Oracle has advised customers that hackers may be exploiting vulnerabilities in unpatched instances of its E-Business Suite (EBS).

This follows a warning by the Google Threat Intelligence Group (GTIG) that an individual or group of hackers was sending extortion emails to executives at several companies, claiming to have stolen sensitive data from Oracle’s EBS.

Oracle is aware that some Oracle EBS customers have received extortion emails, Rob Duhart, Oracle Security’s CSO, confirmed in a statement published October 2.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update,” said Duhart, urging customers to apply the patches.

Nine Oracle E-Business Suite Flaws to Patch Now

Oracle’s July 2025 Critical Patch Update was a major security advisory in which the business software provider released patches for 309 vulnerabilities across its product range.

These included nine flaws affecting its E-Business Suite. Three are critical and three others are exploitable remotely without authentication.

Here is the full list, from most to least severe:

  • CVE-2025-30743 (CVSS: 8.1): vulnerability in Oracle Lease and Finance Management, not remotely exploitable without authentication
  • CVE-2025-30744 (CVSS: 8.1): vulnerability in Oracle Mobile Field Service, not remotely exploitable without authentication
  • CVE-2025-50105 (CVSS: 8.1): vulnerability in Oracle Universal Work Queue, not remotely exploitable without authentication
  • CVE-2025-50071 (CVSS: 6.4): vulnerability in Oracle Applications Framework, not remotely exploitable without authentication
  • CVE-2025-30746 (CVSS: 6.1): vulnerability in Oracle iStore, remotely exploitable without authentication
  • CVE-2025-30745 (CVSS: 6.1): vulnerability in Oracle MES for Process Manufacturing, remotely exploitable without authentication
  • CVE-2025-50107 (CVSS: 6.1): vulnerability in Oracle Universal Work Queue, remotely exploitable without authentication
  • CVE-2025-30739 (CVSS: 5.5): vulnerability in Oracle CRM Technical Foundation, not remotely exploitable without authentication
  • CVE-2025-50090 (CVSS: 5.4): vulnerability in Oracle Applications Framework, not remotely exploitable without authentication

Google Probes Large-Scale Email Extortion Campaign

Researchers from Mandiant and GTIG contacted Infosecurity on October 2, saying they were investigating a large-scale email campaign linked to hundreds of compromised accounts. 

Charles Carmakal, CTO of Mandiant at Google Cloud, noted that the campaign appears to be high-volume, with preliminary analysis tying at least one of the accounts to FIN11, a financially motivated threat group known for ransomware attacks and extortion schemes. 

While the investigation is ongoing, the evidence so far suggests the attackers may be leveraging established cybercriminal infrastructure.

The malicious emails include contact details that match addresses listed on the Clop ransomware group’s data leak site (DLS), hinting at a possible connection to the notorious gang. 

However, Carmakal cautioned that this does not confirm Clop’s direct involvement, only that the attackers are exploiting the group’s reputation to amplify pressure on victims. 

Such tactics are common in financially driven cybercrime, where threat actors often impersonate or mimic well-known ransomware brands to enhance credibility and coercion.

Given the complexities of attribution in cybercrime, Carmakal emphasized that the campaign could be the work of copycats rather than Clop itself. 

He advised affected organizations to proactively investigate their systems for signs of compromise, as the use of Clop’s branding may be a deliberate strategy to maximize intimidation. 
