The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority advisory following reports of unauthorized access to a legacy Oracle Cloud environment.
While Oracle disputes claims of a significant breach, CISA warns that the incident could pose substantial risks to both organizations and individuals, particularly where sensitive credential material may have been exposed or reused across multiple systems.
The alert follows reports from March 21, 2025, of a threat actor operating under the alias “rose87168” who claimed to have exfiltrated approximately 6 million records from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems.
These records reportedly contain sensitive authentication data, including Java KeyStore (JKS) files, encrypted SSO passwords, and Enterprise Manager Java Platform Security (JPS) keys that could affect over 140,000 tenant organizations.
According to investigators, the attacker exploited CVE-2021-35587, a critical vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware that allows unauthenticated attackers with network access via HTTP to gain complete control of the system.
The compromised server reportedly hosted Oracle Fusion Middleware 11g, which, according to security researchers, had not been updated since September 2014.
“The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risk to enterprise environments,” CISA stated in its advisory.
The agency warned that threat actors routinely weaponize such credentials to escalate privileges, move laterally within networks, access cloud systems, conduct phishing campaigns, and sell stolen data on criminal marketplaces.
CrowdStrike and the FBI have investigated the incident, which reportedly involved deploying a web shell and malware on Oracle’s Gen 1 Cloud Classic servers.
Despite Oracle’s official denials of any breach, security researchers have presented additional evidence supporting the compromise claims, noting they “suspect the actor leveraged a zero-day vulnerability or misconfiguration in the OAuth2 authentication process”.
CISA has outlined several mitigation strategies for organizations potentially affected by the breach:
For individual users, CISA recommends immediately updating potentially affected passwords, especially those reused across platforms, implementing strong unique passwords, enabling MFA where available, and remaining vigilant against phishing attempts that may reference login issues or password resets.
“When credential material is embedded, it is difficult to discover and can enable long-term unauthorized access if exposed,” CISA noted, highlighting particular concerns about hardcoded credentials in scripts, applications, and infrastructure templates.
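The embedded-credential problem CISA describes above can be partly addressed by scanning scripts, configuration files and templates before they are deployed. The following is an added example, not code from CISA or Oracle; the detection patterns, the placeholder rules and the sample files are illustrative assumptions, and a real deployment would extend them and feed findings into a rotation workflow.

```python
import re
from typing import Dict, List, Tuple

# Illustrative patterns for credential material embedded in scripts, configs
# and templates (an added example; the patterns are assumptions, not CISA's).
PATTERNS = {
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "keystore_password": re.compile(
        r"(?i)(?:key|trust)StorePassword\s*[:=]\s*['\"]?([^\s'\"]{4,})"),
    "bearer_token": re.compile(
        r"(?i)\bauthorization\s*[:=]\s*['\"]?bearer\s+[A-Za-z0-9._\-]{20,}"),
    "xml_property": re.compile(
        r"(?i)name=['\"][^'\"]*(?:password|secret|passphrase)[^'\"]*['\"]\s+value=['\"]([^'\"]*)['\"]"),
    "password_assignment": re.compile(
        r"(?i)(?:passw(?:or)?d|passphrase|secret)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
}
# Values that are templated or injected at deploy time, not real secrets.
PLACEHOLDER = re.compile(r"(?i)^(\$\{.*\}|<.*>|changeme|x{3,}|\*{3,}|\$\(.*\))$")

def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line, finding_type) for each suspected embedded credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.lastindex else ""
            if value and PLACEHOLDER.match(value.strip()):
                continue  # e.g. "${KEYSTORE_PASS}": resolved from a vault at deploy time
            findings.append((name, line_no, kind))
            break  # one finding per line is enough for triage
    return findings

def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of file name -> contents and merge the findings."""
    return [f for name, text in files.items() for f in scan_text(name, text)]

# Constructed sample files, loosely modelled on a middleware deployment.
SAMPLE_FILES = {
    "deploy.sh": ("export ORACLE_HOME=/opt/oracle\n"
                  "DB_PASSWORD='Winter2014!'\n"
                  "curl -H 'Authorization: Bearer c2FtcGxlLXRva2VuLW5vdC1yZWFs0123' https://example.invalid/\n"),
    "jps-config.xml": ('<property name="keystore.password" value="${KEYSTORE_PASS}"/>\n'
                       '<property name="credential.secret" value="Oracle#2014"/>\n'),
    "wls.properties": "javax.net.ssl.keyStorePassword=s3cr3tK3yst0re\n",
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(key material omitted)\n",
}
```

Running `scan_files(SAMPLE_FILES)` flags the shell password, the bearer token, the literal XML secret, the keystore password and the private key, while the templated `${KEYSTORE_PASS}` value is correctly left alone.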