March 21, 2025

Oracle Cloud SSO, LDAP Records Dumped, 140k+ Tenants Affected

Advisory


Kudelski Security Team

On March 21, security threat intel vendor CloudSEK published a report on a forum post, made the previous day, in which a threat actor claimed to have exfiltrated around 6 million records from Oracle Cloud SSO and LDAP. Included in the dumped data are JKS (Java Keystore) files, encrypted SSO passwords, key files, and enterprise manager JPS keys. CloudSEK’s communication with the threat actor suggests a possible undisclosed vulnerability affecting Oracle Cloud login infrastructure.

Technical Details

  • Included in the roughly 6 million lines of dumped data are
    • JKS files
    • encrypted SSO passwords
    • hashed LDAP passwords
    • key files
    • enterprise manager JPS keys
  • Going by “rose87168”, the actor is selling these dumped records as well as offering a portion of the data in return for help decrypting SSO passwords and/or cracking LDAP passwords.
  • Over 140,000 tenants are affected.
  • The threat actor is coercing affected organizations to “pay a specific amount to remove their employees’ information from the list before it’s sold.”

While it is currently unknown whether a vulnerability was exploited, this appears to have been the case. According to CloudSEK:

“it can be ascertained with medium confidence that the threat actor used an undisclosed vulnerability on Oracle WebLogic servers used for hosting the login pages for oraclecloud.com. By exploiting login endpoints for all regions, the threat actor was subsequently able to dump data pertaining to the underlying tenants.”

Mitigation

Affected organizations should change all SSO, LDAP, and associated credentials. Ensure passwords are strong and MFA is enforced. Additionally, report the issue to Oracle for verification of a possible zero-day and seek further mitigation.

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation and will send an advisory update if needed. If this breach is found to have been caused by a yet-undisclosed vulnerability, clients subscribed to our vulnerability scan services will receive relevant results, as soon as the scan provider makes a relevant plugin available, if critical vulnerabilities are found within the scope of the scans.
