Possibly the biggest supply chain breach of 2025 involved over 140,000 compromised Oracle cloud tenants, which exposed more than 6 million records, with attackers maintaining access for months before discovery. The Oracle Cloud breach is one of the largest incidents against a major cloud provider ever, which explains why the company was reluctant to admit that it even happened.
The attack originated from an unmonitored, legacy Oracle Access Manager (OAM) server that was vulnerable to CVE-2021-35587, a flaw in the authentication component that allowed remote attackers to bypass access controls and gain unauthorized entry.
The fact that this vulnerable server setup was allowed to remain active in one of the world’s largest cloud providers shows that security has become too reliant on reactive modes of defense. For that reason, Gartner is urging organizations to adopt Continuous Threat Exposure Management (CTEM), a proactive framework designed to continuously identify, assess, and remediate exposures before attackers can exploit them.
Here is how CTEM might have prevented the Oracle Cloud breach and saved thousands of companies from dealing with costly remediation bills and long-term reputational damage.
The value of continuous threat discovery
The vulnerability associated with the attack (CVE-2021-35587) was publicly disclosed in 2021. It has a published CVSS score, detailed exploit information, and detection signatures. Despite that, the vulnerable OAM server may have remained undetected for up to four years.
Most commercial vulnerability scanners, such as Qualys, Nessus, or Rapid7, include plugins to identify unpatched OAM instances exposed to the internet, and would have easily flagged the server as both outdated and critically vulnerable if it had been within the scope of regular scanning.
The problem is that many organizations still rely on traditional vulnerability management, which runs scheduled scans only against “known” assets. By contrast, CTEM emphasizes continuous exposure discovery across the entire attack surface, including shadow IT, legacy systems, and forgotten servers.
With that approach, organizations can flag vulnerable assets in real time and implement security measures before attackers ever find out about them.
Prioritizing vulnerabilities by business impact
After gaining an initial foothold in the OAM server, attackers were able to pivot into Oracle’s identity infrastructure, targeting critical systems like SSO and LDAP. That’s why the consequences of the breach were so severe.
Even if attackers exploit a legacy server, they should never be able to move laterally across the environment, especially not into high-value identity systems.
In a CTEM program, exposures tied to identity infrastructure are always classified as “crown jewel” assets. Ensuring the security of such systems is given priority due to the higher potential for business impact if they are compromised.
At a minimum, segmentation should be in place to separate identity systems from general traffic, along with continuous monitoring to detect abnormal authentication activity.
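The two CTEM steps described above, discovery that reaches beyond the scheduled scan scope and prioritization by business impact, can be reduced to a small triage routine. The example below is added here for illustration and is not code from the article or from any CTEM product; the inventory, hostnames, scan dates and network zones are constructed placeholders (only CVE-2021-35587 comes from the article), and the scoring weights are assumptions a real program would tune. It also flags identity-tier hosts that are reachable from the general network zone, which is the minimum segmentation rule the text calls for.

```python
"""CTEM-style triage over a constructed asset inventory (illustrative, not Oracle data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed "known exploited" set; the article names only this CVE.
KNOWN_EXPLOITED = {"CVE-2021-35587"}

# Assumed weights: identity systems are the "crown jewels", so they dominate the score.
TIER_WEIGHT = {"identity": 40, "app": 15, "general": 5}
STALE_SCAN_DAYS = 30


@dataclass
class Asset:
    host: str
    tier: str                          # "identity", "app" or "general"
    internet_exposed: bool
    last_scanned: Optional[date]       # None = never inside the scan scope
    cves: list = field(default_factory=list)
    reachable_from: set = field(default_factory=set)  # zones with a network path to this host


def discovery_gaps(discovered, scan_scope):
    """Hosts found by continuous discovery that no scheduled scan ever covers."""
    return sorted(a.host for a in discovered if a.host not in scan_scope)


def exposure_score(a, today):
    """Business-impact score: tier first, then exposure, known-exploited CVEs and scan freshness."""
    score = TIER_WEIGHT.get(a.tier, 0)
    if a.internet_exposed:
        score += 20
    if any(c in KNOWN_EXPLOITED for c in a.cves):
        score += 30
    if a.last_scanned is None:
        score += 15          # never assessed: unknown state is itself an exposure
    elif (today - a.last_scanned).days > STALE_SCAN_DAYS:
        score += 10
    return score


def segmentation_violations(assets):
    """Identity-tier hosts reachable from the general zone break the minimum segmentation rule."""
    return sorted(a.host for a in assets if a.tier == "identity" and "general" in a.reachable_from)


def prioritize(assets, today):
    """Remediation order: highest exposure score first."""
    return sorted(assets, key=lambda a: exposure_score(a, today), reverse=True)


# Constructed sample data; a fixed "today" keeps the example deterministic.
TODAY = date(2025, 6, 1)
INVENTORY = [
    Asset("oam-legacy", "identity", True, None, ["CVE-2021-35587"], {"general", "dmz"}),
    Asset("sso-core", "identity", False, date(2025, 5, 27), [], {"identity"}),
    Asset("web-portal", "app", True, date(2025, 4, 17), ["CVE-XXXX-YYYY"], {"dmz"}),
    Asset("build-box", "general", False, date(2025, 5, 31), [], {"general"}),
]
# What the scheduled scanner knows about; the legacy host is missing from it.
SCAN_SCOPE = {"sso-core", "web-portal", "build-box"}

if __name__ == "__main__":
    print("never scanned:", discovery_gaps(INVENTORY, SCAN_SCOPE))
    print("segmentation violations:", segmentation_violations(INVENTORY))
    for a in prioritize(INVENTORY, TODAY):
        print(f"{exposure_score(a, TODAY):4d}  {a.host}")
```

The point of the script is the combination: a host that is absent from the scan scope never gets a CVE finding at all, so discovery has to run against what actually exists (cloud inventory, DNS, certificates) rather than against the scanner's own asset list, and once found, an identity-tier host with an exploited CVE outranks everything else regardless of how many lower-tier findings the scanner reports.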
Measuring performance by remediation speed
According to a 2025 Clutch survey, 73% of businesses have experienced a cyber incident, and more than half (55%) were breached within just the past year. What usually separates a contained incident from a catastrophic breach is how quickly an organization can detect and remediate exposures.
The Oracle breach is a great example. Reports suggest attackers maintained persistent access for months before discovery. They had all the time in the world to identify sensitive information, extract it, and ultimately issue extortion demands.
That’s why remediation speed is a core principle in CTEM. The framework calls for organizations to measure and continuously improve Mean Time to Detect (MTTD) and Mean Time to Remediate (MTTR) as critical performance indicators.
This pushes security leaders to implement measures that ensure incidents are identified quickly, and remediated before they cause widespread damage to the business.
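To make MTTD and MTTR usable as performance indicators, they have to be computed per severity and compared against targets, not reported as a single organization-wide average. The example below is added here and is not code from the article; the incident records, timestamps and target hours are constructed placeholders. It reports both mean and median, because a single months-long exposure (the kind the article describes) can drag the mean far above the typical case.

```python
"""MTTD/MTTR from constructed incident records (illustrative; not Oracle data)."""
from datetime import datetime, timezone
from statistics import mean, median

# Constructed records. "introduced" is when the exposure began, "detected" when the
# team first saw it, "remediated" when it was closed. All timestamps are UTC.
INCIDENTS = [
    {"id": "INC-1", "severity": "critical", "introduced": "2025-01-10T00:00:00Z",
     "detected": "2025-01-12T06:00:00Z", "remediated": "2025-01-12T18:00:00Z"},
    {"id": "INC-2", "severity": "critical", "introduced": "2025-02-01T00:00:00Z",
     "detected": "2025-02-01T02:00:00Z", "remediated": "2025-02-01T10:00:00Z"},
    {"id": "INC-3", "severity": "high", "introduced": "2025-03-01T00:00:00Z",
     "detected": "2025-03-15T00:00:00Z", "remediated": "2025-03-20T00:00:00Z"},
    {"id": "INC-4", "severity": "low", "introduced": "2025-04-01T00:00:00Z",
     "detected": "2025-04-01T12:00:00Z", "remediated": "2025-04-03T12:00:00Z"},
]

# Assumed targets per severity: (max hours to detect, max hours to remediate).
TARGETS = {"critical": (24, 24), "high": (72, 168), "low": (168, 720)}


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp; the trailing 'Z' is mapped to an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def _hours(start, end):
    return (_parse(end) - _parse(start)).total_seconds() / 3600


def exposure_metrics(incidents, severity=None):
    """Mean and median time-to-detect and time-to-remediate, optionally for one severity."""
    sel = [i for i in incidents if severity is None or i["severity"] == severity]
    ttd = [_hours(i["introduced"], i["detected"]) for i in sel]
    ttr = [_hours(i["detected"], i["remediated"]) for i in sel]
    return {
        "count": len(sel),
        "mttd_h": round(mean(ttd), 1), "median_ttd_h": round(median(ttd), 1),
        "mttr_h": round(mean(ttr), 1), "median_ttr_h": round(median(ttr), 1),
    }


def target_breaches(incidents, targets):
    """(incident id, phase) pairs where detection or remediation exceeded the severity target."""
    breaches = []
    for i in incidents:
        max_ttd, max_ttr = targets[i["severity"]]
        if _hours(i["introduced"], i["detected"]) > max_ttd:
            breaches.append((i["id"], "detect"))
        if _hours(i["detected"], i["remediated"]) > max_ttr:
            breaches.append((i["id"], "remediate"))
    return breaches


if __name__ == "__main__":
    print("all:", exposure_metrics(INCIDENTS))
    print("critical:", exposure_metrics(INCIDENTS, "critical"))
    print("breaches:", target_breaches(INCIDENTS, TARGETS))
```

In the constructed data the overall MTTD is 101 hours while the median is 33, which is exactly the gap a security leader should look at: one slow detection (INC-3) accounts for most of the mean, and the breach list names it directly so the review can ask why that exposure sat undetected for two weeks.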
Transparency and communication matter
Visibility is essential in CTEM, and it doesn’t stop at technical exposures. A key principle of the framework is to ensure findings are communicated quickly and clearly across teams and stakeholders, so they can act on them promptly.
What Oracle did was the complete opposite. Internally, unmonitored systems like the OAM server went unnoticed, suggesting gaps in how exposures were tracked and escalated across teams. Externally, Oracle compounded the issue with conflicting statements and public denials, which left customers confused about the scope of the incident and uncertain about what actions to take.
Transparency is what drives trust and speed. Organizations that surface critical findings proactively and communicate them to the relevant teams for remediation (whether internal or external) will stand out as trusted partners in good times and bad.
Conclusion
The Oracle Cloud breach shows that even organizations with the most resources and the latest and greatest security technologies can fall when they lack the right framework. The lesson for others is that how you approach security matters much more than the number of tools or the size of the security budget.
CTEM is the perfect framework to adopt. It shifts the entire security culture from reactive to proactive, and provides much-needed structure when handling incidents or managing exposures.