Oracle E-Business Suite Zero-Day Attack (CVE-2025-61882)

Overview

CrowdStrike researchers have identified an ongoing mass exploitation campaign targeting Oracle E-Business Suite (EBS) deployments through a previously unknown vulnerability, now tracked as CVE-2025-61882. The flaw permits unauthenticated remote code execution (RCE), allowing attackers to compromise vulnerable EBS applications and steal confidential company data.

The campaign, which has been active since August 2025, is thought to be associated with the financially motivated threat group GRACEFUL SPIDER, although several actors may be exploiting the same vulnerability. According to CrowdStrike’s ongoing investigation, threat actors are using this zero-day to obtain unauthorized access, install web shells, and exfiltrate company data.

Key Findings

  • Vulnerability: CVE-2025-61882 – Unauthenticated RCE in Oracle EBS
  • First Known Exploitation: August 9, 2025
  • Patch Released: October 4, 2025
  • Attack Objective: Data exfiltration from enterprise EBS environments
  • Primary Suspect: GRACEFUL SPIDER (linked to CLOP ransomware operations)

Based on evidence such as phishing emails and stolen data samples, CrowdStrike assesses with a reasonable degree of confidence that GRACEFUL SPIDER started the campaign. The public release of a proof-of-concept (POC) on October 3, 2025, could, however, accelerate exploitation by other threat groups that are familiar with Oracle EBS.

Attack Chain Analysis

1. Initial Exploitation – Authentication Bypass
Attackers begin with a crafted HTTP POST request sent to the endpoint:

/OA_HTML/SyncServlet

This request triggers an authentication bypass sequence, allowing attackers to gain unauthorized administrative access within EBS.

2. Code Execution via Malicious Templates
Once access is established, the adversaries abuse the Oracle XML Publisher Template Manager, sending GET and POST requests to:

/OA_HTML/RF.jsp
/OA_HTML/OA.jsp

They then upload a malicious XSLT template, which executes arbitrary commands when previewed. This mechanism effectively delivers remote code execution.

3. Outbound Connection & Web Shell Deployment
When the malicious template executes, it initiates outbound network connections to attacker-controlled infrastructure (usually over port 443). Adversaries have frequently used this channel to deploy web shells for persistence and command execution.
In certain incidents, a secondary infection chain was observed using:

  • FileUtils.java (downloader)
  • Log4jConfigQpgsubFilter.java (backdoor)

These components set up a memory-resident web shell accessible through a public endpoint for covert access.
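As an added illustration (not CrowdStrike’s or Oracle’s code), the following Python correlates the first two stages of the chain above in web-server access logs: a POST to /OA_HTML/SyncServlet from a client, followed shortly by requests to the Template Manager pages from the same client. The combined log format, the 30-minute window and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request paths from the attack chain described above.
BYPASS_PATH = "/OA_HTML/SyncServlet"
TEMPLATE_PATHS = ("/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp")

# Combined-format access log line; the exact field layout is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def find_chain(lines, window_minutes=30):
    """Return (ip, bypass_time_iso, template_path) for each Template Manager
    request that follows a SyncServlet POST from the same client within the window.
    RF.jsp/OA.jsp are normal EBS pages, so the preceding SyncServlet POST is the key."""
    bypass_seen = defaultdict(list)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path == BYPASS_PATH:
            bypass_seen[ip].append(ts)
        elif path in TEMPLATE_PATHS:
            for t0 in bypass_seen[ip]:
                if timedelta(0) <= ts - t0 <= timedelta(minutes=window_minutes):
                    findings.append((ip, t0.isoformat(), path))
                    break
    return findings

# Constructed sample log lines (not real traffic); 198.51.100.4 is a benign user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2025:02:14:05 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
203.0.113.7 - - [10/Aug/2025:02:14:09 +0000] "GET /OA_HTML/RF.jsp?x=1 HTTP/1.1" 200 8841
198.51.100.4 - - [10/Aug/2025:02:15:00 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 2200
203.0.113.7 - - [10/Aug/2025:02:14:30 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for hit in find_chain(SAMPLE_LOG.splitlines()):
        print("possible CVE-2025-61882 chain:", hit)
```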

Threat Actor Attribution

CrowdStrike believes GRACEFUL SPIDER is behind the campaign due to:

  • Use of CLOP-branded phishing emails
  • Sender domains matching known GRACEFUL SPIDER infrastructure (pubstorm[.]com, pubstorm[.]net)
  • Evidence of data theft shared with victims
  • Previous mass exploitation campaigns targeting public-facing apps

However, the public POC leak on Telegram suggests that other groups, including SCATTERED SPIDER, SLIPPY SPIDER, or ShinyHunters, could also be involved, leading to wider opportunistic attacks after disclosure.

Indicators of Compromise (IOCs)

Oracle’s advisory provides IOCs including:

  • Suspicious outbound connections
  • Commands executed from template preview endpoints
  • Web shell file names and malicious XSLT templates

Administrators should also monitor for:

  • Abnormal sessions using UserID 0 (sysadmin) or UserID 6 (guest)
  • Suspicious entries in xdo_templates_vl and icx_sessions tables

Risk & Impact

  • Severity: Critical
  • Impact: Full compromise of Oracle EBS environment
  • Scope: Internet-exposed EBS instances
  • Exploitation: Active in the wild, multiple threat actors likely involved

The release of a POC exploit combined with public patch details significantly increases the risk of widespread opportunistic attacks. Organizations with unpatched Oracle EBS systems are at immediate risk.

Mitigation & Recommendations

To defend against CVE-2025-61882 exploitation, CrowdStrike and Oracle recommend the following actions:

  • Apply the October 2025 Oracle Patch Immediately
    • Ensure all affected EBS instances are updated.
  • Audit Outbound Connections
    • Investigate unknown or suspicious traffic from EBS servers.
  • Review Database Templates
    • Search for malicious XSLT templates in xdo_templates_vl.
  • Check for Suspicious Sessions
    • Focus on sysadmin and guest account anomalies in icx_sessions.
  • Restrict Internet Exposure
    • Consider temporarily isolating EBS from public networks.
  • Deploy a Web Application Firewall (WAF)
