Oracle EBS Under Fire as Cl0p Exploits CVE-2025-61882 in Real-World Attacks


Oct 07, 2025Ravie LakshmananCyber Attack / Ransomware

CrowdStrike on Monday said it’s attributing the exploitation of a recently disclosed security flaw in Oracle E-Business Suite with moderate confidence to a threat actor it tracks as Graceful Spider (aka Cl0p), and that the first known exploitation occurred on August 9, 2025.

The exploitation involves the exploitation of CVE-2025-61882 (CVSS score: 9.8), a critical vulnerability that facilitates remote code execution without authentication.

The cybersecurity company also noted that it’s currently not known how a Telegram channel “insinuating” collaboration between Scattered Spider, LAPSUS$ (aka Slippy Spider), and ShinyHunters came into the possession of an exploit for the flaw, and if they and other threat actors have leveraged it in real-world attacks.

The Telegram channel has been observed sharing the purported Oracle EBS exploit, while criticizing Graceful Spider’s tactics.

DFIR Retainer Services

The observed activity so far involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. The attacker then targets Oracle’s XML Publisher Template Manager by issuing GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload and execute a malicious XSLT template,

The commands in the malicious template are executed when it is previewed, resulting in an outbound connection from the Java web server process to attacker-controlled infrastructure over port 443. The connection is subsequently used to remotely load web shells to execute commands and establish persistence.

It’s believed that one or more threat actors are in possession of the CVE-2025-61882 exploit for purposes of data exfiltration.

“The proof-of-concept disclosure and the CVE-2025-61882 patch release will almost certainly encourage threat actors – particularly those familiar with Oracle EBS — to create weaponized POCs and attempt to leverage them against internet-exposed EBS applications,” it said.

In a separate analysis, WatchTowr Labs said, “The chain demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated remote code execution.” The entire sequence of events is as follows –

  • Send an HTTP POST request containing a crafted XML to /OA_HTML/configurator/UiServlet to coerce the backend server to send arbitrary HTTP requests by means of a Server-Side Request Forgery (SSRF) attack
  • Use a Carriage Return/Line Feed (CRLF) Injection to inject arbitrary headers into the HTTP request triggered by the pre-authenticated SSRF
  • Use this vulnerability to smuggle requests to an internet-exposed Oracle EBS application via “apps.example.com:7201/OA_HTML/help/../ieshostedsurvey.jsp” and load a malicious XSLT template

The attack, at its core, takes advantage of the fact that the JSP file can load an untrusted stylesheet from a remote URL, opening the door for an attacker to achieve arbitrary code execution.

“This combination lets an attacker control request framing via the SSRF and then reuse the same TCP connection to chain additional requests, increasing reliability and reducing noise,” the company said. “HTTP persistent connections, also known as HTTP keep-alive or connection reuse, let a single TCP connection carry multiple HTTP request/response pairs instead of opening a new connection for every exchange.”

CIS Build Kits

CVE-2025-61882 has since been added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA), noting that it has been used in ransomware campaigns, urging federal agencies to apply the fixes by October 27, 2025.

“Cl0p has been exploiting multiple vulnerabilities in Oracle EBS since at least August 2025, stealing large amounts of data from several victims, and has been sending extortion emails to some of those victims since last Monday,” Jake Knott, principal security researcher at watchTowr, said in a statement.

“Based on the evidence, we believe this is Cl0p activity, and we fully expect to see mass, indiscriminate exploitation from multiple groups within days. If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls — fast.”



Source link

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.