Clop hackers demand $50M in Oracle EBS breach. Oracle confirms unpatched July 2025 flaws are the entry point. Patch now.

Continue reading
A notorious ransomware gang has launched a digital siege on corporate America, and the bullseye is on one of the world's most critical business platforms: Oracle E-Business Suite (EBS).
Forget vague threats—this is a high-stakes, personalized shakedown. The group, widely linked to the infamous Clop ransomware cartel, is sending direct extortion emails to C-level executives, claiming to have already stolen their most sensitive corporate data. The demand? In one confirmed case, a chilling $50 million.
The most alarming part? Oracle has confirmed the attack and directly links it to known security holes that they patched back in July 2025. This means every company that delayed this critical update is now exposed and actively in the crosshairs.
This isn't a sophisticated zero-day mystery. Oracle's Chief Security Officer, Rob Duhart, has publicly stated their investigation points to the "potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update."
The keys to the kingdom were left under the mat, and the burglars are now inside.
The July patch fixed a total of 309 vulnerabilities across Oracle's products. But for EBS users, these nine are your nightmare. Three of them are particularly dangerous because attackers can exploit them without needing a username or password.
| CVE ID | CVSS Score | Component | Remote Exploit? | Why It's Dangerous |
|---|---|---|---|---|
| CVE-2025-30746 | 6.1 | Oracle iStore | YES | Public-facing, no login required for attack. |
| CVE-2025-30745 | 6.1 | MES for Process Manufacturing | YES | Critical supply chain system exposed. |
| CVE-2025-50107 | 6.1 | Universal Work Queue |
Hacker's Playbook is Simple:
The emails are designed to trigger panic in the boardroom. They don't sound like a typical spammer; they sound like a ruthless business partner.
Security firm Mandiant has confirmed the infrastructure and email addresses used in this campaign are directly tied to the FIN11 group, a known affiliate of Clop, famous for its massive attacks on file-transfer tools like MOVEit.
If your company runs Oracle EBS, this is not a drill. Your action plan is straightforward but non-negotiable.
For thousands of organizations, applying a patch from three months ago is the only thing standing between them and a multi-million dollar shakedown. The time for action was yesterday. The next best time is right now.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.
| Core operational dashboard is vulnerable. |
| CVE-2025-30743 | 8.1 | Lease and Finance Management | No | High-severity flaw in financial data. |
| CVE-2025-30744 | 8.1 | Mobile Field Service | No | High-severity flaw in mobile operations. |