exfiltration: Confirmed (threatened release on dark web)
Personally Identifiable Information: Yes
Incident : Ransomware Attack ORA5233252112125
Type of Data Compromised: Corporate internal data, Customer information, Financial records, Personal data
Sensitivity of Data: High
Data Exfiltration: Claimed by Clop (evidenced by dark web leak site listing)
Personally Identifiable Information: Likely (based on extortion threats)
Incident : Data Breach ORAPAR1766015901
Type of Data Compromised: Name, Social security number, Date of birth, Financial account number, Payment card number (without cvv), National id number
Sensitivity of Data: High
Personally Identifiable Information: Yes
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Type of Data Compromised: Personal information, Financial information
Number of Records Exposed: 3,489,274
Sensitivity of Data: High (Social Security numbers, bank account and routing numbers, dates of birth, contact information)
Data Exfiltration: Yes
Personally Identifiable Information: Yes
Incident : Data Breach ORA1766435444
Type of Data Compromised: Names, Dates of birth, Social security numbers, Bank account numbers, Bank routing numbers
Number of Records Exposed: 3,489,274
Sensitivity of Data: High
Data Exfiltration: Yes
Personally Identifiable Information: Yes
Incident : Vulnerability Exploitation ORA1768994894
Type of Data Compromised: Sensitive data
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Data Encryption: True
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Informed clients, Bolstered Gen 1 server security, , implementation of phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn), adaptive risk assessments for unusual access patterns, , Patch Application, Investigation into Potential Prior Compromise, , Urgent patch installation recommended for all customers, , Oracle Security Advisory Issued, Technical Indicators Shared by Google for Detection, , Patch Deployment, Mitigation Guidance for Unpatched Systems, , Patch released in October 2025 Security Alert, , Oracle released patch in October 2025, , Patches released in Critical Patch Update (CPU).
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by password change recommendation, , monitoring for suspicious domain registrations, blocking known malicious domains, , emergency patch release (cve-2025-61882), advisory for customer mitigation, , patch release (cve-2025-61882), indicators of compromise (iocs) shared with customers, , patching cve-2025-61882, disabling exposed ebs components, , emergency patching (cve-2025-61884 & cve-2025-61882), urgent advisory for customers to apply updates, and restricted network access to affected http ports.
Ransomware Information
Was ransomware involved in any of the incidents ?
Incident : Extortion ORA4062140100225
Ransomware Strain: Clop (potential link)
Data Exfiltration: Claimed (unsubstantiated)
Incident : Data Breach ORA1092210100225
Ransomware Strain: Clop (Claimed Affiliation)
Data Exfiltration: Claimed (Unverified)
Incident : Data Breach ORA4993249100625
Ransom Demanded: Yes (extortion emails sent to executives)
Data Exfiltration: Yes
Incident : Data Theft ORA1692116100725
Ransom Demanded: ['Undisclosed (extortion emails sent to executives)']
Ransomware Strain: Clop
Data Encryption: ['No (data theft-only campaign)']
Data Exfiltration: ['Yes']
Incident : Vulnerability Exploitation ORA0832608101425
Ransom Demanded: Extortion Emails Sent (Amount Unspecified)
Ransomware Strain: Cl0p
Data Exfiltration: Claimed (Unverified)
Incident : Ransomware Attack ORA5233252112125
Ransomware Strain: Clop
Data Exfiltration: Confirmed (threatened public release)
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Ransom Demanded: True
Data Encryption: True
Data Exfiltration: True
Regulatory Compliance
Were there any regulatory violations and fines imposed for each incident ?
Incident : Data Breach ORA526032825
Regulations Violated: HIPAA,
Incident : Data Breach ORA720082025
Regulatory Notifications: California Office of the Attorney General
Incident : Data Breach ORA1092210100225
Regulatory Notifications: CISA Warning (January Incident, Potentially Linked)
Incident : Data Theft ORA1692116100725
Regulatory Notifications: Oracle Customer Advisory (non-regulatory)
Incident : Data Breach ORAPAR1766015901
Regulatory Notifications: Reported to the Attorney General of the Commonwealth of Massachusetts
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Regulations Violated: Potential violations of data protection laws (e.g., FERPA, GDPR if applicable),
Regulatory Notifications: Filed with Maine's Attorney General, SEC filing
Incident : Data Breach ORA1766435444
Regulatory Notifications: California Attorney General's officeMaine Attorney General's office
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : phishing ORA805090225
Lessons Learned: Malvertising is an effective initial access vector for targeted phishing campaigns., MFA bypass techniques (e.g., real-time OTP capture) undermine traditional authentication methods., Typosquatted domains and convincing phishing pages can evade user scrutiny., Russian-speaking threat actors continue to leverage proxy infrastructure for anonymity., Hospitality industry is a high-value target due to sensitive guest data and payment systems.
Incident : Data Breach ORA5662156100625
Lessons Learned: Zero-day vulnerabilities in widely used enterprise software like Oracle E-Business Suite can lead to rapid, high-impact exploitation by multiple threat actors. Organizations must prioritize patch management and assume breach scenarios even after patching, given the likelihood of prior compromise during mass exploitation campaigns.
Incident : Data Theft ORA1692116100725
Lessons Learned: Zero-day vulnerabilities in enterprise software like Oracle EBS are high-value targets for ransomware groups., Public PoC disclosures accelerate exploitation by multiple threat actors., Proactive patching and exposure management are critical for mitigating RCE risks.
Incident : Data Breach ORA4202442101025
Lessons Learned: Zero-day vulnerabilities in widely used enterprise software can lead to large-scale data breaches. Proactive patch management and monitoring for unusual network activity are critical. Vendors must ensure transparent communication during ongoing incidents to avoid misinformation.
Incident : Vulnerability Exploitation ORA0832608101425
Lessons Learned: Critical Importance of Timely Patching for Public-Facing Applications, Risks of Zero-Day Exploitation in Enterprise Software, Need for Enhanced Monitoring of Oracle EBS Instances, Potential for Mass Extortion Campaigns Leveraging Stolen Credentials
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Lessons Learned: Ransomware has evolved into a systemic risk with cascading impacts on supply chains, critical services, and industries. Initial access often relies on stolen credentials or social engineering, and supply chain vulnerabilities amplify the impact. Data theft and operational paralysis are primary damage drivers, with delayed consequences such as regulatory penalties or human harm.
What recommendations were made to prevent future incidents ?
Incident : Data Breach ORA392622
Recommendations: Change Passwords, Enhance Security MeasuresChange Passwords, Enhance Security Measures
Incident : phishing ORA805090225
Recommendations: Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)., Implement adaptive risk assessments to detect anomalous access patterns., Monitor for suspicious domain registrations (e.g., typosquatting)., Educate employees and customers about malvertising and phishing risks., Deploy behavioral analytics to detect beaconing and tracking scripts., Restrict access to property management systems with zero-trust principles., Collaborate with threat intelligence providers (e.g., Okta) for IOCs.Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)., Implement adaptive risk assessments to detect anomalous access patterns., Monitor for suspicious domain registrations (e.g., typosquatting)., Educate employees and customers about malvertising and phishing risks., Deploy behavioral analytics to detect beaconing and tracking scripts., Restrict access to property management systems with zero-trust principles., Collaborate with threat intelligence providers (e.g., Okta) for IOCs.Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)., Implement adaptive risk assessments to detect anomalous access patterns., Monitor for suspicious domain registrations (e.g., typosquatting)., Educate employees and customers about malvertising and phishing risks., Deploy behavioral analytics to detect beaconing and tracking scripts., Restrict access to property management systems with zero-trust principles., Collaborate with threat intelligence providers (e.g., Okta) for IOCs.Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)., Implement adaptive risk assessments to detect anomalous access patterns., Monitor for suspicious domain registrations (e.g., typosquatting)., Educate employees and customers about malvertising and phishing risks., Deploy behavioral analytics to detect beaconing and tracking scripts., Restrict access to property management systems with zero-trust principles., Collaborate with threat intelligence providers (e.g., Okta) for IOCs.Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)., Implement adaptive risk assessments to detect anomalous access patterns., Monitor for suspicious domain registrations (e.g., typosquatting)., Educate employees and customers about malvertising and phishing risks., Deploy behavioral analytics to detect beaconing and tracking scripts., Restrict access to property management systems with zero-trust principles., Collaborate with threat intelligence providers (e.g., Okta) for IOCs.Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)., Implement adaptive risk assessments to detect anomalous access patterns., Monitor for suspicious domain registrations (e.g., typosquatting)., Educate employees and customers about malvertising and phishing risks., Deploy behavioral analytics to detect beaconing and tracking scripts., Restrict access to property management systems with zero-trust principles., Collaborate with threat intelligence providers (e.g., Okta) for IOCs.Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)., Implement adaptive risk assessments to detect anomalous access patterns., Monitor for suspicious domain registrations (e.g., typosquatting)., Educate employees and customers about malvertising and phishing risks., Deploy behavioral analytics to detect beaconing and tracking scripts., Restrict access to property management systems with zero-trust principles., Collaborate with threat intelligence providers (e.g., Okta) for IOCs.
Incident : Extortion ORA4062140100225
Recommendations: Investigate Oracle E-Business Suite environments for unusual access or compromise, Monitor for high-volume extortion email campaigns from compromised accounts, Assess potential links to FIN11/Clop ransomware activityInvestigate Oracle E-Business Suite environments for unusual access or compromise, Monitor for high-volume extortion email campaigns from compromised accounts, Assess potential links to FIN11/Clop ransomware activityInvestigate Oracle E-Business Suite environments for unusual access or compromise, Monitor for high-volume extortion email campaigns from compromised accounts, Assess potential links to FIN11/Clop ransomware activity
Incident : Data Breach ORA5662156100625
Recommendations: Immediately apply Oracle's emergency patch for CVE-2025-61882., Conduct forensic investigations to detect signs of prior exploitation., Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Enhance logging and network segmentation for Oracle EBS environments., Review Mandiant's advisory for additional mitigation strategies.Immediately apply Oracle's emergency patch for CVE-2025-61882., Conduct forensic investigations to detect signs of prior exploitation., Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Enhance logging and network segmentation for Oracle EBS environments., Review Mandiant's advisory for additional mitigation strategies.Immediately apply Oracle's emergency patch for CVE-2025-61882., Conduct forensic investigations to detect signs of prior exploitation., Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Enhance logging and network segmentation for Oracle EBS environments., Review Mandiant's advisory for additional mitigation strategies.Immediately apply Oracle's emergency patch for CVE-2025-61882., Conduct forensic investigations to detect signs of prior exploitation., Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Enhance logging and network segmentation for Oracle EBS environments., Review Mandiant's advisory for additional mitigation strategies.Immediately apply Oracle's emergency patch for CVE-2025-61882., Conduct forensic investigations to detect signs of prior exploitation., Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Enhance logging and network segmentation for Oracle EBS environments., Review Mandiant's advisory for additional mitigation strategies.
Incident : Data Breach ORA4993249100625
Recommendations: Install Oracle's patch for CVE-2025-61882 immediately, Monitor systems for Indicators of Compromise (IoCs) provided by Oracle, Enhance security for executive personal data, Review third-party vulnerability disclosures for proactive patchingInstall Oracle's patch for CVE-2025-61882 immediately, Monitor systems for Indicators of Compromise (IoCs) provided by Oracle, Enhance security for executive personal data, Review third-party vulnerability disclosures for proactive patchingInstall Oracle's patch for CVE-2025-61882 immediately, Monitor systems for Indicators of Compromise (IoCs) provided by Oracle, Enhance security for executive personal data, Review third-party vulnerability disclosures for proactive patchingInstall Oracle's patch for CVE-2025-61882 immediately, Monitor systems for Indicators of Compromise (IoCs) provided by Oracle, Enhance security for executive personal data, Review third-party vulnerability disclosures for proactive patching
Incident : Data Theft ORA1692116100725
Recommendations: Immediately patch CVE-2025-61882 in Oracle E-Business Suite environments., Restrict internet exposure of EBS applications and enforce authentication controls., Monitor for signs of data exfiltration, especially via BI Publisher components., Prepare for extortion attempts if using Oracle EBS, given Clop’s history of targeting such vulnerabilities., Engage threat intelligence services (e.g., CrowdStrike, Mandiant) for proactive detection.Immediately patch CVE-2025-61882 in Oracle E-Business Suite environments., Restrict internet exposure of EBS applications and enforce authentication controls., Monitor for signs of data exfiltration, especially via BI Publisher components., Prepare for extortion attempts if using Oracle EBS, given Clop’s history of targeting such vulnerabilities., Engage threat intelligence services (e.g., CrowdStrike, Mandiant) for proactive detection.Immediately patch CVE-2025-61882 in Oracle E-Business Suite environments., Restrict internet exposure of EBS applications and enforce authentication controls., Monitor for signs of data exfiltration, especially via BI Publisher components., Prepare for extortion attempts if using Oracle EBS, given Clop’s history of targeting such vulnerabilities., Engage threat intelligence services (e.g., CrowdStrike, Mandiant) for proactive detection.Immediately patch CVE-2025-61882 in Oracle E-Business Suite environments., Restrict internet exposure of EBS applications and enforce authentication controls., Monitor for signs of data exfiltration, especially via BI Publisher components., Prepare for extortion attempts if using Oracle EBS, given Clop’s history of targeting such vulnerabilities., Engage threat intelligence services (e.g., CrowdStrike, Mandiant) for proactive detection.Immediately patch CVE-2025-61882 in Oracle E-Business Suite environments., Restrict internet exposure of EBS applications and enforce authentication controls., Monitor for signs of data exfiltration, especially via BI Publisher components., Prepare for extortion attempts if using Oracle EBS, given Clop’s history of targeting such vulnerabilities., Engage threat intelligence services (e.g., CrowdStrike, Mandiant) for proactive detection.
Incident : Data Breach ORA4202442101025
Recommendations: Immediately patch Oracle E-Business Suite to the latest version., Monitor networks for indicators of compromise (IoCs) provided by Google., Implement multi-factor authentication (MFA) for all critical systems., Conduct regular security audits for enterprise software., Educate employees about phishing and extortion email tactics.Immediately patch Oracle E-Business Suite to the latest version., Monitor networks for indicators of compromise (IoCs) provided by Google., Implement multi-factor authentication (MFA) for all critical systems., Conduct regular security audits for enterprise software., Educate employees about phishing and extortion email tactics.Immediately patch Oracle E-Business Suite to the latest version., Monitor networks for indicators of compromise (IoCs) provided by Google., Implement multi-factor authentication (MFA) for all critical systems., Conduct regular security audits for enterprise software., Educate employees about phishing and extortion email tactics.Immediately patch Oracle E-Business Suite to the latest version., Monitor networks for indicators of compromise (IoCs) provided by Google., Implement multi-factor authentication (MFA) for all critical systems., Conduct regular security audits for enterprise software., Educate employees about phishing and extortion email tactics.Immediately patch Oracle E-Business Suite to the latest version., Monitor networks for indicators of compromise (IoCs) provided by Google., Implement multi-factor authentication (MFA) for all critical systems., Conduct regular security audits for enterprise software., Educate employees about phishing and extortion email tactics.
Incident : Vulnerability Exploitation ORA0832608101425
Recommendations: Apply Oracle Security Alerts and Critical Patch Updates Immediately, Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Implement Multi-Factor Authentication (MFA) for Oracle EBS, Review and Secure Default Password Reset Mechanisms, Segment Networks to Limit Lateral Movement, Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs)Apply Oracle Security Alerts and Critical Patch Updates Immediately, Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Implement Multi-Factor Authentication (MFA) for Oracle EBS, Review and Secure Default Password Reset Mechanisms, Segment Networks to Limit Lateral Movement, Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs)Apply Oracle Security Alerts and Critical Patch Updates Immediately, Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Implement Multi-Factor Authentication (MFA) for Oracle EBS, Review and Secure Default Password Reset Mechanisms, Segment Networks to Limit Lateral Movement, Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs)Apply Oracle Security Alerts and Critical Patch Updates Immediately, Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Implement Multi-Factor Authentication (MFA) for Oracle EBS, Review and Secure Default Password Reset Mechanisms, Segment Networks to Limit Lateral Movement, Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs)Apply Oracle Security Alerts and Critical Patch Updates Immediately, Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Implement Multi-Factor Authentication (MFA) for Oracle EBS, Review and Secure Default Password Reset Mechanisms, Segment Networks to Limit Lateral Movement, Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs)Apply Oracle Security Alerts and Critical Patch Updates Immediately, Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Implement Multi-Factor Authentication (MFA) for Oracle EBS, Review and Secure Default Password Reset Mechanisms, Segment Networks to Limit Lateral Movement, Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs)
Incident : Ransomware Attack ORA5233252112125
Recommendations: Immediate patching of CVE-2025-61882 for Oracle EBS versions 12.2.3–12.2.14, Monitor for indicators of compromise (IOCs) linked to Clop’s infrastructure (e.g., 96 IPs, support@pubstorm[.]com), Enhance authentication mechanisms for OA_HTML endpoints, Segment networks to limit lateral movement, Implement behavioral analysis for XSLT injection attemptsImmediate patching of CVE-2025-61882 for Oracle EBS versions 12.2.3–12.2.14, Monitor for indicators of compromise (IOCs) linked to Clop’s infrastructure (e.g., 96 IPs, support@pubstorm[.]com), Enhance authentication mechanisms for OA_HTML endpoints, Segment networks to limit lateral movement, Implement behavioral analysis for XSLT injection attemptsImmediate patching of CVE-2025-61882 for Oracle EBS versions 12.2.3–12.2.14, Monitor for indicators of compromise (IOCs) linked to Clop’s infrastructure (e.g., 96 IPs, support@pubstorm[.]com), Enhance authentication mechanisms for OA_HTML endpoints, Segment networks to limit lateral movement, Implement behavioral analysis for XSLT injection attemptsImmediate patching of CVE-2025-61882 for Oracle EBS versions 12.2.3–12.2.14, Monitor for indicators of compromise (IOCs) linked to Clop’s infrastructure (e.g., 96 IPs, support@pubstorm[.]com), Enhance authentication mechanisms for OA_HTML endpoints, Segment networks to limit lateral movement, Implement behavioral analysis for XSLT injection attemptsImmediate patching of CVE-2025-61882 for Oracle EBS versions 12.2.3–12.2.14, Monitor for indicators of compromise (IOCs) linked to Clop’s infrastructure (e.g., 96 IPs, support@pubstorm[.]com), Enhance authentication mechanisms for OA_HTML endpoints, Segment networks to limit lateral movement, Implement behavioral analysis for XSLT injection attempts
Incident : Data Breach ORA1766435444
Recommendations: Sign up for free IDX identity theft protection services, Monitor financial statements for suspicious activity, Request a fraud alert or credit report from major credit bureaus, Seek legal help to understand rights and pursue compensationSign up for free IDX identity theft protection services, Monitor financial statements for suspicious activity, Request a fraud alert or credit report from major credit bureaus, Seek legal help to understand rights and pursue compensationSign up for free IDX identity theft protection services, Monitor financial statements for suspicious activity, Request a fraud alert or credit report from major credit bureaus, Seek legal help to understand rights and pursue compensationSign up for free IDX identity theft protection services, Monitor financial statements for suspicious activity, Request a fraud alert or credit report from major credit bureaus, Seek legal help to understand rights and pursue compensation
Incident : Vulnerability Exploitation ORA1768994894
Recommendations: Apply patches from Oracle's Critical Patch Update (CPU) and restrict network access to affected HTTP ports if immediate patching is not possible.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are Malvertising is an effective initial access vector for targeted phishing campaigns.,MFA bypass techniques (e.g., real-time OTP capture) undermine traditional authentication methods.,Typosquatted domains and convincing phishing pages can evade user scrutiny.,Russian-speaking threat actors continue to leverage proxy infrastructure for anonymity.,Hospitality industry is a high-value target due to sensitive guest data and payment systems.Zero-day vulnerabilities in widely used enterprise software like Oracle E-Business Suite can lead to rapid, high-impact exploitation by multiple threat actors. Organizations must prioritize patch management and assume breach scenarios even after patching, given the likelihood of prior compromise during mass exploitation campaigns.Zero-day vulnerabilities in enterprise software like Oracle EBS are high-value targets for ransomware groups.,Public PoC disclosures accelerate exploitation by multiple threat actors.,Proactive patching and exposure management are critical for mitigating RCE risks.Zero-day vulnerabilities in widely used enterprise software can lead to large-scale data breaches. Proactive patch management and monitoring for unusual network activity are critical. Vendors must ensure transparent communication during ongoing incidents to avoid misinformation.Critical Importance of Timely Patching for Public-Facing Applications,Risks of Zero-Day Exploitation in Enterprise Software,Need for Enhanced Monitoring of Oracle EBS Instances,Potential for Mass Extortion Campaigns Leveraging Stolen CredentialsRansomware has evolved into a systemic risk with cascading impacts on supply chains, critical services, and industries. Initial access often relies on stolen credentials or social engineering, and supply chain vulnerabilities amplify the impact. Data theft and operational paralysis are primary damage drivers, with delayed consequences such as regulatory penalties or human harm.
What recommendations has the company implemented to improve cybersecurity ?
Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Apply patches from Oracle's Critical Patch Update (CPU) and restrict network access to affected HTTP ports if immediate patching is not possible., Enhance logging and network segmentation for Oracle EBS environments., Immediately patch Oracle E-Business Suite to the latest version., Segment Networks to Limit Lateral Movement, Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs), Assess potential links to FIN11/Clop ransomware activity, Investigate Oracle E-Business Suite environments for unusual access or compromise, Implement Multi-Factor Authentication (MFA) for Oracle EBS, Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Conduct regular security audits for enterprise software., Immediately apply Oracle's emergency patch for CVE-2025-61882., Conduct forensic investigations to detect signs of prior exploitation., Monitor networks for indicators of compromise (IoCs) provided by Google., Review and Secure Default Password Reset Mechanisms, Monitor for high-volume extortion email campaigns from compromised accounts, Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Apply Oracle Security Alerts and Critical Patch Updates Immediately, Educate employees about phishing and extortion email tactics., Review Mandiant's advisory for additional mitigation strategies. and Implement multi-factor authentication (MFA) for all critical systems..
References
Where can I find more information about each incident ?
Incident : Data Breach ORA656040225
Source: Cyber Incident Description
Incident : Data Breach ORA720082025
Source: California Office of the Attorney General
Incident : phishing ORA805090225
Source: Okta Threat Intelligence (contributor: Moussa Diallo)
Incident : Extortion ORA4062140100225
Source: BleepingComputer
Incident : Extortion ORA4062140100225
Source: Mandiant (Google Cloud) & GTIG Analysis
Incident : Extortion ORA4062140100225
Source: U.S. State Department Rewards for Justice Program (Clop)
Incident : Data Breach ORA1092210100225
Source: CISA Advisory (January 2023 Oracle Incident)
Incident : Data Breach ORA1092210100225
Source: Emsisoft (MOVEit Impact Report)
Incident : Data Breach ORA5662156100625
Source: Mandiant (Google Cloud) Alert on Cl0p Campaign
Date Accessed: 2025-08
Incident : Data Breach ORA5662156100625
Source: LinkedIn Post by Charles Carmakal (Mandiant CTO)
Date Accessed: 2025-08
Incident : Data Breach ORA4993249100625
Source: Oracle Security Advisory (Rob Duhart, CSO)
Date Accessed: 2025-10-02
Incident : Data Breach ORA4993249100625
Source: Google Mandiant (Charles Carmakal, CTO) - LinkedIn Post
Date Accessed: 2025-10-02
Incident : Data Theft ORA1692116100725
Source: Oracle Security Alert (CVE-2025-61882)
Date Accessed: 2025-10-05
Incident : Data Theft ORA1692116100725
Source: watchTowr Labs (PoC Analysis)
Date Accessed: 2025-05-01
Incident : Data Theft ORA1692116100725
Source: U.S. State Department Reward Program
Incident : Data Breach ORA4202442101025
Source: TechCrunch
URL: https://techcrunch.com/2023/10/05/google-clop-oracle-zero-day-hack/
Date Accessed: 2023-10-05
Incident : Data Breach ORA4202442101025
Source: Google Blog Post
URL: https://blog.google/threat-analysis-group/clop-oracle-zero-day/
Date Accessed: 2023-10-05
Incident : Data Breach ORA4202442101025
Source: Oracle Security Advisory
URL: https://www.oracle.com/security-alerts/
Date Accessed: 2023-10-05
Incident : Vulnerability Exploitation ORA0832608101425
Source: SecurityAffairs
URL: https://securityaffairs.co/wordpress/150000/hacking/oracle-ebs-flaw-cve-2025-61884.html
Date Accessed: 2025-10-14
Incident : Vulnerability Exploitation ORA0832608101425
Source: Oracle Security Alert Advisory
Date Accessed: 2025-10-14
Incident : Vulnerability Exploitation ORA0832608101425
Source: Google Threat Intelligence & Mandiant Analysis
Date Accessed: 2025-10-03
Incident : Vulnerability Exploitation ORA0832608101425
Source: CrowdStrike Report on CVE-2025-61882 Exploitation
Date Accessed: 2025-10-03
Incident : Ransomware ORA4332743112125
Source: THE RAVEN FILE Security Researchers
Incident : Ransomware ORA4332743112125
Source: Clop Ransomware Dark Web Leak Site
Incident : Ransomware ORA4332743112125
Source: Oracle Security Alert (October 2025)
Incident : Ransomware Attack ORA5233252112125
Source: THE RAVEN FILE (Security Research)
Incident : Ransomware Attack ORA5233252112125
Source: Clop Dark Web Leak Site
Incident : Ransomware Attack ORA5233252112125
Source: Oracle Security Advisory (CVE-2025-61882)
Incident : Data Breach ORAPAR1766015901
Source: Attorney General of the Commonwealth of Massachusetts
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Source: BleepingComputer
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Source: University of Phoenix Official Website
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Source: SEC Filing (8-K)
Incident : Data Breach ORA1766435444
Source: Shamis & Gentile P.A.
Incident : Vulnerability Exploitation ORA1768994894
Source: Oracle Critical Patch Update (CPU)
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Source: SOCRadar analysis
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Source: Cybersecurity Ventures
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Cyber Incident Description, and Source: California Office of the Attorney General, and Source: Okta Threat Intelligence (contributor: Moussa Diallo), and Source: BleepingComputer, and Source: Mandiant (Google Cloud) & GTIG Analysis, and Source: U.S. State Department Rewards for Justice Program (Clop)Url: https://www.state.gov/rewards-for-justice-program/, and Source: Recorded Future NewsDate Accessed: 2023-10-04, and Source: Mandiant/GTIG WarningDate Accessed: 2023-10-04, and Source: CISA Advisory (January 2023 Oracle Incident)Url: https://www.cisa.gov/, and Source: Emsisoft (MOVEit Impact Report), and Source: Oracle Security AdvisoryDate Accessed: 2025-08, and Source: Mandiant (Google Cloud) Alert on Cl0p CampaignDate Accessed: 2025-08, and Source: LinkedIn Post by Charles Carmakal (Mandiant CTO)Date Accessed: 2025-08, and Source: Oracle Security Advisory (Rob Duhart, CSO)Date Accessed: 2025-10-02, and Source: Google Mandiant (Charles Carmakal, CTO) - LinkedIn PostDate Accessed: 2025-10-02, and Source: CrowdStrike BlogDate Accessed: 2025-10-07, and Source: BleepingComputer ArticleDate Accessed: 2025-10-06, and Source: Oracle Security Alert (CVE-2025-61882)Date Accessed: 2025-10-05, and Source: watchTowr Labs (PoC Analysis)Date Accessed: 2025-05-01, and Source: U.S. State Department Reward Program, and Source: TechCrunchUrl: https://techcrunch.com/2023/10/05/google-clop-oracle-zero-day-hack/Date Accessed: 2023-10-05, and Source: Google Blog PostUrl: https://blog.google/threat-analysis-group/clop-oracle-zero-day/Date Accessed: 2023-10-05, and Source: Oracle Security AdvisoryUrl: https://www.oracle.com/security-alerts/Date Accessed: 2023-10-05, and Source: SecurityAffairsUrl: https://securityaffairs.co/wordpress/150000/hacking/oracle-ebs-flaw-cve-2025-61884.htmlDate Accessed: 2025-10-14, and Source: Oracle Security Alert AdvisoryDate Accessed: 2025-10-14, and Source: Google Threat Intelligence & Mandiant AnalysisDate Accessed: 2025-10-03, and Source: CrowdStrike Report on CVE-2025-61882 ExploitationDate Accessed: 2025-10-03, and Source: THE RAVEN FILE Security Researchers, and Source: Clop Ransomware Dark Web Leak Site, and Source: Oracle Security Alert (October 2025), and Source: THE RAVEN FILE (Security Research), and Source: Clop Dark Web Leak Site, and Source: Oracle Security Advisory (CVE-2025-61882), and Source: Attorney General of the Commonwealth of Massachusetts, and Source: BleepingComputer, and Source: University of Phoenix Official Website, and Source: SEC Filing (8-K), and Source: Shamis & Gentile P.A., and Source: Oracle Critical Patch Update (CPU), and Source: SOCRadar analysis, and Source: Cybersecurity Ventures.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Data Breach ORA344032125
Investigation Status: Ongoing
Incident : phishing ORA805090225
Investigation Status: ongoing (active campaign)
Incident : Extortion ORA4062140100225
Investigation Status: Ongoing (early stages, claims unsubstantiated)
Incident : Data Breach ORA1092210100225
Investigation Status: Ongoing (Early Stages)
Incident : Data Breach ORA5662156100625
Investigation Status: Ongoing (developing story)
Incident : Data Breach ORA4993249100625
Investigation Status: Ongoing (Google Mandiant involved in analysis)
Incident : Data Theft ORA1692116100725
Investigation Status: Ongoing (CrowdStrike, Mandiant, GTIG)
Incident : Data Breach ORA4202442101025
Investigation Status: Ongoing (Active Exploitation Confirmed)
Incident : Vulnerability Exploitation ORA0832608101425
Investigation Status: Ongoing (Google, Mandiant, and CrowdStrike Investigating Extent of Exploitation)
Incident : Ransomware ORA4332743112125
Investigation Status: Ongoing (infrastructure analysis links to prior MOVEit attacks)
Incident : Ransomware Attack ORA5233252112125
Investigation Status: Ongoing (Clop’s claims under verification; Oracle’s internal investigation likely)
Incident : Data Breach ORAPAR1766015901
Investigation Status: Completed
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Investigation Status: Ongoing
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Customer Advisory, Criticized For Lack Of Transparency, Private letters to customers, Outright Denial, Potentially Misleading Statements, Accusations Of Deleting Evidence Online, Customer Advisories About Impersonation Attempts, Industry-Wide Alerts, Public Warning Via Cybersecurity Firms (Mandiant, Gtig), Media Outreach (Recorded Future News), Public Advisory, Linkedin Post By Oracle Cso, Mandiant Technical Alert, Public Security Advisory By Oracle Cso Rob Duhart, Linkedin Post By Google Mandiant Cto Charles Carmakal, Oracle Customer Advisory, Public Disclosure Of Poc Risks, Public Advisory By Oracle, Blog Post By Google, Media Statements, Public Security Advisories, Direct Customer Notifications, Data breach notification letters mailed to impacted individuals, Public disclosure on official website, SEC filing, notification letters to affected individuals, Written notice to affected individuals on Dec. 22 and 2025.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Data Breach ORA392622
Customer Advisories: Oracle urged Micros customers to change their passwords and any passwords used by Micros representatives to access their on-premise systems.
Incident : Data Breach ORA455040125
Customer Advisories: Private letters to customers
Incident : phishing ORA805090225
Stakeholder Advisories: Warn Customers About Impersonation Attempts, Share Indicators Of Compromise (Iocs) With Industry Peers.
Customer Advisories: avoid clicking on sponsored search ads for hospitality servicesverify URLs before entering credentialsreport suspicious login pages
Incident : Extortion ORA4062140100225
Customer Advisories: Recommended: Investigate Oracle E-Business Suite for compromise
Incident : Data Breach ORA1092210100225
Stakeholder Advisories: Mandiant/Gtig Warning To Corporate Executives.
Incident : Data Breach ORA5662156100625
Stakeholder Advisories: Oracle and Mandiant have issued public advisories urging immediate action.
Customer Advisories: Customers advised to patch and investigate potential compromise.
Incident : Data Breach ORA4993249100625
Stakeholder Advisories: Oracle Customers Urged To Patch Immediately, Executives Warned About Extortion Emails.
Customer Advisories: Patch installation guidanceIoCs for detecting compromise
Incident : Data Theft ORA1692116100725
Stakeholder Advisories: Oracle Urgent Patching Advisory, Crowdstrike Threat Assessment.
Customer Advisories: Extortion Emails from Clop to Executives
Incident : Data Breach ORA4202442101025
Stakeholder Advisories: Oracle and Google have issued advisories with technical details for detection and mitigation.
Customer Advisories: Organizations using Oracle E-Business Suite advised to apply patches and monitor for suspicious activity.
Incident : Vulnerability Exploitation ORA0832608101425
Stakeholder Advisories: Oracle Customers Urged To Patch Immediately, Executives Warned About Extortion Emails.
Customer Advisories: Apply Emergency Patches for CVE-2025-61884 and CVE-2025-61882Monitor for Suspicious Activity
Incident : Ransomware Attack ORA5233252112125
Customer Advisories: Extortion emails sent to victims via support@pubstorm[.]com
Incident : Data Breach ORAPAR1766015901
Customer Advisories: 24 months of complimentary credit monitoring services provided to affected individuals
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Stakeholder Advisories: Notification letters mailed to affected individuals, public disclosure on website
Customer Advisories: Free identity protection services offered (credit monitoring, identity theft recovery, dark web monitoring, $1 million fraud reimbursement policy)
Incident : Data Breach ORA1766435444
Customer Advisories: Affected individuals notified via written notice on Dec. 22, 2025
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Oracle urged Micros customers to change their passwords and any passwords used by Micros representatives to access their on-premise systems., Private letters to customers, Warn Customers About Impersonation Attempts, Share Indicators Of Compromise (Iocs) With Industry Peers, Avoid Clicking On Sponsored Search Ads For Hospitality Services, Verify Urls Before Entering Credentials, Report Suspicious Login Pages, , Recommended: Investigate Oracle E-Business Suite for compromise, Mandiant/Gtig Warning To Corporate Executives, Oracle and Mandiant have issued public advisories urging immediate action., Customers advised to patch and investigate potential compromise., Oracle Customers Urged To Patch Immediately, Executives Warned About Extortion Emails, Patch Installation Guidance, Iocs For Detecting Compromise, , Oracle Urgent Patching Advisory, Crowdstrike Threat Assessment, Extortion Emails From Clop To Executives, , Oracle and Google have issued advisories with technical details for detection and mitigation., Organizations using Oracle E-Business Suite advised to apply patches and monitor for suspicious activity., Oracle Customers Urged To Patch Immediately, Executives Warned About Extortion Emails, Apply Emergency Patches For Cve-2025-61884 And Cve-2025-61882, Monitor For Suspicious Activity, , Extortion Emails Sent To Victims Via Support@Pubstorm[.]Com, , 24 months of complimentary credit monitoring services provided to affected individuals, Notification letters mailed to affected individuals, public disclosure on website, Free identity protection services offered (credit monitoring, identity theft recovery, dark web monitoring, $1 million fraud reimbursement policy), Affected individuals notified via written notice on Dec. 22 and 2025.
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Data Breach ORA615032225
Entry Point: CVE-2021-35587
Incident : phishing ORA805090225
Entry Point: Malvertising (Malicious Search Engine Ads), Typosquatted Domains,
High Value Targets: Cloud-Based Property Management Systems, Guest Messaging Platforms, Payment Processing Systems,
Data Sold on Dark Web: Cloud-Based Property Management Systems, Guest Messaging Platforms, Payment Processing Systems,
Incident : Extortion ORA4062140100225
Entry Point: Compromised Email Accounts
High Value Targets: Executives at multiple companies
Data Sold on Dark Web: Executives at multiple companies
Incident : Data Breach ORA1092210100225
Entry Point: Compromised Email Accounts, Potential Exploitation Of Oracle E-Business Suite Vulnerabilities,
High Value Targets: Corporate Executives, Finance/Hr/Supply Chain Data,
Data Sold on Dark Web: Corporate Executives, Finance/Hr/Supply Chain Data,
Incident : Data Breach ORA5662156100625
Entry Point: Oracle E-Business Suite Concurrent Processing Component (via HTTP)
High Value Targets: Enterprise data within Oracle EBS environments
Data Sold on Dark Web: Enterprise data within Oracle EBS environments
Incident : Data Breach ORA4993249100625
Entry Point: CVE-2025-61882 (Oracle E-Business Suite zero-day)
Reconnaissance Period: Likely conducted prior to August 2025 (exploitation began in August)
High Value Targets: Corporate Executives' Personal Data,
Data Sold on Dark Web: Corporate Executives' Personal Data,
Incident : Data Theft ORA1692116100725
Entry Point: Cve-2025-61882 (Oracle Ebs Bi Publisher),
Reconnaissance Period: ['Potentially since early August 2025 (zero-day exploitation)']
High Value Targets: Sensitive Corporate Documents,
Data Sold on Dark Web: Sensitive Corporate Documents,
Incident : Data Breach ORA4202442101025
Entry Point: Zero-Day Vulnerability in Oracle E-Business Suite (Network-Based, No Authentication Required)
Reconnaissance Period: Since at least 2023-07-10
High Value Targets: Corporate Executives, Hr And Customer Data,
Data Sold on Dark Web: Corporate Executives, Hr And Customer Data,
Incident : Vulnerability Exploitation ORA0832608101425
Entry Point: Exploitation Of Oracle Ebs Vulnerabilities (Cve-2025-61882, Cve-2025-61884), Hacked User Emails, Default Password Reset Mechanisms,
Reconnaissance Period: Potentially Began on 2025-07-10 (Prior to July Patches)
High Value Targets: Company Executives (Extortion Emails), Oracle Ebs Databases,
Data Sold on Dark Web: Company Executives (Extortion Emails), Oracle Ebs Databases,
Incident : Ransomware ORA4332743112125
Entry Point: OA_HTML/SyncServlet (Authentication Bypass) & OA_HTML/RF.jsp (XSLT Injection)
Reconnaissance Period: Observed as early as June 2025, active exploitation from August 2025
High Value Targets: Oracle E-Business Suite Erp Data, Financial Records, Personal Records,
Data Sold on Dark Web: Oracle E-Business Suite Erp Data, Financial Records, Personal Records,
Incident : Ransomware Attack ORA5233252112125
Entry Point: Oracle E-Business Suite (Ebs) Syncservlet Endpoint,
Reconnaissance Period: Likely conducted prior to August 2025 (exploitation start date)
High Value Targets: Erp Data (Order Management, Procurement, Logistics), Customer Databases,
Data Sold on Dark Web: Erp Data (Order Management, Procurement, Logistics), Customer Databases,
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Entry Point: Oracle E-Business Suite (EBS) zero-day vulnerability (CVE-2025-61882)
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Entry Point: Stolen Credentials, Social Engineering,
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Data Breach ORA615032225
Root Causes: Vulnerable software version, compromised subdomain
Incident : phishing ORA805090225
Root Causes: Over-Reliance On Traditional Mfa Methods Vulnerable To Real-Time Phishing., Lack Of Visibility Into Malvertising Campaigns Targeting Brand Impersonation., Insufficient Monitoring For Typosquatted Domains And Beaconing Activity.,
Corrective Actions: Replace Sms/Email-Based Mfa With Phishing-Resistant Alternatives., Proactively Register Defensive Domains To Prevent Typosquatting., Enhance Threat Intelligence Sharing Within The Hospitality Sector., Deploy Solutions To Detect And Block Malicious Ads In Search Results.,
Incident : Data Breach ORA5662156100625
Root Causes: Zero-Day Vulnerability (Cve-2025-61882) In Oracle E-Business Suite., Lack Of Authentication Requirements For Exploitation., High-Volume Email Campaign Leveraging Compromised Accounts (Per Mandiant).,
Corrective Actions: Emergency Patch Release By Oracle., Public Disclosure And Customer Advisories., Collaboration With Mandiant For Threat Intelligence Sharing.,
Incident : Data Breach ORA4993249100625
Root Causes: Zero-Day Vulnerability (Cve-2025-61882) In Oracle E-Business Suite, Insufficient Proactive Patching For Prior Vulnerabilities (July 2025 Patches Bypassed),
Corrective Actions: Patch Deployment, Customer Advisory For Ioc Monitoring,
Incident : Data Theft ORA1692116100725
Root Causes: Unpatched Oracle Ebs Vulnerability (Cve-2025-61882), Internet-Exposed Ebs Applications Without Authentication Safeguards, Delayed Patching Despite Active Exploitation,
Corrective Actions: Apply Oracle’S Security Patch For Cve-2025-61882., Implement Network Segmentation For Ebs Environments., Deploy Behavioral Detection For Rce Attempts (E.G., Crowdstrike Falcon)., Conduct Threat Hunting For Signs Of Clop Or Graceful Spider Activity.,
Incident : Data Breach ORA4202442101025
Root Causes: Unpatched Zero-Day Vulnerability In Oracle E-Business Suite, Inadequate Initial Response By Oracle (Premature Claim Of Patch Effectiveness), Lack Of Network Segmentation Or Access Controls To Limit Exploitation,
Corrective Actions: Oracle Released Emergency Patches And Advisories, Google Shared Detection Indicators For Affected Organizations, Recommended Enhanced Monitoring For Extortion Emails And Unusual Data Access,
Incident : Vulnerability Exploitation ORA0832608101425
Root Causes: Unpatched Vulnerabilities In Oracle E-Business Suite, Lack Of Authentication For Remote Exploitation, Potential Weaknesses In Default Password Reset Mechanisms, Delayed Patch Deployment By Some Customers,
Corrective Actions: Oracle Released Out-Of-Band Patches, Customers Advised To Apply Patches And Monitor Systems, Enhanced Threat Intelligence Sharing (E.G., Poc Disclosure As Ioc),
Incident : Ransomware ORA4332743112125
Root Causes: Zero-Day Exploit (Cve-2025-61882), Delayed Patch Release (Exploited For Months Pre-Patch), Reused Attack Infrastructure From Moveit (Cve-2023-34362),
Corrective Actions: Patch Deployment (October 2025), Infrastructure Monitoring For 96 Linked Ips (41 Subnets Reused From Moveit),
Incident : Ransomware Attack ORA5233252112125
Root Causes: Unpatched Zero-Day Vulnerability (Cve-2025-61882) In Oracle Ebs, Lack Of Pre-Authentication Protections For Syncservlet Endpoint, Reuse Of Attack Infrastructure From Prior Campaigns (E.G., Moveit Cve-2023-34362),
Incident : Data Breach, Ransomware PRIORAUNI1766419165
Root Causes: Exploitation of zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882)
Incident : Vulnerability Exploitation ORA1768994894
Root Causes: Flaw in how WebLogic Server Proxy Plug-ins process incoming requests
Corrective Actions: Patches released, network access restrictions recommended
Incident : Ransomware THEINGSALJAGORASYNDAV1769095448
Root Causes: Supply Chain Vulnerabilities, Stolen Credentials, Social Engineering, It-Ot Convergence Risks,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Okta Threat Intelligence (Analysis By Moussa Diallo), , Real-Time Tracking Of Typosquatted Domains, Beaconing Detection, , Mandiant (Google Cloud), Gtig, , Recommended (for unusual access), Mandiant (Google Cloud), Google Threat Intelligence Group (Gtig), , Mandiant (Google Cloud), , Recommended for customers to detect prior compromise, Google Mandiant (Investigation And Advisory), , Crowdstrike (Detection And Analysis), Mandiant (Investigation), Google Threat Intelligence Group (Gtig), , Recommended For Oracle Ebs Environments, , Google Security Researchers, , Recommended (Google Provided Indicators for Detection), Google Threat Intelligence, Mandiant, Crowdstrike, , Recommended (Oracle Advised Customers to Monitor for Exploitation Attempts), Security Researchers (The Raven File), .
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Replace Sms/Email-Based Mfa With Phishing-Resistant Alternatives., Proactively Register Defensive Domains To Prevent Typosquatting., Enhance Threat Intelligence Sharing Within The Hospitality Sector., Deploy Solutions To Detect And Block Malicious Ads In Search Results., , Emergency Patch Release By Oracle., Public Disclosure And Customer Advisories., Collaboration With Mandiant For Threat Intelligence Sharing., , Patch Deployment, Customer Advisory For Ioc Monitoring, , Apply Oracle’S Security Patch For Cve-2025-61882., Implement Network Segmentation For Ebs Environments., Deploy Behavioral Detection For Rce Attempts (E.G., Crowdstrike Falcon)., Conduct Threat Hunting For Signs Of Clop Or Graceful Spider Activity., , Oracle Released Emergency Patches And Advisories, Google Shared Detection Indicators For Affected Organizations, Recommended Enhanced Monitoring For Extortion Emails And Unusual Data Access, , Oracle Released Out-Of-Band Patches, Customers Advised To Apply Patches And Monitor Systems, Enhanced Threat Intelligence Sharing (E.G., Poc Disclosure As Ioc), , Patch Deployment (October 2025), Infrastructure Monitoring For 96 Linked Ips (41 Subnets Reused From Moveit), , Patches released, network access restrictions recommended.
Additional Questions
General Information
What was the amount of the last ransom demanded ?
Last Ransom Demanded: The amount of the last ransom demanded was Yes (extortion emails sent to executives).
Who was the attacking group in the last incident ?
Last Attacking Group: The attacking group in the last incident were an Russian Cybercrime Group, rose87168, 'rose87168', rose87168, Unauthorized Individual, Russian-speaking cybercriminalsunknown APT/group (potential initial access brokers), FIN11 (suspected)Clop Ransomware Gang (potential link), Clop (FIN11)Potentially Impersonating Clop, Cl0p Ransomware GroupScattered LAPSUS$ Hunters, Clop (hacking group linked to ransomware and extortion), Clop Ransomware GangGRACEFUL SPIDER (moderate confidence), Clop Ransomware/Extortion Gang, Cl0p Ransomware Group (Graceful Spider)FIN11Potential involvement of Scattered Spider, Slippy Spider (Lapsus$), ShinyHunters, Clop Ransomware Gang (Graceful Spider), Name: ['Clop Ransomware Gang', 'Graceful Spider']Origin: Russian-linkedConfirmed Victims: 1025Ransom Extracted: $500 million (since 2019)Associated Infrastructure: {'ip_addresses': 96, 'reused_ips_from_moveit': 41, 'geographic_distribution': [{'country': 'Germany', 'ip_count': 16}, {'country': 'Brazil', 'ip_count': 13}, {'country': 'Panama', 'ip_count': 12}], 'service_providers': ['Russian-based']}, Unauthorized third party, Clop ransomware gang and CL0P ransomware group.
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2013-07-10.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025.
Impact of the Incidents
What was the highest financial loss from an incident ?
Highest Financial Loss: The highest financial loss from an incident was $275 billion annually by 2031 (projected global cost).
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were Credit Card Payment Information, , SSO passwords, Java Keystore files, Key files, JPS keys, , JKS files, Encrypted SSO passwords, Key files, JPS keys, , Electronic Health Records (EHR), , Personal Information, usernames, email addresses, hashed passwords, SSO credentials, LDAP credentials, JKS files, Enterprise Manager JPS keys, , Names, Social Security Numbers, , guest personal information, payment data, booking system credentials, operational data, , Potentially Finance, HR, and Supply Chain Data (Oracle E-Business Suite), , Large amounts of data (exact scope undisclosed), Personal information of corporate executives, Customer data, Employee HR files, , Sensitive Documents, Potentially PII or Corporate Data, , Corporate Executive Data, Customer Data, Employee HR Files, Sensitive Corporate Data, , Sensitive Resources, Potential Oracle E-Business Suite Data (as claimed in extortion emails), , Financial Records, Personal Records, ERP Data, , Internal Corporate Data, Customer Information, Financial Records, Personal Data, , Sensitive personal identifiable information, 3,489,274 records, Sensitive personally identifiable information, Sensitive data and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident was MICROS Point-of-Sale Systems and and Legacy Servers and legacy Cerner data migration servers and Login ServersLegacy Cerner Data and Gen 1 serverslegacy systems and cloud-based property management systemsguest messaging platformsauthentication systems and Oracle E-Business Suite (potential) and Oracle E-Business Suite and and Oracle E-Business Suite and Oracle E-Business Suite (EBS) with unpatched BI Publisher Integration and Oracle E-Business Suite and Oracle E-Business Suite (Versions 12.2.3–12.2.14)Runtime UI ComponentBI Publisher IntegrationConcurrent Processing Component and Oracle E-Business Suite (Versions 12.2.3–12.2.14)Internal Corporate Systems and Oracle E-Business Suite (EBS) ServersEnterprise Resource Planning (ERP) Systems and and and and and SaaS platformsIT distribution networksHealthcare infrastructureManufacturing OT systemsAviation systems.
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was okta threat intelligence (analysis by moussa diallo), , mandiant (google cloud), gtig, , mandiant (google cloud), google threat intelligence group (gtig), , mandiant (google cloud), , google mandiant (investigation and advisory), , crowdstrike (detection and analysis), mandiant (investigation), google threat intelligence group (gtig), , google security researchers, , google threat intelligence, mandiant, crowdstrike, , security researchers (the raven file), .
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Password Change Recommendation, monitoring for suspicious domain registrationsblocking known malicious domains, Emergency Patch Release (CVE-2025-61882)Advisory for Customer Mitigation, Patch release (CVE-2025-61882)Indicators of Compromise (IoCs) shared with customers, Patching CVE-2025-61882Disabling Exposed EBS Components, Emergency Patching (CVE-2025-61884 & CVE-2025-61882)Urgent Advisory for Customers to Apply Updates and Restricted network access to affected HTTP ports.
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Potential Oracle E-Business Suite Data (as claimed in extortion emails), usernames, Financial Records, Enterprise Manager JPS keys, Customer data, JKS files, Encrypted SSO passwords, Sensitive data, Key files, Personal Data, Employee HR Files, Sensitive personal identifiable information, Potentially PII or Corporate Data, Credit Card Payment Information, Personal information of corporate executives, payment data, hashed passwords, guest personal information, SSO credentials, booking system credentials, Sensitive Documents, email addresses, Employee HR files, LDAP credentials, Java Keystore files, Sensitive personally identifiable information, SSO passwords, Large amounts of data (exact scope undisclosed), Customer Information, Customer Data, Names, Social Security Numbers, JPS keys, operational data, Sensitive Resources, Sensitive Corporate Data, Corporate Executive Data, Internal Corporate Data, Electronic Health Records (EHR), Personal Information, ERP Data, 3,489,274 records, Personal Records, Potentially Finance, HR and and Supply Chain Data (Oracle E-Business Suite).
What was the number of records exposed in the most significant breach ?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 25.0M.
Ransomware Information
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Potential for Mass Extortion Campaigns Leveraging Stolen Credentials, Ransomware has evolved into a systemic risk with cascading impacts on supply chains, critical services, and industries. Initial access often relies on stolen credentials or social engineering, and supply chain vulnerabilities amplify the impact. Data theft and operational paralysis are primary damage drivers, with delayed consequences such as regulatory penalties or human harm.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Collaborate with threat intelligence providers (e.g., Okta) for IOCs., Apply patches from Oracle's Critical Patch Update (CPU) and restrict network access to affected HTTP ports if immediate patching is not possible., Enhance logging and network segmentation for Oracle EBS environments., Immediately patch Oracle E-Business Suite to the latest version., Enhance security for executive personal data, Segment Networks to Limit Lateral Movement, Educate employees and customers about malvertising and phishing risks., Deploy behavioral analytics to detect beaconing and tracking scripts., Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs), Assess potential links to FIN11/Clop ransomware activity, Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)., Investigate Oracle E-Business Suite environments for unusual access or compromise, Segment networks to limit lateral movement, Implement Multi-Factor Authentication (MFA) for Oracle EBS, Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Conduct regular security audits for enterprise software., Immediately apply Oracle's emergency patch for CVE-2025-61882., Monitor financial statements for suspicious activity, Implement adaptive risk assessments to detect anomalous access patterns., Monitor for suspicious domain registrations (e.g., typosquatting)., Conduct forensic investigations to detect signs of prior exploitation., Engage threat intelligence services (e.g., CrowdStrike, Mandiant) for proactive detection., Seek legal help to understand rights and pursue compensation, Request a fraud alert or credit report from major credit bureaus, Change Passwords, Monitor networks for indicators of compromise (IoCs) provided by Google., Review and Secure Default Password Reset Mechanisms, Monitor for high-volume extortion email campaigns from compromised accounts, Enhance Security Measures, Install Oracle's patch for CVE-2025-61882 immediately, Immediately patch CVE-2025-61882 in Oracle E-Business Suite environments., Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Educate employees about phishing and extortion email tactics., Apply Oracle Security Alerts and Critical Patch Updates Immediately, Implement behavioral analysis for XSLT injection attempts, Immediate patching of CVE-2025-61882 for Oracle EBS versions 12.2.3–12.2.14, Review third-party vulnerability disclosures for proactive patching, Sign up for free IDX identity theft protection services, Restrict access to property management systems with zero-trust principles., Monitor for indicators of compromise (IOCs) linked to Clop’s infrastructure (e.g., 96 IPs, support@pubstorm[.]com), Monitor for signs of data exfiltration, especially via BI Publisher components., Review Mandiant's advisory for additional mitigation strategies., Prepare for extortion attempts if using Oracle EBS, given Clop’s history of targeting such vulnerabilities., Restrict internet exposure of EBS applications and enforce authentication controls., Implement multi-factor authentication (MFA) for all critical systems., Enhance authentication mechanisms for OA_HTML endpoints and Monitor systems for Indicators of Compromise (IoCs) provided by Oracle.
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are California Office of the Attorney General, Oracle Security Alert (CVE-2025-61882), Clop Dark Web Leak Site, watchTowr Labs (PoC Analysis), Cybersecurity Ventures, Google Blog Post, SEC Filing (8-K), SOCRadar analysis, Mandiant (Google Cloud) & GTIG Analysis, Shamis & Gentile P.A., U.S. State Department Rewards for Justice Program (Clop), THE RAVEN FILE Security Researchers, University of Phoenix Official Website, Mandiant/GTIG Warning, Cyber Incident Description, TechCrunch, CrowdStrike Report on CVE-2025-61882 Exploitation, Google Threat Intelligence & Mandiant Analysis, Emsisoft (MOVEit Impact Report), Oracle Security Advisory (CVE-2025-61882), Google Mandiant (Charles Carmakal, CTO) - LinkedIn Post, Oracle Security Alert Advisory, LinkedIn Post by Charles Carmakal (Mandiant CTO), Okta Threat Intelligence (contributor: Moussa Diallo), CISA Advisory (January 2023 Oracle Incident), BleepingComputer Article, Attorney General of the Commonwealth of Massachusetts, Oracle Critical Patch Update (CPU), Recorded Future News, Oracle Security Advisory, SecurityAffairs, Oracle Security Advisory (Rob Duhart, CSO), Mandiant (Google Cloud) Alert on Cl0p Campaign, Oracle Security Alert (October 2025), CrowdStrike Blog, BleepingComputer, Clop Ransomware Dark Web Leak Site, U.S. State Department Reward Program and THE RAVEN FILE (Security Research).
What is the most recent URL for additional resources on cybersecurity best practices ?
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.state.gov/rewards-for-justice-program/, https://www.cisa.gov/, https://techcrunch.com/2023/10/05/google-clop-oracle-zero-day-hack/, https://blog.google/threat-analysis-group/clop-oracle-zero-day/, https://www.oracle.com/security-alerts/, https://securityaffairs.co/wordpress/150000/hacking/oracle-ebs-flaw-cve-2025-61884.html .
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was warn customers about impersonation attempts, share indicators of compromise (IOCs) with industry peers, Mandiant/GTIG Warning to Corporate Executives, Oracle and Mandiant have issued public advisories urging immediate action., Oracle customers urged to patch immediately, Executives warned about extortion emails, Oracle Urgent Patching Advisory, CrowdStrike Threat Assessment, Oracle and Google have issued advisories with technical details for detection and mitigation., Oracle Customers Urged to Patch Immediately, Executives Warned About Extortion Emails, Notification letters mailed to affected individuals, public disclosure on website, .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued were an Oracle urged Micros customers to change their passwords and any passwords used by Micros representatives to access their on-premise systems., Private letters to customers, avoid clicking on sponsored search ads for hospitality servicesverify URLs before entering credentialsreport suspicious login pages, Recommended: Investigate Oracle E-Business Suite for compromise, Customers advised to patch and investigate potential compromise., Patch installation guidanceIoCs for detecting compromise, Extortion Emails from Clop to Executives, Organizations using Oracle E-Business Suite advised to apply patches and monitor for suspicious activity., Apply Emergency Patches for CVE-2025-61884 and CVE-2025-61882Monitor for Suspicious Activity, Extortion emails sent to victims via support@pubstorm[.]com, 24 months of complimentary credit monitoring services provided to affected individuals, Free identity protection services offered (credit monitoring, identity theft recovery, dark web monitoring, $1 million fraud reimbursement policy), Affected individuals notified via written notice on Dec. 22 and 2025.
Initial Access Broker
What was the most recent entry point used by an initial access broker ?
Most Recent Entry Point: The most recent entry point used by an initial access broker were an Zero-Day Vulnerability in Oracle E-Business Suite (Network-Based, No Authentication Required), OA_HTML/SyncServlet (Authentication Bypass) & OA_HTML/RF.jsp (XSLT Injection), Oracle E-Business Suite (EBS) zero-day vulnerability (CVE-2025-61882), CVE-2021-35587, CVE-2025-61882 (Oracle E-Business Suite zero-day), Oracle E-Business Suite Concurrent Processing Component (via HTTP) and Compromised Email Accounts.
What was the most recent reconnaissance period for an incident ?
Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Likely conducted prior to August 2025 (exploitation began in August), Potentially since early August 2025 (zero-day exploitation), Since at least 2023-07-10, Potentially Began on 2025-07-10 (Prior to July Patches), Observed as early as June 2025, active exploitation from August 2025, Likely conducted prior to August 2025 (exploitation start date).
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis ?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Vulnerable software version, compromised subdomain, Over-reliance on traditional MFA methods vulnerable to real-time phishing.Lack of visibility into malvertising campaigns targeting brand impersonation.Insufficient monitoring for typosquatted domains and beaconing activity., Zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite.Lack of authentication requirements for exploitation.High-volume email campaign leveraging compromised accounts (per Mandiant)., Zero-day vulnerability (CVE-2025-61882) in Oracle E-Business SuiteInsufficient proactive patching for prior vulnerabilities (July 2025 patches bypassed), Unpatched Oracle EBS vulnerability (CVE-2025-61882)Internet-exposed EBS applications without authentication safeguardsDelayed patching despite active exploitation, Unpatched Zero-Day Vulnerability in Oracle E-Business SuiteInadequate Initial Response by Oracle (Premature Claim of Patch Effectiveness)Lack of Network Segmentation or Access Controls to Limit Exploitation, Unpatched Vulnerabilities in Oracle E-Business SuiteLack of Authentication for Remote ExploitationPotential Weaknesses in Default Password Reset MechanismsDelayed Patch Deployment by Some Customers, Zero-Day Exploit (CVE-2025-61882)Delayed Patch Release (exploited for months pre-patch)Reused Attack Infrastructure from MOVEit (CVE-2023-34362), Unpatched zero-day vulnerability (CVE-2025-61882) in Oracle EBSLack of pre-authentication protections for SyncServlet endpointReuse of attack infrastructure from prior campaigns (e.g., MOVEit CVE-2023-34362), Exploitation of zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882), Flaw in how WebLogic Server Proxy Plug-ins process incoming requests, Supply chain vulnerabilitiesStolen credentialsSocial engineeringIT-OT convergence risks.
What was the most significant corrective action taken based on post-incident analysis ?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Replace SMS/email-based MFA with phishing-resistant alternatives.Proactively register defensive domains to prevent typosquatting.Enhance threat intelligence sharing within the hospitality sector.Deploy solutions to detect and block malicious ads in search results., Emergency patch release by Oracle.Public disclosure and customer advisories.Collaboration with Mandiant for threat intelligence sharing., Patch deploymentCustomer advisory for IoC monitoring, Apply Oracle’s security patch for CVE-2025-61882.Implement network segmentation for EBS environments.Deploy behavioral detection for RCE attempts (e.g., CrowdStrike Falcon).Conduct threat hunting for signs of Clop or GRACEFUL SPIDER activity., Oracle Released Emergency Patches and AdvisoriesGoogle Shared Detection Indicators for Affected OrganizationsRecommended Enhanced Monitoring for Extortion Emails and Unusual Data Access, Oracle Released Out-of-Band PatchesCustomers Advised to Apply Patches and Monitor SystemsEnhanced Threat Intelligence Sharing (e.g., POC Disclosure as IOC), Patch deployment (October 2025)Infrastructure monitoring for 96 linked IPs (41 subnets reused from MOVEit), Patches released, network access restrictions recommended.
.png)
Latest Global CVEs (Not Company-Specific)
Description
Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2.
Risk Information
cvss3
Base: 5.4
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Description
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the unsafe innerHTML property to render domain search results.
Description
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise.
Description
A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above.
Risk Information
cvss3
Base: 6.0
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
cvss4
Base: 6.0
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
Description
An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions.
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=oracle' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
