On March 21, 2025, CloudSEK reported that a threat actor using the alias "rose87168" is claiming to have exfiltrated over 6 million records from Oracle Cloud’s SSO and LDAP systems. According to CloudSEK’s assessment, the leaked data includes sensitive authentication materials such as JKS files, encrypted passwords, and key files. The actor is reportedly offering the data for sale and urging affected organizations to pay for its removal. These claims, if verified, could implicate over 140,000 Oracle Cloud tenants, but at the time of writing, Oracle has denied any breach, claiming that the published credentials are not for Oracle Cloud. As of March 23, 2025, actual impact isn't clear.
CloudSEK’s analysis suggests the attacker may have exploited an undisclosed vulnerability in an Oracle Cloud login endpoint (login.region-name.oraclecloud.com). One potential vector is CVE-2021-35587, a known critical vulnerability in Oracle Access Manager (OpenSSO Agent) associated with Oracle Fusion Middleware. The affected endpoint (login.us2.oraclecloud.com) was reportedly last updated in 2014 and may have been running legacy middleware versions.
While the attacker’s claims have not been independently verified, CloudSEK's findings indicate that the accessed data includes JPS keys, key stores, and encrypted credentials. A text file allegedly uploaded by the threat actor and subsequent darknet activity point to possible exploitation of outdated systems. There is currently no public proof of concept or confirmed exploit path, and Oracle has denied the occurrence of any security incident related to this claim.