Full Report
CrowdStrike on Monday said it's attributing the exploitation of a recently disclosed security flaw in Oracle E-Business Suite with moderate confidence to a threat actor it tracks as Graceful Spider (aka Cl0p), and that the first known exploitation occurred on August 9, 2025. The malicious activity involves the exploitation of CVE-2025-61882 (CVSS score: 9.8), a critical vulnerability that
Analysis Summary
# Vulnerability: Critical Remote Code Execution in Oracle E-Business Suite Exploited by Cl0p
## CVE Details
- CVE ID: CVE-2025-61882
- CVSS Score: 9.8 (Critical)
- CWE: Not listed in the source material. The chain described below is an authentication bypass followed by server-side execution of attacker-supplied template code.
## Affected Systems
- Products: Oracle E-Business Suite (EBS)
- Versions: Specific vulnerable versions are not listed in the source material; Oracle's out-of-band patch is the authoritative statement of affected releases.
- Configurations: Internet-exposed Oracle EBS instances (the entry point is an unauthenticated HTTP request to the web tier).
## Vulnerability Description
CVE-2025-61882 is a critical vulnerability in Oracle E-Business Suite that allows **Remote Code Execution (RCE) without authentication**. The exploitation chain as described by the cited reports:
1. The attacker sends a specially crafted HTTP request to `/OA_HTML/SyncServlet`, which bypasses authentication.
2. With that foothold, the attacker issues GET/POST requests against `/OA_HTML/RF.jsp` and `/OA_HTML/OA.jsp` to upload a malicious XSLT template through Oracle's XML Publisher Template Manager.
3. When the malicious template is previewed, the server-side template processor executes the code embedded in it. The observed payload establishes a reverse shell over TCP port 443 back to the attacker's listener, which is then used for post-exploitation such as dropping web shells and establishing persistence.
## Exploitation
- Status: Exploited in the wild. CrowdStrike attributes the activity with moderate confidence to Graceful Spider (Cl0p), with the first known exploitation on August 9, 2025. Exploit material is reported to have been shared on Telegram, so working proof-of-concept code should be assumed to be in circulation.
- Complexity: Low in CVSS terms (a 9.8 score implies network vector, low attack complexity, no privileges and no user interaction). The chain has several steps, but each is an ordinary HTTP request and requires no credentials, so it is straightforward to automate once understood.
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (data theft and exfiltration is the likely objective of the observed Cl0p activity)
- Integrity: High (arbitrary code execution as the application-tier user, web shells, persistence)
- Availability: High (an attacker with code execution can disrupt or destroy the EBS instance at will)
## Remediation
### Patches
- Oracle released an out-of-band patch for CVE-2025-61882. *Note: Specific patch identifiers and fixed versions were not detailed in the source material; consult the Oracle advisory linked from the references below.*
### Workarounds
- No workaround is given in the source material, and immediate patching is the only complete mitigation given the active exploitation. Until the patch is applied, removing direct internet exposure of the EBS web tier and restricting access to `/OA_HTML/SyncServlet` and the XML Publisher endpoints to trusted networks reduces exposure, since the chain begins with an unauthenticated request to that servlet.
## Detection
- Indicators of Compromise: Unexpected outbound connections over TCP 443 from the EBS application-tier Java process to external IP addresses (the reverse shell). The web tier normally only serves inbound requests and talks to internal database and integration hosts, so egress from that process to arbitrary internet hosts is anomalous.
- Detection methods and tools: Review web-tier access logs for requests to `/OA_HTML/SyncServlet` followed, from the same client, by POST/GET activity against `/OA_HTML/RF.jsp` and `/OA_HTML/OA.jsp` and the XML Publisher template endpoints. Note that `OA.jsp` and `RF.jsp` are legitimate EBS pages, so they are only meaningful when correlated with the `SyncServlet` request. Endpoint behavioral monitoring (as used by CrowdStrike in the cited report) detects the Java process spawning shells or opening outbound network connections.
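The two detection points above, implemented as an added example (this is not code from CrowdStrike, Oracle or any of the cited reports). It correlates web-tier access-log lines so that a client hitting `/OA_HTML/SyncServlet` and then `RF.jsp`/`OA.jsp` within a window is flagged, while an ordinary user who only opens `OA.jsp` is not, and it scans `ss -tnp` style output for a `java` process holding an established connection to a non-internal host on port 443. The log lines and socket listing are constructed samples, the combined-log format and the `ss` column layout are assumptions, and the 30-minute window is an arbitrary tuning choice.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the exploitation chain. OA.jsp and RF.jsp are normal EBS
# pages, so alone they are noise; the signal is SyncServlet followed by them.
ENTRY_PATH = "/OA_HTML/SyncServlet"
FOLLOWUP_PATHS = {"/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp"}

# Constructed sample access log in combined-log style (not real data).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [09/Aug/2025:14:02:11 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
203.0.113.10 - - [09/Aug/2025:14:02:14 +0000] "POST /OA_HTML/RF.jsp HTTP/1.1" 200 1024
203.0.113.10 - - [09/Aug/2025:14:02:20 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG HTTP/1.1" 200 2048
198.51.100.7 - - [09/Aug/2025:14:05:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4096
198.51.100.7 - - [09/Aug/2025:14:06:00 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_access_log(text):
    """Yield (ip, timestamp, method, path-without-query) per parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]


def find_exploit_chains(text, window=timedelta(minutes=30)):
    """Map client IP -> ordered paths for clients that request SyncServlet and
    then RF.jsp/OA.jsp within `window` (assumed window, tune to your traffic)."""
    by_ip = defaultdict(list)
    for ip, ts, method, path in parse_access_log(text):
        by_ip[ip].append((ts, method, path))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (ts0, _, path0) in enumerate(events):
            if path0 != ENTRY_PATH:
                continue
            chain = [path0]
            for ts, _, path in events[i + 1:]:
                if ts - ts0 > window:
                    break
                if path in FOLLOWUP_PATHS:
                    chain.append(path)
            if len(chain) > 1:          # SyncServlet alone is not enough
                hits[ip] = chain
                break
    return hits


# Constructed `ss -tnp` style output from the EBS application tier (not real data).
SAMPLE_SS_OUTPUT = """\
ESTAB 0 0 10.0.0.5:43122 203.0.113.50:443 users:(("java",pid=4321,fd=88))
ESTAB 0 0 10.0.0.5:43150 10.0.0.20:1521 users:(("java",pid=4321,fd=90))
ESTAB 0 0 10.0.0.5:22 10.0.0.9:51522 users:(("sshd",pid=812,fd=4))
"""

SS_RE = re.compile(
    r'^ESTAB\s+\S+\s+\S+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

# Explicit internal ranges rather than ipaddress.is_private, which also
# treats the TEST-NET documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def find_java_egress(text, port=443):
    """Return (pid, peer) for established connections from a 'java' process
    to a non-internal address on `port` (the reverse-shell indicator)."""
    found = []
    for line in text.splitlines():
        m = SS_RE.match(line)
        if not m or m.group("proc") != "java":
            continue
        host, _, peer_port = m.group("peer").rpartition(":")
        if int(peer_port) == port and not is_internal(host):
            found.append((int(m.group("pid")), m.group("peer")))
    return found


if __name__ == "__main__":
    for ip, chain in find_exploit_chains(SAMPLE_ACCESS_LOG).items():
        print(f"[!] {ip}: {' -> '.join(chain)}")
    for pid, peer in find_java_egress(SAMPLE_SS_OUTPUT):
        print(f"[!] java pid {pid} has an outbound connection to {peer}")
```

Run it against the real web-tier access logs (the EBS application tier writes Apache-style logs, but verify your format against `LOG_RE` first) and against `ss -tnp` on the application-tier host. The access-log correlation is a heuristic: an attacker who pivots from a different source address between steps, or a proxy that collapses many users behind one IP, will weaken it, so treat a single `SyncServlet` POST from an unfamiliar address as worth a look on its own.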
## References
- Vendor Advisory: Oracle's out-of-band patch for CVE-2025-61882 (the advisory itself is not linked in the source material; it is referenced via the reports below).
- Relevant links:
- hxxps://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/
- hxxps://www.rapid7.com/blog/post/etr-cve-2025-61882-critical-0day-in-oracle-e-business-suite-exploited-in-the-wild/
- hxxps://www.resecurity.com/blog/article/cve-2025-61882-mass-exploitation-oracle-e-business-suite-ebs-under-attack-by-cl0p-ransomware/