Ransom demands

6 million data records: Oracle was allegedly hacked

Oracle Cloud
Image source: Jonathan Weiss/Shutterstock.com

The security company CloudSEK reports that an attacker has gained access to Oracle Cloud infrastructure – but Oracle vehemently denies this.

The security firm CloudSEK has uncovered a suspected serious cyberattack on the Oracle Cloud via its XVigil platform. According to the report, six million data records were stolen, which could potentially affect more than 140,000 clients. An attacker identified as “rose87168” is said to be behind the attack and to have stolen sensitive data – including JKS files, encrypted SSO passwords, key files and Enterprise Manager JPS keys. According to media reports, this information is already being offered for sale on breach forums and other darknet marketplaces.


Attacker demands ransom

According to CloudSEK, the attacker has been active since January 2025 and claims to have compromised the login.us2.oraclecloud.com subdomain, which has since been taken offline. A Wayback Machine snapshot dated February 17, 2025 shows that the affected subdomain was running Oracle Fusion Middleware 11G. The perpetrator is demanding ransom payments from the affected clients in exchange for deleting their data.

As reported by Bleeping Computer, the attacker bragged about having placed a text file on the Oracle Cloud login server. The file was archived by the Internet Archive’s Wayback Machine in early March and is presented as proof that the system was compromised. The text file contains nothing more than the email address of the person attempting to sell the allegedly stolen Oracle Cloud data.

Exploiting a known security vulnerability?

CloudSEK’s analysis indicates that the attacker may have compromised a vulnerable software version running on the Oracle Cloud servers. As the probable point of entry, the security experts cite the older vulnerability CVE-2021-35587, which affects Oracle Fusion Middleware (OpenSSO Agent) in versions 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0.


This vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in December 2022. It allows unauthenticated attackers to compromise Oracle Access Manager, potentially leading to a complete takeover, which is consistent with the type of data the attacker published as exfiltrated. An exploit could give attackers initial access and then let them move laterally within the Oracle Cloud environment to reach other systems and data.

CloudSEK’s further investigation found that the Oracle Fusion Middleware server had last been updated on September 27, 2014, indicating badly outdated software.
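The two paragraphs above describe a patch-hygiene failure: an internet-facing Oracle Fusion Middleware host running a release listed as affected by CVE-2021-35587 and last updated in 2014. The Python script below is an added example, not code from the article or from CloudSEK’s report; it shows how a defender could triage an inventory of Oracle Access Manager hosts against the affected versions the article names and against the age of each host’s last patch. The inventory records, hostnames, dates and the one-year staleness threshold are constructed assumptions. Matching a version string only identifies hosts on an affected release; it does not tell you whether the relevant Critical Patch Update was applied, so hits still need confirmation from the patch record.

```python
"""Patch-exposure triage for Oracle Access Manager / Fusion Middleware hosts.

Added example, not from the article or CloudSEK's report. The affected
version list is the one the article cites for CVE-2021-35587; every
inventory record below is constructed sample data with placeholder hostnames.
"""
from datetime import date

# Versions the article names as affected by CVE-2021-35587.
AFFECTED_VERSIONS = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}


def normalize_version(raw: str) -> str:
    """Pad a dotted version to five numeric components so '12.2.1.4' equals '12.2.1.4.0'."""
    parts = raw.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {raw!r}")
    parts += ["0"] * (5 - len(parts))
    return ".".join(parts[:5])


def assess_host(host: dict, today: date, max_patch_age_days: int = 365):
    """Return (severity, reasons) for one host, or None if nothing needs attention."""
    reasons = []
    affected = False
    version_known = True
    try:
        version = normalize_version(host["version"])
        affected = version in AFFECTED_VERSIONS
        if affected:
            reasons.append(f"version {version} is on the CVE-2021-35587 affected list")
    except ValueError as exc:
        # An unparseable version is treated as unknown, never as safe.
        version_known = False
        reasons.append(str(exc))

    last_patched = host.get("last_patched")
    if last_patched is None:
        stale = True
        reasons.append("no patch date recorded")
    else:
        age = (today - last_patched).days
        stale = age > max_patch_age_days
        if stale:
            reasons.append(f"last patched {age} days ago (threshold {max_patch_age_days})")

    exposed = bool(host.get("internet_exposed"))
    if exposed and reasons:
        reasons.append("host is internet-exposed")

    # Severity ladder: affected release on an exposed host is the worst case.
    if affected and exposed:
        severity = "critical"
    elif affected or (stale and exposed):
        severity = "high"
    elif stale or not version_known:
        severity = "medium"
    else:
        return None
    return severity, reasons


def triage(inventory, today, max_patch_age_days=365):
    """Map hostname -> (severity, reasons) for every host that needs attention."""
    results = {}
    for host in inventory:
        finding = assess_host(host, today, max_patch_age_days)
        if finding is not None:
            results[host["host"]] = finding
    return results


# Constructed inventory (placeholder hostnames, not real systems); the 2014
# patch date mirrors the one the article reports for the affected server.
TODAY = date(2025, 3, 24)
SAMPLE_INVENTORY = [
    {"host": "sso-login.example.internal", "version": "11.1.2.3.0",
     "last_patched": date(2014, 9, 27), "internet_exposed": True},
    {"host": "oam-dev.example.internal", "version": "12.2.1.4",
     "last_patched": date(2024, 11, 5), "internet_exposed": False},
    {"host": "oam-current.example.internal", "version": "14.1.2.0.0",
     "last_patched": date(2025, 2, 1), "internet_exposed": True},
    {"host": "oam-legacy.example.internal", "version": "unknown",
     "last_patched": date(2025, 1, 15), "internet_exposed": False},
]

if __name__ == "__main__":
    for name, (sev, why) in sorted(triage(SAMPLE_INVENTORY, TODAY).items()):
        print(f"{sev.upper():8} {name}: {'; '.join(why)}")
```

Running the script lists the internet-facing host on 11.1.2.3.0 with a 2014 patch date as critical, the development host on 12.2.1.4 as high, the host with an unparseable version as medium, and omits the current host entirely. Feeding it a real inventory export in the same shape is the only change needed to use it beyond the sample data.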

“Due to poor patch management practices and/or insecure programming, the vulnerability in Oracle Fusion Middleware was exploited by the attacker. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager,” CloudSEK researchers explained in a blog post.

Oracle firmly rejects allegations

However, Oracle has published a statement denying any attack on its cloud infrastructure: “There was no attack on Oracle Cloud. The published credentials do not belong to Oracle Cloud. No Oracle Cloud customers have experienced an attack or lost data.” This statement directly contradicts both CloudSEK’s findings and the attacker’s claims.
