Resecurity and watchTowr researchers have analyzed the leaked scripts used by attackers to exploit CVE-2025-61882 on internet-facing Oracle ESB instances.
Whether the attackers were Cl0p or LAPSUS$, both, or even additional threat actors is still unknown, as the scripts have been leaked on Telegram.
CVE-2025-61882 exploit scripts analyzed
“What we have observed is that CVE-2025-61882 (…) is not ‘just’ one vulnerability. It is a poetic flow of numerous small/medium weaknesses,” watchTowr researchers Sina Kheirkhah and Jake Knot noted.
“This is noteworthy because (…) whoever first discovered these vulnerabilities and chained them clearly knows Oracle EBS incredibly well at this point.”
Two Python scripts are required to pull off the attack: Server.py, an HTTP server implementation and exp.py, an exploit client that coerces the Oracle EBS server into fetching the attacker’s malicious payload.
“Using the exp.py script, the attacker sends a specially crafted HTTP request to the target Oracle EBS instance. This request includes a return_url parameter that references the attacker’s payload server. To evade basic security filters, the URL is encoded using numeric HTML character entities. This causes the EBS server to fetch and process content from the attacker-controlled server, effectively executing a server-side request forgery (SSRF),” Resecurity researchers explained.
“Upon following the return_url, the EBS application retrieves the malicious XSL file. The file includes an embedded JavaScript payload that is decoded and executed using Java’s javax.script API.”
Once the payload is executed, the EBS server initiates a reverse shell connection back to the attacker’s listener. “The shell typically runs under the Oracle user context, granting the attacker interactive access to the target system’s operating environment,” the researchers added.
More attacks expected
It’s still unclear whether the attackers only used CVE-2025-61882 to breach Oracle EBS instances or other vulnerabilities, as well. Oracle initially said that the attackers leveraged flaws patched in July 2025, but has since removed that particular post.
What’s almost certain is that these and likely other attackers will continue to leverage the leaked exploit scripts to target Oracle EBS instances exposed on the internet.
According to Mandiant, exploitation of the flaw and subsequent data theft attacks started in August 2025.
Many of the affected organizations already know they’ve been hit, as they’ve received the Cl0p extortion emails. But all organizations with internet-facing Oracle EBS instances should check for indicators of compromise that Oracle provided in the CVE-2025-61882 security advisory, and update the instances with all the provided fixes as instructed.
WatchTowr researchers have published a script that can be used to check whether an Oracle E-Business Suite instance is vulnerable to CVE-2025-61882, and CISA has added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
