# Full Report
The Cybersecurity and Infrastructure Security Agency on Wednesday said that while the scope of the reported Oracle issue remains unconfirmed, it "presents potential risk to organizations and individuals."
# Analysis Summary
# Vulnerability: Oracle Legacy Server Credential Theft and Exposure
## CVE Details
- CVE ID: N/A (This is reported as a data breach/incident involving compromised **legacy** systems, not a single, publicly tracked CVE for a specific software flaw.)
- CVSS Score: N/A (Severity is high based on impact, but no standardized CVSS score available for this specific incident summary.)
- CWE: N/A (Likely related to insecure configuration or end-of-life system management, but not explicitly stated as a single CWE.)
## Affected Systems
- Products: Oracle systems handling customer data, specifically mentioned:
  - Legacy Oracle servers (external to OCI)
  - Oracle Cloud Infrastructure (OCI) related Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems (affected via credential leakage)
- Versions: Obsolete/Legacy servers. Specific version numbers are not provided.
- Configurations: Systems that held client credentials, usernames, emails, passwords, authentication tokens, and encryption keys.
## Vulnerability Description
Hackers accessed and exfiltrated usernames, encrypted passwords, key files, and other sensitive information from two obsolete Oracle servers that Oracle explicitly stated were *not* part of Oracle Cloud Infrastructure (OCI). Despite Oracle's statements, security firms confirmed that the stolen data, estimated at 6 million records affecting over 140,000 tenants, contains credentials potentially linked to Oracle Cloud's SSO and LDAP systems. The compromise therefore amounts to the exposure of critical credential material.
## Exploitation
- Status: Exploited in the wild (Data stolen and offered for sale by threat actor "rose87168").
- Complexity: Low (Threat actor successfully exfiltrated credentials; decryption efforts are ongoing).
- Attack Vector: Likely Network (Access to legacy, potentially internet-facing servers).
## Impact
- Confidentiality: High (Usernames, encrypted passwords, key files, and authentication tokens stolen).
- Integrity: Medium (Potential for privilege escalation and lateral movement within victim environments using the stolen credentials).
- Availability: Low (Primary impact is data exposure, not system downtime).
## Remediation
### Patches
- No specific patch information is provided as the root cause appears to be the compromise of **obsolete/legacy** infrastructure, requiring remediation through system decommissioning or migration.
### Workarounds
- **Reset all passwords** for any affected services (those using credentials potentially compromised in the breach).
- Review source code for embedded (hard-coded) credentials that may have been exposed.
- Monitor authentication logs for anomalous activity.
- Immediately report any related incidents to relevant authorities.
## Detection
- Indicators of Compromise: Presence of login attempts using compromised usernames/passwords from unusual locations or involving authentication tokens/keys mentioned in the breach.
- Detection Methods and Tools: Monitoring authentication logs for high volumes of failed or successful anomalous login attempts against SSO/LDAP systems. Analysis of network traffic for known threat actor command-and-control communication (if applicable).
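As an added example (not from the CISA alert or the original report), the script below applies the two detection ideas above to constructed SSO/LDAP authentication log lines: a burst of failed logins for one account from one source, and a successful login for a watchlisted account from a country outside its baseline. The log format, the watchlist and the per-account baseline are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample SSO/LDAP authentication log lines (not real data).
SAMPLE_LOG = """\
2025-04-17T03:12:40Z sso user=alice@example.test src=198.51.100.4 geo=US result=OK
2025-04-17T03:12:44Z sso user=bob@example.test src=203.0.113.7 geo=RO result=FAIL
2025-04-17T03:12:45Z sso user=bob@example.test src=203.0.113.7 geo=RO result=FAIL
2025-04-17T03:12:46Z sso user=bob@example.test src=203.0.113.7 geo=RO result=FAIL
2025-04-17T03:12:47Z ldap user=bob@example.test src=203.0.113.7 geo=RO result=OK
2025-04-17T03:13:02Z ldap user=carol@example.test src=198.51.100.9 geo=US result=OK
"""

# Hypothetical watchlist: accounts whose credentials appeared in the breach dump.
WATCHLIST = {"bob@example.test", "carol@example.test"}
# Hypothetical baseline: countries each account normally authenticates from.
BASELINE_GEO = {"alice@example.test": {"US"}, "bob@example.test": {"US"}, "carol@example.test": {"US"}}
FAIL_THRESHOLD = 3  # failures from one source before an alert fires

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>sso|ldap) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<res>OK|FAIL)$"
)

def parse(log_text):
    """Parse the assumed log format into a list of event dicts; skip malformed lines."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in log_text.splitlines()) if m]

def detect(events, watchlist=WATCHLIST, baseline=BASELINE_GEO, fail_threshold=FAIL_THRESHOLD):
    """Return (rule, user) findings in log order."""
    findings = []
    fails = defaultdict(int)  # (user, src) -> failed attempts seen so far
    for e in events:
        user, src, geo = e["user"], e["src"], e["geo"]
        if e["res"] == "FAIL":
            fails[(user, src)] += 1
            if fails[(user, src)] == fail_threshold:  # fire once per burst
                findings.append(("burst_failures", user))
        elif user in watchlist and geo not in baseline.get(user, set()):
            # Success for a breached account from a country it never used before.
            findings.append(("watchlist_success_new_geo", user))
    return findings

if __name__ == "__main__":
    for rule, user in detect(parse(SAMPLE_LOG)):
        print(f"{rule}: {user}")
```

Feed real SSO/LDAP logs through `parse` by adjusting `LINE_RE` to the actual format, and seed the watchlist from the accounts your reset campaign covers.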
## References
- CISA Alert regarding credential risks associated with potential legacy Oracle Cloud compromise: https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-releases-guidance-credential-risks-associated-potential-legacy-oracle-cloud-compromise
- Vendor communications regarding the incident (private customer emails).
- Third-party analysis from CloudSEK and CybelAngel regarding 6 million records for sale.