A novel zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882) is being actively exploited in a large-scale data exfiltration campaign, with CrowdStrike Intelligence attributing primary involvement to the GRACEFUL SPIDER threat group and warning that public proof-of-concept details will spur further attacks.
On August 9, 2025, the first suspected exploitation of an unauthenticated remote code execution vulnerability in Oracle E-Business Suite emerged, although ongoing investigations may adjust this date.
CrowdStrike Intelligence tracks the zero-day—now cataloged as CVE-2025-61882—as the likely root cause of a mass exploitation campaign targeting internet-exposed EBS applications for data theft.
By September 29, 2025, GRACEFUL SPIDER operatives had emailed multiple organizations claiming to have accessed and extracted sensitive data from victims’ Oracle EBS environments.
Complicating attribution, on October 3, 2025, a Telegram channel participant posted what appears to be a weaponized exploit for CVE-2025-61882, insinuating collaboration among SCATTERED SPIDER, SLIPPY SPIDER, and ShinyHunters.
This post included a SHA256 hash (76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d) and criticized GRACEFUL SPIDER’s tactics.
Oracle’s security advisory later published the same proof-of-concept (POC) as an indicator of compromise, indicating the vendor’s view that the exploit is already in the wild.
While CrowdStrike cannot rule out multiple threat actors exploiting this vulnerability, the observed patterns of exploitation align closely with the POC’s activity and GRACEFUL SPIDER’s known methods.
Oracle E-Business Suite 0-Day
Oracle disclosed CVE-2025-61882 on October 4, 2025, describing an unauthenticated RCE vulnerability within Oracle E-Business Suite.
The exploit chain begins with an HTTP POST request to /OA_HTML/SyncServlet, bypassing authentication—often impersonating an administrative account—and paving the way for code execution via the XML Publisher Template Manager.

Adversaries issue GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload a malicious XSLT template, which executes arbitrary commands when previewed.
Successful exploitation establishes an outbound connection from the Java web server process to attacker-controlled infrastructure over port 443.
CrowdStrike has observed threat actors using this channel to remotely deploy web shells, granting persistence and further command execution capabilities.
In several incidents, the adversary loaded FileUtils.java, which in turn fetched Log4jConfigQpgsubFilter.java. These files functioned respectively as the downloader and backdoor, with the latter invoked via a doFilter chain when accessing /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/.
Oracle’s advisory includes IOCs such as malicious IP addresses, observed commands, and filenames, underscoring evidence of in-the-wild exploitation.
The technical alignment between CrowdStrike’s telemetry and the published POC strongly supports the conclusion that a novel zero-day underpins the campaign.
Implications and Recommendations
CrowdStrike Intelligence warns that the October 3 public disclosure of the POC and the prompt release of Oracle’s patch will almost certainly motivate additional threat actors—especially those familiar with Oracle E-Business Suite—to weaponize the exploit for opportunistic attacks.
Historical trends demonstrate that public POCs accelerate exploit development and broaden the pool of potential attackers, transitioning targeted campaigns into widespread opportunistic intrusions.
Organizations operating Oracle EBS should prioritize the following actions to mitigate risk:

- Apply Oracle’s CVE-2025-61882 security updates immediately.
- Monitor outbound connections from EBS instances to known malicious infrastructure and investigate unexpected network activity.
- Query the xdo_templates_vl database table for unauthorized template entries matching POC references.
- Review sysadmin (UserID 0) and guest (UserID 6) sessions in icx_sessions for anomalies indicative of authentication bypass.
- Consider disabling direct internet access for EBS environments or deploying a web application firewall to filter malicious requests.
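The request sequence described in the exploit chain above (a POST to /OA_HTML/SyncServlet followed by traffic to /OA_HTML/RF.jsp or /OA_HTML/OA.jsp, and any request to the backdoor filter path) and the outbound-connection monitoring recommended in the list can both be expressed as simple detection logic. The following Python is an added example for defenders and is not code from CrowdStrike, Oracle, or the reporting above. It assumes the EBS front end writes Apache/OHS combined-format access logs and that host telemetry can be reduced to per-connection records with a `process`, `direction`, `remote_ip` and `remote_port` field; the log lines and connection records are constructed sample data, and the IP addresses are documentation ranges, not real indicators.

```python
import re
from collections import defaultdict

# Request paths taken from the public reporting on CVE-2025-61882.
SYNCSERVLET = "/OA_HTML/SyncServlet"
TEMPLATE_PATHS = ("/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp")
BACKDOOR_PATH = "/OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/"

# Combined-format access log line (assumed format for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(req):
    """Map a request onto a stage of the reported exploit chain, or None."""
    path = req["path"].split("?", 1)[0]   # drop the query string
    if req["method"] == "POST" and path == SYNCSERVLET:
        return "auth_bypass_syncservlet"
    if req["method"] in ("GET", "POST") and path in TEMPLATE_PATHS:
        return "template_upload_or_preview"
    if path.startswith(BACKDOOR_PATH):
        return "backdoor_filter_path"
    return None

def detect_chain(lines):
    """Return {client_ip: [stages]} for clients that show the staged pattern.

    OA.jsp and RF.jsp are used by every legitimate EBS session, so on their own
    they are not a signal; a client is flagged only when a SyncServlet POST is
    followed by template traffic, or when the backdoor path is requested at all.
    """
    per_ip = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        stage = classify(req)
        if stage:
            per_ip[req["ip"]].append(stage)
    flagged = {}
    for ip, stages in per_ip.items():
        if "backdoor_filter_path" in stages:
            flagged[ip] = stages
        elif "auth_bypass_syncservlet" in stages:
            after = stages[stages.index("auth_bypass_syncservlet") + 1:]
            if "template_upload_or_preview" in after:
                flagged[ip] = stages
    return flagged

EBS_WEB_PROCESSES = {"java"}   # assumed process name of the EBS Java web tier

def suspicious_outbound(conns, allowlist):
    """Outbound port-443 connections from the Java web server process to any
    destination not on the organisation's allowlist (assumed record shape)."""
    return [c for c in conns
            if c["process"] in EBS_WEB_PROCESSES
            and c["direction"] == "outbound"
            and c["remote_port"] == 443
            and c["remote_ip"] not in allowlist]

# Constructed sample data: one attacker-like client, one ordinary user, one
# direct hit on the backdoor path, and a few host connection records.
SAMPLE_LOG = [
    '203.0.113.10 - - [09/Aug/2025:14:02:11 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512',
    '203.0.113.10 - - [09/Aug/2025:14:02:15 +0000] "POST /OA_HTML/RF.jsp HTTP/1.1" 200 2048',
    '203.0.113.10 - - [09/Aug/2025:14:02:20 +0000] "GET /OA_HTML/OA.jsp?x=1 HTTP/1.1" 200 9001',
    '198.51.100.7 - - [09/Aug/2025:14:05:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 300',
    '198.51.100.7 - - [09/Aug/2025:14:05:03 +0000] "GET /OA_HTML/OA.jsp?x=2 HTTP/1.1" 200 4000',
    '192.0.2.44 - - [10/Aug/2025:03:11:09 +0000] "GET /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/ HTTP/1.1" 200 17',
]
SAMPLE_CONNS = [
    {"process": "java", "direction": "outbound", "remote_ip": "203.0.113.10", "remote_port": 443},
    {"process": "java", "direction": "outbound", "remote_ip": "10.0.5.20", "remote_port": 1521},
    {"process": "java", "direction": "inbound", "remote_ip": "198.51.100.7", "remote_port": 51234},
]

if __name__ == "__main__":
    for ip, stages in detect_chain(SAMPLE_LOG).items():
        print(f"flagged client {ip}: {' -> '.join(stages)}")
    for c in suspicious_outbound(SAMPLE_CONNS, allowlist={"10.0.5.20"}):
        print(f"unexpected outbound 443 from {c['process']} to {c['remote_ip']}")
```

Run it against a real access log by feeding the file's lines to `detect_chain`; the ordering requirement is what keeps the rule quiet on normal OA.jsp traffic, so a client that only touches OA.jsp (as 198.51.100.7 does above) is not reported. A hit on the backdoor path is reported unconditionally because that path has no legitimate use.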
By swiftly patching vulnerable instances and implementing vigilant monitoring, organizations can disrupt the exploitation chain and protect sensitive data from emerging zero-day threats in Oracle E-Business Suite.