A critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS) has been actively exploited in the wild since August 2025, posing a severe threat to enterprise environments. The flaw resides in the BI Publisher Integration component of Oracle EBS versions 12.2.3–12.2.14 and carries a CVSS v3.1 score of 9.8. It enables unauthenticated remote code execution (RCE) through crafted HTTP POST requests and malicious XSLT uploads, resulting in complete system compromise across financial, HR, and supply chain systems.
The vulnerability is being actively exploited by Cl0p ransomware operators, with confirmed involvement of threat groups Scattered Spider, ShinyHunters, and LAPSUS$. Following the October 2025 leak of a public proof-of-concept (PoC) by the “Scattered Lapsus$ Hunters” collective, exploitation surged dramatically. Attackers now perform mass scanning and automated exploitation of exposed Oracle EBS instances, leading to data theft, credential exfiltration, and double extortion campaigns.
CVE-2025-61882 underscores the urgency for enterprises relying on Oracle EBS to patch immediately, as internet-facing deployments remain particularly vulnerable to ongoing automated attacks.
The Oracle EBS Concurrent Processing component contains an input validation flaw within the BI Publisher Integration engine. Attackers exploit this by sending crafted HTTP POST requests to specific Oracle EBS endpoints, bypassing authentication and uploading malicious XSLT templates. These templates, when processed by the BI Publisher service, execute arbitrary code on the Java web server, enabling remote command execution and system takeover.
Once compromised, systems often establish outbound HTTPS connections (port 443) to attacker-controlled servers, facilitating persistence, lateral movement, and command execution. The simplicity of exploitation has resulted in widespread scanning activity, making unpatched systems high-value targets for ransomware operators and opportunistic attackers alike.
Key Technical Identifiers:
CVE ID: CVE-2025-61882
CWE IDs: CWE-22 (Path Traversal), CWE-444 (HTTP Request Smuggling)
CPE: cpe:2.3:a:oracle:concurrent_processing:*:*:*:*:*:*:*:*
Affected Versions: Oracle EBS 12.2.3 to 12.2.14
Attack Vector: Remote / Unauthenticated HTTP Exploitation
Impact: Full system compromise, data theft, and operational disruption.
Patch Immediately: Apply Oracle’s Critical Patch Update (CPU) for all affected EBS versions (12.2.3–12.2.14). Confirm successful installation by validating patch logs and version outputs.
Restrict Network Exposure: Block external access to Oracle EBS endpoints (/OA_HTML/SyncServlet, /OA_HTML/RF.jsp, /OA_HTML/OA.jsp) and isolate them behind internal networks or VPNs.
Monitor for Exploitation Indicators: Detect suspicious POST requests, web shell deployments, unexpected HTTPS traffic, and unusual BI Publisher activity via SIEM or EDR tools.
Implement Access Control & Hardening: Enforce least privilege for administrative users, disable legacy BI Publisher features, and audit all privileged account activity.
Prerequisite Patching: Ensure the October 2023 Critical Patch Update (CPU) is applied before installing the CVE-2025-61882 fix.
IPv4 Addresses
200[.]107[.]207[.]26
185[.]181[.]60[.]11
SHA256 Hashes
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b
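The monitoring guidance above (suspicious POST requests to the listed endpoints, unexpected outbound HTTPS traffic) and the indicators in this section can be turned into a simple triage script. The following is an added example written for this page, not tooling from the advisory's authors or from Oracle. It assumes web server access logs in Apache combined log format and a constructed key=value firewall egress format; the sample log lines are constructed for the demonstration, and the only real values in it are the endpoints, IPv4 addresses and SHA256 hashes quoted from the sections above.

```python
"""Triage helper for CVE-2025-61882 exploitation indicators (added example)."""
import hashlib
import re
from dataclasses import dataclass

# Endpoints named in the advisory's network-exposure guidance.
WATCHED_ENDPOINTS = ("/OA_HTML/SyncServlet", "/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp")

# Defanged IoCs as published in the advisory; refanged below for matching.
DEFANGED_IPS = ("200[.]107[.]207[.]26", "185[.]181[.]60[.]11")
KNOWN_BAD_SHA256 = frozenset({
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
})


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 200[.]107[.]207[.]26 into a matchable IP."""
    return indicator.replace("[.]", ".")


KNOWN_BAD_IPS = frozenset(refang(ip) for ip in DEFANGED_IPS)

# Assumed input formats: Apache combined log format for the web tier and a
# constructed "src= dst= dport=" line format for firewall egress records.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
EGRESS_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


@dataclass
class Finding:
    source: str  # "web" or "egress"
    reason: str
    line: str


def parse_access_line(line: str):
    """Return the parsed fields of a combined-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Flag POSTs to the watched EBS endpoints, traversal patterns (CWE-22) and known-bad sources."""
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in WATCHED_ENDPOINTS:
            findings.append(Finding("web", f"POST to watched endpoint {path}", line))
        if "../" in rec["path"] or "%2e%2e" in rec["path"].lower():
            findings.append(Finding("web", "path traversal pattern in request path", line))
        if rec["ip"] in KNOWN_BAD_IPS:
            findings.append(Finding("web", f"request from known-bad IP {rec['ip']}", line))
    return findings


def scan_egress_log(lines):
    """Flag outbound connections from the EBS tier to the advisory's IPv4 indicators."""
    findings = []
    for line in lines:
        m = EGRESS_RE.search(line)
        if m and m.group("dst") in KNOWN_BAD_IPS:
            reason = f"outbound connection to known-bad IP {m.group('dst')} on port {m.group('dport')}"
            findings.append(Finding("egress", reason, line))
    return findings


def is_known_bad_file(data: bytes) -> bool:
    """True when the SHA256 of the given file content matches a published hash."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


# Constructed sample input; addresses other than the IoCs are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [06/Oct/2025:09:14:03 +0000] "GET /OA_HTML/OA.jsp?page=HomePG HTTP/1.1" 200 5120',
    '203.0.113.45 - - [06/Oct/2025:09:15:11 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312',
    '185.181.60.11 - - [06/Oct/2025:09:15:12 +0000] "POST /OA_HTML/RF.jsp HTTP/1.1" 200 88',
    '203.0.113.45 - - [06/Oct/2025:09:15:40 +0000] "GET /OA_HTML/../../etc/passwd HTTP/1.1" 403 0',
    "not a log line",
]
SAMPLE_EGRESS_LOG = [
    "2025-10-06T09:16:02Z src=10.0.0.21 dst=200.107.207.26 dport=443 proto=tcp action=allow",
    "2025-10-06T09:16:05Z src=10.0.0.21 dst=198.51.100.7 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG) + scan_egress_log(SAMPLE_EGRESS_LOG):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

Run against real logs by replacing the sample lists with file contents; the web scan deliberately matches the endpoint path exactly after stripping the query string, so a hit on a variant path is a signal to widen the watch list rather than a false negative to ignore. Hash matching should be applied to files in the web tier's writable directories, since the advisory ties the campaign to web shell deployment.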
Tactics
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0010 Exfiltration
TA0040 Impact
TA0042 Resource Development
Techniques
T1190 – Exploit Public-Facing Application
T1203 – Exploitation for Client Execution
T1059 – Command and Scripting Interpreter
T1071 / T1071.001 – Application Layer Protocol / Web Protocols
T1105 – Ingress Tool Transfer
T1505 / T1505.003 – Server Software Component / Web Shell
T1588 / T1588.005 / T1588.006 – Obtain Capabilities: Exploits & Vulnerabilities
T1068 – Exploitation for Privilege Escalation
T1078 – Valid Accounts
T1210 – Exploitation of Remote Services
T1041 – Exfiltration Over C2 Channel
T1486 – Data Encrypted for Impact