Published on March 24, 2025

Oracle Cloud Breach May Impact 140,000 Enterprise Customers

Severity

Critical

Detail

On 21 March 2025, researchers at CloudSEK’s XVigil platform detected a threat actor operating under the alias “rose87168” offering 6 million records allegedly exfiltrated from Oracle Cloud’s SSO and LDAP systems. The data on offer reportedly includes JKS (Java KeyStore) files, encrypted single sign-on passwords, key files, and JPS (Java Platform Security) keys used in Oracle’s enterprise management services.

The actor is also soliciting help to decrypt the stolen SSO and LDAP password material and is demanding payment from the more than 140,000 affected tenants to have their data removed from the listing. CloudSEK’s interactions with the actor point to a possible previously unknown vulnerability in Oracle Cloud’s login systems, specifically the login.(region-name).oraclecloud.com endpoints, as the source of the unauthorized access. Although “rose87168” has no known prior history, the tactics shown indicate considerable sophistication. CloudSEK has rated this threat as severe with a high impact level.

How?

The actor claimed to have compromised the subdomain login.us2.oraclecloud.com, which has reportedly been taken offline since the incident. CloudSEK researchers determined that the endpoint was running the Oracle Access Manager (OAM) component of Oracle Fusion Middleware and identified a vulnerability affecting it.

The actor claimed to have exploited a vulnerable version of the Oracle Cloud login servers. The vulnerability in question is a public one, CVE-2021-35587, which Oracle patched in its January 2022 Critical Patch Update and which CISA later added to its Known Exploited Vulnerabilities catalog; the actor’s exact exploitation path has not been independently confirmed. According to CloudSEK, exploitation was likely enabled by inadequate patch management and insecure coding practices, since a server still vulnerable to a three-year-old CVE should not have been reachable in production.

The flaw allows an unauthenticated attacker with network access over HTTP to compromise Oracle Access Manager; successful exploitation can result in a complete takeover of OAM, which is the component that issues SSO sessions and therefore the credential material seen in the leak. The samples the actor shared on BreachForums appear consistent with this attack.

CloudSEK has also verified that the endpoint in question was a legitimate Oracle Cloud production asset, and that some of the domains posted by the threat actor belong to actual Oracle Cloud customers. CloudSEK additionally located an archived public GitHub repository under Oracle’s official organization that corroborates the endpoint’s provenance as Oracle-managed.

Affected Product

The vulnerability impacts Oracle Access Manager (OpenSSO Agent) versions:

  • 11.1.2.3.0
  • 12.2.1.3.0
  • 12.2.1.4.0

Impact

  • Mass Data Exposure
  • Credential Compromise
  • Extortion & Ransom Demands
  • Zero-Day Exploitation
  • Supply Chain Risks

Recommendation

Organizations can check whether they appear in the leaked data at https://exposure.cloudsek.com/oracle.

CloudSEK has also provided some mitigation steps for affected organizations:

  • Rotate Credentials Immediately: Reset all Single Sign-On (SSO), LDAP, and related credentials, and treat any keys held in the exposed JKS files, key files, and JPS keys as compromised and reissue them. The leaked SSO passwords are reported as encrypted rather than plaintext, but the actor is actively seeking help to decrypt them, so rotation should not wait for that to succeed. Enforce robust password policies and Multi-Factor Authentication (MFA) as part of the reset.
  • Conduct Incident Response and Forensics: Review SSO and LDAP authentication activity, particularly from 21 March 2025 onward, to identify any unauthorized access, and contain whatever is found.
  • Monitor Threat Intelligence: Watch dark web platforms and forums for discussions or activity linked to the leaked data.
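The investigation step above is the one most tenants will struggle to make concrete. The following script is an added example (not CloudSEK’s or Oracle’s code) of the two checks an incident responder would run first over SSO audit logs once SSO and LDAP credentials are presumed stolen: successful logins after the disclosure date from a source address the account had never used before, and a single source authenticating as many distinct users. The log format (one JSON object per line with ts, user, src_ip and result fields), the sample events, and the 21 March 2025 cut-off are all assumptions; the events are constructed and do not describe any real tenant.

```python
"""Triage SSO audit events for signs of stolen-credential use.

Added example for this advisory; the JSON-lines log format and the sample
events below are constructed assumptions, not real data.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real data). Timestamps are ISO-8601 UTC.
SAMPLE_LOG = """\
{"ts": "2025-03-10T08:01:00Z", "user": "alice@acme.example", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2025-03-11T08:05:00Z", "user": "alice@acme.example", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2025-03-12T09:00:00Z", "user": "bob@acme.example", "src_ip": "203.0.113.11", "result": "success"}
{"ts": "2025-03-22T02:13:00Z", "user": "alice@acme.example", "src_ip": "198.51.100.7", "result": "success"}
{"ts": "2025-03-22T02:14:00Z", "user": "bob@acme.example", "src_ip": "198.51.100.7", "result": "success"}
{"ts": "2025-03-22T02:15:00Z", "user": "carol@acme.example", "src_ip": "198.51.100.7", "result": "failure"}
{"ts": "2025-03-22T02:16:00Z", "user": "dave@acme.example", "src_ip": "198.51.100.7", "result": "success"}
"""

# Date the listing was detected (from the advisory); used as the baseline cut-off.
BREACH_DISCLOSED = datetime(2025, 3, 21, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON-lines audit events into dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Accept the trailing "Z" form on Python versions whose fromisoformat does not.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def new_source_logins(events, since=BREACH_DISCLOSED):
    """Successful logins on or after `since` from an IP the user never used before it.

    A user with no pre-breach history is flagged too: there is no baseline to
    vouch for the new source, so it still needs a human look.
    """
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < since and e["result"] == "success":
            baseline[e["user"]].add(e["src_ip"])
    hits = []
    for e in events:
        if e["ts"] >= since and e["result"] == "success" and e["src_ip"] not in baseline[e["user"]]:
            hits.append((e["user"], e["src_ip"]))
    return hits


def spraying_sources(events, since=BREACH_DISCLOSED, min_users=3):
    """Source IPs that attempted authentication as at least `min_users` distinct users after `since`.

    Failures count as well: an actor trying decrypted credentials in bulk will
    produce a mix of successes and failures from the same address.
    """
    users_by_ip = defaultdict(set)
    for e in events:
        if e["ts"] >= since:
            users_by_ip[e["src_ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, ip in new_source_logins(evs):
        print(f"new source for {user}: {ip}")
    for ip, users in spraying_sources(evs).items():
        print(f"{ip} authenticated as {len(users)} users: {', '.join(users)}")
```

The new-source check depends on having enough pre-breach history to form a baseline, so run it over at least a few weeks of logs before the cut-off; the spraying threshold should be tuned down for small tenants, where three distinct users from one address is already unusual.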

Source

https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants
https://www.cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis