Overview
- Oracle says some E‑Business Suite (EBS) customers received extortion emails and that its investigation indicates potential exploitation of vulnerabilities addressed in the July 2025 Critical Patch Update.
- Mandiant and the Google Threat Intelligence Group (GTIG) report a high‑volume email campaign sent from hundreds of compromised third‑party accounts, at least one of which was previously tied to FIN11 activity.
- Contact addresses in the emails match those listed on Cl0p’s data leak site, but investigators say attribution and the scope of any data theft remain unverified.
- Incident responders cited by outlets report seven‑ and eight‑figure demands, including one case at $50 million, along with alleged screenshots or file trees that have not been independently validated.
- Some reporting suggests attackers may have abused compromised user email accounts and default password‑reset flows to obtain EBS credentials. Organizations are urged to apply the July patches, audit access, and review logs.