Critical Security Breach Discovered in Oracle Cloud Infrastructure Exposing Millions of User Records

CyberSecureFox Editorial Team


A serious security breach appears to have hit Oracle's cloud infrastructure, potentially exposing sensitive records belonging to more than 6 million users. Oracle has officially denied any compromise, but mounting evidence points to a broad compromise of the company's federated SSO servers, raising serious questions about the integrity of its cloud identity layer.

Breach Details and Attack Vector Analysis

The incident came to light when a threat actor operating under the alias “rose87168” advertised stolen Oracle Cloud data on BreachForums. The data on offer reportedly includes encrypted SSO passwords, Java KeyStore (JKS) files, and enterprise management keys. As proof, the attacker published samples of the data, including database text files, LDAP records, and a list of more than 140,000 corporate domains said to be affected.

Technical Investigation Reveals Critical Vulnerability Exploitation

Security researchers at CloudSEK found that the compromised server (login.us2.oraclecloud.com) was running an outdated Oracle Fusion Middleware 11g build. That version is vulnerable to CVE-2021-35587, a critical flaw (CVSS 9.8) in the OpenSSO Agent component of Oracle Access Manager that lets an unauthenticated attacker with HTTP access take over the OAM instance; the vulnerability has been listed in CISA's Known Exploited Vulnerabilities catalog since 2022. An identity server exposed to the internet for years without a fix for a known-exploited flaw illustrates why current patch levels and regular updates matter most on authentication infrastructure.

Independent Verification and Impact Assessment

Several affected organizations have anonymously confirmed to BleepingComputer that the leaked data is genuine. The verification covered LDAP records, user credentials, and email addresses belonging to their staff. The attacker's ability to write a file directly onto the affected Oracle Cloud server is further evidence that the access was real rather than a repackaging of older data.

Who Is Affected?

Any organization using Oracle Cloud Infrastructure (OCI) services with federated identity management via Oracle Access Manager or Oracle Fusion Middleware is potentially impacted. The exposure of 140,000+ corporate domains suggests this is not a targeted attack but a broad infrastructure compromise. Particularly at risk are enterprises that:

  • Use Oracle Cloud SSO for employee authentication to internal systems
  • Store Java Keystore files or enterprise management credentials in Oracle Cloud environments
  • Have not rotated credentials or reviewed access logs since early 2025
  • Run Oracle Fusion Middleware 11g without applying patches released after 2021
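A practical first check for the exposure described above is whether any of your own domains appear in the published list of affected tenant domains. The following script is an added example written for this article, not code from the article, from Oracle, or from the researchers; the leaked list and the owned zones in it are constructed placeholders, and the real list would be read from a file. It matches on DNS label boundaries, so a leaked entry such as sso.corp.example.com is attributed to an owned zone example.com, while notexample.com is not.

```python
"""Check whether any owned DNS zones appear in a leaked domain list.

Added example for this article. The leaked list and owned zones below are
constructed sample data, not the real leak.
"""
from typing import Iterable


def normalise(domain: str) -> str:
    """Lower-case, strip whitespace, a trailing dot and a leading wildcard."""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("*."):
        d = d[2:]
    return d


def is_within(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of zone (label boundary)."""
    return name == zone or name.endswith("." + zone)


def find_exposed(owned: Iterable[str], leaked: Iterable[str]) -> dict[str, list[str]]:
    """Map each owned zone to the leaked entries that fall under it.

    Zones with no matching entries are omitted from the result.
    """
    zones = [normalise(z) for z in owned if z.strip()]
    hits: dict[str, list[str]] = {z: [] for z in zones}
    for raw in leaked:
        entry = normalise(raw)
        if not entry or entry.startswith("#"):
            continue  # skip blank lines and comments
        for zone in zones:
            if is_within(entry, zone):
                hits[zone].append(entry)
    return {z: sorted(set(v)) for z, v in hits.items() if v}


# Constructed sample data (not the attacker's real list).
LEAKED_SAMPLE = """
# tenant domains
SSO.corp.example.com
example.com.
*.notexample.com
acme-widgets.co.uk
bank.example.org
"""

OWNED_ZONES = ["example.com", "acme-widgets.co.uk", "example.net"]

if __name__ == "__main__":
    for zone, entries in find_exposed(OWNED_ZONES, LEAKED_SAMPLE.splitlines()).items():
        print(f"{zone}: {', '.join(entries)}")
```

In practice replace LEAKED_SAMPLE with the published list and OWNED_ZONES with every zone your organization registers, including acquired brands and regional domains, since a federated tenant may have been set up under any of them.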

What Organizations Should Do Immediately

  • Rotate all SSO credentials and LDAP passwords used in Oracle Cloud environments, and replace the keys and certificates held in any Java KeyStore files rather than only changing the keystore password: a copied JKS file can be attacked offline, so every key inside it must be treated as exposed
  • Apply Oracle's Critical Patch Update containing the fix for CVE-2021-35587 (Oracle Access Manager, OpenSSO Agent component) to every Fusion Middleware host, or take unpatched 11g instances offline
  • Audit Oracle Cloud and Access Manager logs for suspicious activity between January and March 2025, paying particular attention to requests that created or modified files on the servers
  • Enforce multi-factor authentication on all Oracle Cloud management consoles and SSO endpoints
  • Conduct a comprehensive security audit of all cloud-based assets and revoke any unnecessary service account privileges
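The log audit step above is the one most teams struggle to make concrete. The script below is an added example, not code from the article or from Oracle: it triages HTTP access-log lines in Common Log Format, the format written by Oracle HTTP Server and WebLogic, and flags write requests (PUT, POST and similar) inside the January to March 2025 window that did not go to an expected login endpoint. The sample log lines, the file path in them and the allow-list of expected POST targets are constructed assumptions; the allow-list in particular must be built from your own deployment's known endpoints.

```python
"""Triage an HTTP access log for unexpected write requests.

Added example for this article. Parses Common Log Format lines (as written
by Oracle HTTP Server / WebLogic) and flags write-method requests inside the
audit window whose path is not a known login endpoint. The sample lines and
the allow-list are constructed assumptions, not real data.
"""
import re
from collections import Counter
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE", "MKCOL", "MOVE", "COPY"}
# Assumed allow-list of paths that legitimately receive POSTs on an Oracle
# Access Manager login host. Extend it from your own deployment's logs.
EXPECTED_POST_PATHS = {"/oam/server/auth_cred_submit", "/oam/server/logout"}
# Audit window from the article; widen it if your retention allows.
WINDOW_START = datetime(2025, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 4, 1, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for a CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_suspicious(rec):
    """A write method, inside the window, to a path that is not an expected
    login endpoint: the kind of request that could have created a file."""
    if not (WINDOW_START <= rec["ts"] < WINDOW_END):
        return False
    if rec["method"] not in WRITE_METHODS:
        return False
    path = rec["path"].split("?", 1)[0]  # ignore the query string
    return path not in EXPECTED_POST_PATHS


def triage(lines):
    """Return the parsed records that look like unexpected writes."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            findings.append(rec)
    return findings


def by_source(findings):
    """Count suspicious requests per client address."""
    return Counter(rec["ip"] for rec in findings)


# Constructed sample log (RFC 5737 test addresses, fictional file path).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2025:03:21:07 +0000] "POST /oam/server/auth_cred_submit HTTP/1.1" 302 0
203.0.113.7 - - [12/Feb/2025:03:21:09 +0000] "GET /oam/server/obrareq.cgi?encquery=abc HTTP/1.1" 200 1412
198.51.100.23 - - [12/Feb/2025:03:25:41 +0000] "PUT /oam/server/proof.txt HTTP/1.1" 201 0
198.51.100.23 - - [12/Feb/2025:03:25:45 +0000] "GET /oam/server/proof.txt HTTP/1.1" 200 39
198.51.100.23 - - [14/Nov/2024:11:02:13 +0000] "PUT /oam/server/old.txt HTTP/1.1" 201 0
garbage line that does not parse
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(rec["ts"].isoformat(), rec["ip"], rec["method"], rec["path"], rec["status"])
    print(dict(by_source(hits)))
```

Note that the November 2024 PUT in the sample is deliberately left outside the window and therefore not reported: the attacker's access may predate the publication date, so run the same triage over the longest retention you have, and treat any write to a path you cannot explain as grounds for a forensic image of that host before it is patched or rebuilt.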

While Oracle continues to deny the breach, the security community is calling for transparency and a prompt incident response. Organizations that rely on Oracle Cloud should treat this incident as the trigger for immediate credential rotation and an access review, without waiting for vendor confirmation.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
