Oracle: Unpatched Vulnerabilities Behind E-Business Data Extortion Attacks

Following reports that the cybercriminal group Clop has been extorting E-Business Suite customers, Oracle linked the campaign to vulnerabilities addressed in July.

The data extortion campaign targeting Oracle E-Business Suite customers is connected to vulnerabilities addressed by the company in July, Oracle disclosed.

The disclosure from Oracle follows reports that the cybercriminal group Clop has been extorting E-Business Suite customers over the theft of potentially sensitive data.

[Related: 10 Major Cyberattacks And Data Breaches In 2025 (So Far)]

In a statement posted online Thursday, Oracle Chief Security Officer Rob Duhart said that the company is “aware that some Oracle E-Business Suite (EBS) customers have received extortion emails.”

Oracle’s “ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update,” Duhart said in the statement.

The statement does not provide further details, including whether the theft may have impacted sensitive data or specifics about the vulnerabilities exploited by attackers.

Duhart’s statement also does not mention Clop, which researchers at Google Cloud-owned Mandiant and the Google Threat Intelligence Group have linked to the “high-volume email campaign” targeting Oracle E-Business Suite customers.

The extortion emails have been sent to executives at a number of organizations, “claiming to have stolen sensitive data from their Oracle E-Business Suite,” according to a statement from Mandiant and Google provided to CRN Wednesday.

Mandiant and the Google Threat Intelligence Group are “actively tracking recent activity involving an actor claiming affiliation with the Clop extortion group,” said Charles Carmakal, CTO at Mandiant, in the statement.

The activity is believed to have begun earlier this week—on or before Monday, according to Genevieve Stark, head of cybercrime and information operations intelligence analysis at the Google Threat Intelligence Group.

Meanwhile, a report from BleepingComputer included a statement from Clop claiming involvement in the extortion campaign as well as a screenshot of an extortion email purporting to be from the threat group.

Clop previously claimed responsibility for a series of major data theft attacks, including widely felt attacks targeting MOVEit customers in 2023.

Oracle’s July 2025 Critical Patch Update included patches for nine vulnerabilities affecting E-Business Suite, none of which were rated as critical-severity issues.