Oracle confirmed Oct. 2 that some of its E-Business Suite (EBS) customers have received extortion emails but did not directly tie the attacks to the Clop ransomware gang, which reportedly claimed responsibility for the cyber incident.Rob Duhart, chief security officer at Oracle, disclosed potential exploitation of vulnerabilities that were addressed in Oracle’s July 2025 critical patch updates and reiterated in his Oct. 2 statement that Oracle strongly recommend customers apply the latest patches immediately.Three of the nine flaws – CVE-2025-30745, CVE-2025-30746 and CVE-2025-50107 – are of medium severity and exploitable remotely without requiring user credentials.The Google Threat Intelligence Group (GTIG) on Oct. 2 also posted on LinkedIn that on or around Sept. 29, the threat actor Clop began sending extortion emails to executives at numerous organizations. The emails claim the actor had breached the recipients' Oracle E-Business Suite applications and stolen sensitive data."Organizations using EBS should immediately apply all July patches and use Oracle's checker to confirm they're protected,” said Damon Small, a board member at Xcape, Inc. “This campaign highlights how quickly attackers target newly-revealed vulnerabilities, especially in common enterprise systems. If organizations are not updating critical software immediately in the face of such vulnerabilities, they are doing it wrong.”Certis Foster, senior threat hunter lead at Deepwatch, explained that what matters most is the attackers aren't exploiting the CVEs directly: they abuse the default password reset function on the internet-facing Oracle EBS portals to gain valid credentials.Forster said there are reports of ransom demands up to $50 million, along with victims being shown screenshots as proof of this attack. While the extortion emails reportedly began around Sept. 29, reconnaissance activity and potential access likely started weeks earlier—most likely in the time frame between when Oracle communicated that patches were available in July and recently.“If these Oracle EBS applications must remain externally accessible, please ensure that IDP SSO and MFA are enforced to prevent exposure,” said Certis. “The attackers sent extortion emails from hundreds of compromised accounts, which leads me to believe that this campaign was in preparation for weeks. If you haven't received the frightful email, you might still be within the detection window to respond.”
Ransomware, Email security
Oracle confirms its E-Business Suite customers received extortion emails

(Credit: dennizn – stock.adobe.com)
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



