Oracle Scheduler Abused to Breach Corporate Networks
Threat actors have increasingly exploited Oracle Scheduler to breach corporate networks by abusing its External Jobs feature. Recent incidents show attackers executing system-level commands through extjobo.exe, gaining unauthorized access even in segmented environments. Researchers observed adversaries initiating attacks by scanning for exposed Oracle listener ports and exploiting misconfigured or default credentials.
Once inside, attackers abused Oracle Scheduler to move deeper into systems by spawning encoded PowerShell commands. They piped Base64 payloads directly through extjobo.exe, bypassing script execution policies and avoiding disk-based detection. Several cases involved creating local admin accounts, exfiltrating data, and deploying ransomware operations disguised as routine database jobs.
Logs revealed repeated failed login attempts followed by successful SYSDBA access, suggesting brute-force or credential harvesting. Adversaries cleaned up traces by deleting batch files and scheduled tasks post-execution. Analysts recommend enforcing strict scheduler privileges and monitoring extjobo.exe anomalies to prevent misuse.
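One way to act on the extjobo.exe monitoring recommendation is shown below. It is an added example, not code from the report: it flags shells spawned by extjobo.exe in process-creation events and decodes any Base64 PowerShell argument for triage. The event field names, file paths and sample events are constructed assumptions.

```python
import base64
import binascii
import ntpath

# Constructed process-creation events; field names and paths are assumptions.
_PAYLOAD = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\oracle\product\bin\extjobo.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -enc {_PAYLOAD}"},
    {"parent": r"C:\oracle\product\bin\extjobo.exe",
     "image": r"C:\oracle\scripts\nightly_export.exe",
     "cmdline": "nightly_export.exe --full"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\admin\report.ps1"},
]
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def encoded_argument(cmdline):
    """Return the argument following an -EncodedCommand style flag, or None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        # PowerShell accepts any prefix of "encodedcommand", plus the alias "ec".
        if flag[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            return value
    return None

def decode_payload(b64):
    """Decode a PowerShell encoded command (Base64 over UTF-16LE) for triage."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def triage(events):
    """Flag shells spawned by extjobo.exe; decode any encoded command found."""
    alerts = []
    for ev in events:
        if ntpath.basename(ev["parent"]).lower() != "extjobo.exe":
            continue
        child = ntpath.basename(ev["image"]).lower()
        if child not in SHELLS:
            continue
        arg = encoded_argument(ev["cmdline"])
        alerts.append({"child": child, "encoded": arg is not None,
                       "decoded": decode_payload(arg) if arg else None})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Legitimate external jobs that call a shell will also match, so the output is a triage queue to compare against the known job inventory rather than a verdict.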
Read the full report: Threat Actors Leverage Oracle Database Scheduler to Gain Access to Corporate Environments
