Wednesday, June 24, 2026

Oracle EBS Attacks: Is this the Most Sophisticated Extortion?

Threat actors breached the financial systems of dozens of large firms by exploiting a previously unknown security flaw in Oracle's widely used E-Business Suite (EBS). The attacks probably started months ago and used a highly sophisticated approach, 'fileless' malware, to pull large volumes of sensitive data from compromised databases before demanding ransom from the targeted companies. In this article, we explain the Oracle EBS attacks that recently left netizens shocked and concerned.

The Zero-Day and Scope of Oracle EBS Attacks

The attacks were first noticed by Google Threat Intelligence Group (GTIG) and Mandiant after industry leaders running Oracle EBS, essentially a tool for managing the finances of large companies, started receiving extortion emails. The main issue lay in a highly critical security flaw that Oracle had not yet fixed, CVE-2025-61882. This type of vulnerability is called a 'zero-day' because it is exploited before a patch exists; in this case it enabled hackers to run unauthorized code on a target's infrastructure without a password.

Security researchers revealed that the campaign successfully impacted many firms and allowed the intruders to steal a large amount of data. The scale and sophistication of the operation immediately pointed to a well-resourced attacker. It has been confirmed that Cl0p was involved in the attacks and succeeded in stealing data from EBS systems starting in August.

At first, Oracle stated that the attacks might involve vulnerabilities it had already patched in July. However, on October 4, the tech giant confirmed that a zero-day flaw had been exploited.


A ‘Fileless’ Malware

To make the Oracle EBS attacks possible, the threat actors used sophisticated, multi-stage malware designed mainly to evade detection. Instead of installing conventional software files, the intruders planted a malicious template inside the compromised Oracle EBS databases.

According to researchers, two main families of these tools, described as 'fileless' malware, were used in the Oracle EBS attacks. They live in memory or within the database structure, making them difficult for standard security software to identify. GoldVein.Java was a downloader used to retrieve a second-stage payload.

The second family was a more complex, multi-layered chain of Java programs:

  • SageGift began the process.
  • SageLeaf followed, sowing the seeds.
  • SageWave was the final deployment tool that allowed the hackers to access and steal data.

Extortion and Financial Operation

The final goal of the Oracle EBS attacks was financial. After stealing the data, the intruders sent extortion emails directly to company executives, demanding money in exchange for keeping the data private. The emails invoked the name of the notorious ransomware group Cl0p, a tactic often used to increase fear and compliance.

Nevertheless, forensic analysis by Mandiant and GTIG revealed that the digital fingerprints belong to a different but equally harmful group: the Oracle EBS attacks point to a collective known as FIN11. This group is now renowned for large-scale data theft, and the approaches and techniques used in this attack strongly resemble the group's past operations. Historically, FIN11 targets widely used corporate software with zero-day flaws to maximize its number of victims.

Exploitation Started Earlier

One of the most concerning facts revealed by the reports is the timeline of the Oracle EBS attacks. The attacks were publicly announced in early October, but exploitation of the zero-day flaw began back in July 2025.

This timeline matters because exploitation began just before Oracle released its scheduled July security patches, which addressed other issues. It suggests the intruders were either testing their extortion campaign or actively targeting systems for two months before security experts identified the vulnerability, which is how the cybercriminals stayed undetected from the start. The full extent and impact of the Oracle EBS attacks are still unknown.


Was the Proof-of-Concept (PoC) Real?

Indicators of Compromise (IoCs) published by Oracle showed that the leaked proof-of-concept was genuine, which was later confirmed by an analysis of the PoC carried out by the security company watchTowr.

The exploit chain shows a high level of effort and expertise, with at least five different bugs chained together to achieve remote code execution. The cybersecurity industry expects other hackers to add CVE-2025-61882 to their arsenal, and there are still plenty of exposed targets.

As reported, Censys observed more than 2,000 internet-exposed Oracle EBS instances, and the Shadowserver Foundation has found more than 570 vulnerable instances. Both Censys and Shadowserver saw the largest numbers in the US and China.

A recent report broke the overall sequence of events down as follows:

  • A crafted XML payload sent by HTTP POST to /OA_HTML/configurator/UiServlet causes the backend server to issue arbitrary HTTP requests, a Server-Side Request Forgery (SSRF).
  • A carriage return/line feed (CRLF) injection is used to add arbitrary headers to the HTTP request issued through this pre-authenticated SSRF.
  • That capability is used to relay requests to the internet-exposed Oracle EBS application itself and inject a malicious XSLT template.
  • The Oracle EBS attacks exploit the fact that a JSP file will load an untrusted stylesheet from a remote URL. This, unfortunately, opens the door for the threat actors to achieve arbitrary code execution.

The company stated that this combination lets an attacker control request framing through the SSRF and then reuse the same TCP connection to chain further requests, which increases reliability and reduces noise.

Cl0p has been exploiting vulnerabilities in Oracle EBS since July-August and has successfully stolen huge amounts of data from multiple victims. Evidently, the company believes Cl0p is involved, and it expects full-scale, indiscriminate exploitation by other groups within days. If you run Oracle EBS, this is the time to act: patch immediately, hunt aggressively, and strengthen controls quickly.

Google recommended that Oracle EBS users apply the emergency patches immediately, hunt for malicious templates in the database, limit outbound internet access, monitor and analyse network logs, and use memory forensics. The company also published a list of indicators of compromise.
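As an added example (not code from the article, Oracle, Google or watchTowr), the following Python heuristic applies the "analyse network logs" advice to the request chain described above: it flags POSTs from outside the network to the configurator UiServlet endpoint named in the chain, and CR/LF sequences in request paths that could indicate header injection. The log lines are constructed for the example, and the trusted internal address range is an assumption.

```python
import ipaddress
import re

# Apache/Tomcat combined-log-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TARGET_PATH = "/OA_HTML/configurator/UiServlet"  # endpoint named in the exploit chain
# Heuristic: URL-encoded or literal CR/LF in a request path hints at header injection.
CRLF_RE = re.compile(r"%0[dD]%0[aA]|%0[aA]|[\r\n]")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed trusted admin range; adjust to your network


def _is_internal(client: str) -> bool:
    try:
        return ipaddress.ip_address(client) in INTERNAL
    except ValueError:  # hostname or malformed address: treat as untrusted
        return False


def flag_line(line: str) -> list:
    """Return the findings for one access-log line (empty list if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    path = m["path"].split("?", 1)[0]
    if m["method"] == "POST" and path.lower() == TARGET_PATH.lower() and not _is_internal(m["client"]):
        findings.append("external POST to configurator UiServlet")
    if CRLF_RE.search(m["path"]):
        findings.append("CR/LF sequence in request path")
    return findings


def scan(lines: list) -> list:
    """Run flag_line over many lines and keep only the hits, with client and path for triage."""
    hits = []
    for line in lines:
        findings = flag_line(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append({"client": m["client"], "path": m["path"], "findings": findings})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:03:14:07 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512',
    '10.20.30.40 - - [10/Oct/2025:03:15:00 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2025:03:16:22 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2025:03:17:41 +0000] "GET /OA_HTML/help?topic=x%0d%0aX-Injected:%201 HTTP/1.1" 404 120',
]
```

Hits from `scan(SAMPLE_LOG)` are a starting point for triage, not proof of compromise; an external POST to the servlet by a legitimate integration should be baselined out.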

Priyanka Shaw
I’m a Content writer with 5+ years of experience across various genres, including technology, healthcare, finance, education, retail & shopping, and other miscellaneous topics. I’m a firm believer that quality and precise knowledge are more important than incomplete knowledge. Holding a Master’s degree in English, I have hands-on experience in publishing articles, reviewed and supported by facts and authentic data.