April 1, 2025

Oracle Faces Backlash Over Cybersecurity Failures

Oracle faces escalating scrutiny over two major security incidents, with evidence contradicting the company’s denials and raising questions about its transparency and vulnerability management practices.

In the first incident, Oracle’s healthcare subsidiary, formed after the company’s $28 billion acquisition of Cerner in 2022, notified clients in March 2025 about a breach involving legacy servers containing patient data. Hackers used compromised customer credentials to access systems between January 22 and February 20, 2025, exfiltrating data to a remote server.

“We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,” a notification to affected healthcare providers stated.

While Oracle claims the breach may have included patient information, internal sources confirm sensitive data was stolen, including electronic health records (EHRs). The company has shifted responsibility to clients, advising them to determine whether the breach triggers HIPAA notification requirements and offering templates for patient alerts.

A separate incident involving Oracle Cloud’s authentication systems has drawn criticism after threat actor “rose87168” claimed to have stolen 6 million records, including encrypted SSO passwords, LDAP credentials, and security certificates. The attacker allegedly exploited CVE-2021-35587, a vulnerability patched in 2022 but left unaddressed on Oracle’s SSO servers.

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” said a spokesperson from Oracle.

However, cybersecurity researchers and affected clients dispute this. CloudSEK confirmed the stolen data’s legitimacy, while Hudson Rock’s Alon Gal verified samples with Oracle customers.

The breaches show systemic issues in Oracle’s patch management and communication. CVE-2021-35587, a known vulnerability in Oracle Access Manager, was exploited via the login endpoint login.us2.oraclecloud.com, which remained unpatched despite being flagged in 2021.

Researchers suspect the attacker leveraged either a zero-day flaw or a misconfiguration in OAuth2 authentication.

The incidents have eroded trust, with experts urging Oracle to adopt clearer disclosure protocols. While the company maintains its systems are secure, independent analyses and customer confirmations suggest otherwise.