Critical Patches & Breaches: Oracle EBS, GoAnywhere, Salesforce
Weekly Threat Analysis — Oct 7–14, 2025 (EU/Lisbon)
Source: Trescudo Intelligence • Author: Evangeline Smith, MarCom
Reviewed by: Derick Smith (CEO) & Marçal Santos (CISM, CDPSE)
Last updated: Oct 14, 2025
Executive summary
Oracle E-Business Suite under sustained pressure. After the zero-day exploitation now tracked as CVE-2025-61882, Oracle issued a second emergency patch for CVE-2025-61884 (unauthenticated data exposure) — reinforcing urgency for EBS customers. (Google Cloud)
Salesforce ecosystem extortion continues. The Scattered LAPSUS$ Hunters group leaked data from multiple Salesforce customers after law-enforcement disruption; Qantas confirmed ~5M customer records were posted. Salesforce maintains its core platform wasn’t breached. (BankInfoSecurity)
Healthcare breach disclosures tick up. SimonMed Imaging notified ~1.27M individuals of PHI exposure stemming from a January incident (letters started Oct 10). (The HIPAA Journal)
Critical MFT zero-day actively exploited. GoAnywhere MFT (CVE-2025-10035) shows credible in-the-wild exploitation (Storm-1175/Medusa). Patch or isolate admin consoles immediately. (Microsoft)
Macro picture (UK/EU): The UK NCSC Annual Review 2025 reports 50% more “highly significant” incidents year-on-year; EU ENISA ETL 2025 highlights convergent, state-aligned & criminal tradecraft. (NCSC)
Notable breaches & attacks
1) Oracle E-Business Suite: from 0-day to second emergency patch
What’s new: Following reports that Oracle EBS customers were hit via a 0-day (now CVE-2025-61882), Oracle released Security Alert CVE-2025-61884 (info-disclosure via Configurator Runtime UI, EBS 12.2.3–12.2.14). Apply both mitigations/patches and review exposure. (Google Cloud)
Why it matters: Two emergency fixes in two weeks suggest broader hardening work is needed in many EBS estates. Action: inventory internet-facing endpoints, restrict access (VPN/private), and monitor for exfiltration. (CSO Online)
2) Salesforce customer data extortion — leaks begin
What’s new: After the FBI disrupted infrastructure used by Scattered LAPSUS$ Hunters, the group leaked data from several Salesforce customers; Qantas says ~5M customer records were posted (no payment/passport data per reports). Salesforce reiterates no breach of its core platform. (CSO Online)
Why it matters: This is supply-chain/partner exposure: integrated apps/partners (Salesloft, etc.) become the weak link. Action: rotate OAuth tokens/API keys, review vendor IR SLAs, and stand up phishing comms for impacted audiences. (TechRadar)
3) Healthcare: SimonMed breach notification (~1.27M affected)
What’s new: SimonMed Imaging began sending letters Oct 10 over a January 2025 cyber incident, confirming 1,275,669 individuals impacted (PHI included). (The HIPAA Journal)
Why it matters: Expect targeted fraud (insurance/benefits) and regulatory follow-up. Action: notify payors/partners as needed, enable identity monitoring, and update breach FAQs for patients. (BleepingComputer)
4) Asahi ransomware fallout — financials delayed
What’s new: Asahi Group delayed Q3 results due to the Sept 29 ransomware attack (claimed by Qilin); systems, shipments and accounting were disrupted. (Reuters)
Why it matters: Classic operational impact + disclosure risk; shows how ransomware drives financial reporting delays. Ensure your investor-relations comms are in the IR plan.
5) Public sector: USAF SharePoint exposure probe
What’s new: The U.S. Air Force is investigating a SharePoint permissions incident with potential PII/PHI exposure; some reports noted broad SharePoint/Teams/Power BI restrictions during triage. (TechRadar)
Why it matters: Revisit least-privilege & sharing defaults on collaboration platforms; validate that sensitive libraries require step-up auth. (The Register)
Actively exploited vulnerabilities & platform risk
GoAnywhere MFT — CVE-2025-10035 (CVSS 10).
Evidence of zero-day exploitation predating the vendor advisory; Microsoft attributes activity to Storm-1175 with Medusa deployments observed. Patch to 7.8.4 / 7.6.3 SR, pull the admin console off the public internet, and hunt for SignedObject.getObject. (Microsoft)
Cisco ASA/FTD — ED-25-03 remains in force.
If you still have internet-exposed ASA/FTD, complete patching/forensics per CISA/Cisco guidance and rotate creds. (Tenable®)
Trend outlook: The UK NCSC reports 204 “nationally significant” incidents in the past year (up from 89), and 18 “highly significant” — ~50% increase. ENISA’s ETL points to convergent tools across state-aligned & criminal groups. (NCSC)
Sector lens (EU/UK focus)
Retail & consumer: Salesforce ecosystem leak shows partner sprawl risk. Review token hygiene, third-party MFA/IP allow-listing, and breach comms templates. (TechRadar)
Manufacturing & beverages: Asahi’s delay underlines OT/IT dependencies and financial materiality. Ensure manual runbooks and backup restores are tested for ERP & logistics. (Reuters)
Healthcare: SimonMed’s disclosure cadence is a reminder to validate HIPAA/GDPR notification workflows and update patient-facing FAQs. (The HIPAA Journal)
Public sector: Collaboration platform permission drift is a top risk. Run tenant-wide sharing audits and enforce conditional access for sensitive sites. (Air & Space Forces Magazine)
What to do this week (priority actions)
Oracle EBS: Apply CVE-2025-61884 security alert patches and ensure prior 0-day (61882) mitigations are in place. Restrict public access, enable WAF/monitoring, and hunt for anomalous downloads/exports. (Oracle)
Salesforce ecosystem: Inventory connected apps/partners; rotate OAuth/API keys, tighten scopes, and enable MFA everywhere. Prep customer comms for potential phishing waves. (TechRadar)
GoAnywhere MFT: Patch to 7.8.4 / 7.6.3 SR, remove the admin console from the internet, and search logs for SignedObject.getObject. Conduct a compromise assessment for Storm-1175/Medusa TTPs. (Microsoft)
Boards/Execs (UK/EU): Align with NCSC Annual Review guidance: treat cyber as operational resilience; verify tabletop cadence, supplier IR SLAs, and restore tests. (NCSC)
Methodology
This brief covers developments observed Oct 7–14, 2025 (Europe/Lisbon), prioritizing primary sources (vendor advisories, regulators, reputable outlets). It is not legal advice; confirm actions against your own policies and regulatory duties.
Sources & links
Oracle E-Business Suite: Google Threat Intel (0-day/CVE-2025-61882) (Google Cloud) • Oracle Security Alert CVE-2025-61884 (official) (Oracle) • CSO Online explainer (today) (CSO Online)
Salesforce ecosystem extortion: BankInfoSecurity (leaks post-FBI action) (BankInfoSecurity) • The Guardian (Qantas data leak ~5M) (The Guardian) • TechRadar Pro (campaign context & victims) (TechRadar) • Reuters initial claims (Oct 3) (Reuters)
SimonMed Imaging: HIPAA Journal breach notice (1,275,669) (The HIPAA Journal) • BleepingComputer (news) (BleepingComputer)
Asahi Group: Reuters (financials delayed; Qilin claim) (Reuters)
USAF SharePoint: TechRadar Pro (incident summary) (TechRadar) • Air & Space Forces Magazine (official statements) (Air & Space Forces Magazine)
GoAnywhere MFT: Microsoft Security Blog (Storm-1175/Medusa) (Microsoft) • Fortra investigation update (limited unauthorized activity; patch guidance) (goanywhere.com) • CISA KEV entry (active exploitation) (CISA)
UK macro picture: NCSC Annual Review 2025 (PDF) (NCSC) • NCSC incident stats page (nationally/highly significant) (NCSC) • Reuters recap (business leader warning) (Reuters)
EU macro picture: ENISA ETL 2025 press & report hub (ENISA)