
CVE-2025-61882: Oracle EBS Zero-Day Actively Exploited in the Wild

Red | Vulnerability Report

Summary

A critical zero-day vulnerability, CVE-2025-61882, in Oracle E-Business Suite (EBS) has been exploited in the wild since August 2025, roughly two months before a fix was available. The flaw is in the BI Publisher Integration component of Oracle Concurrent Processing in EBS versions 12.2.3 through 12.2.14 and carries a CVSS v3.1 base score of 9.8. It lets an unauthenticated attacker with HTTP access to the application tier achieve remote code execution (RCE) by sending crafted POST requests and getting a malicious XSLT template processed by the BI Publisher engine, which compromises the EBS application tier and the financial, HR and supply-chain data it holds.

The vulnerability has been exploited by Cl0p ransomware operators in a data-theft and extortion campaign. In October 2025 a collective calling itself “Scattered Lapsus$ Hunters” (a name that combines the Scattered Spider, LAPSUS$ and ShinyHunters brands) leaked a public proof-of-concept (PoC), after which exploitation rose sharply. Attackers now mass-scan for exposed Oracle EBS instances and exploit them automatically, leading to data theft, credential exfiltration and double-extortion campaigns.

CVE-2025-61882 underscores the urgency for enterprises relying on Oracle EBS to patch immediately: internet-facing deployments in particular remain exposed to ongoing automated attacks.


Vulnerability Details

The Oracle EBS Concurrent Processing component contains an input validation flaw in its BI Publisher Integration engine. An attacker sends crafted HTTP POST requests to specific Oracle EBS endpoints, bypasses authentication and uploads a malicious XSLT template. When the BI Publisher service processes that template, the payload embedded in it executes on the Java web server with the privileges of the EBS application tier, giving the attacker remote command execution and full control of the host.

Once a host is compromised, it typically opens outbound HTTPS connections (TCP 443) to attacker-controlled servers, which the attacker uses for persistence, lateral movement and command execution. The low complexity of the exploit has driven widespread scanning, so unpatched instances are high-value targets for ransomware operators and opportunistic attackers alike.

Key Technical Identifiers:

  • CVE ID: CVE-2025-61882

  • CWE IDs: CWE-22 (Path Traversal), CWE-444 (HTTP Request Smuggling)

  • CPE: cpe:2.3:a:oracle:concurrent_processing:*:*:*:*:*:*:*:*

  • Affected Versions: Oracle EBS 12.2.3 to 12.2.14

  • Attack Vector: Remote / Unauthenticated HTTP Exploitation

  • Impact: Full system compromise, data theft, and operational disruption.


Recommendations

  • Patch Immediately: Apply the patches Oracle released for CVE-2025-61882 to all affected EBS versions (12.2.3–12.2.14). Oracle requires the October 2023 Critical Patch Update (CPU) to be in place first, so verify that prerequisite before applying the fix, then confirm the fix by checking the patch logs and the version and patch-inventory outputs on every application-tier node, not only the node the patch was run from.

  • Assume Exposure Means Possible Compromise: Because exploitation began in August 2025, before a fix existed, treat any internet-facing instance that was unpatched during that window as potentially compromised; investigate it with the indicators below before declaring it clean, and rotate credentials that were stored on or used by it.

  • Restrict Network Exposure: Do not expose Oracle EBS directly to the internet; place it behind a VPN or an authenticated reverse proxy. The endpoints seen in exploitation (/OA_HTML/SyncServlet, /OA_HTML/RF.jsp, /OA_HTML/OA.jsp) are also legitimate application entry points, so restrict which sources can reach them rather than disabling them outright, and log every request to them.

  • Monitor for Exploitation Indicators: Hunt in the Oracle HTTP Server access logs for POST requests to those endpoints from unexpected sources, for newly written JSP or other files under the web tier (web shells), for outbound HTTPS connections from the application tier to unknown destinations, and for unusual BI Publisher or concurrent-request activity; feed these into the SIEM or EDR and alert on the IoCs listed below.

  • Implement Access Control & Hardening: Enforce least privilege for administrative and application accounts, disable BI Publisher features and other components that are not in use, and audit all privileged account activity.


Indicators of Compromise (IoCs)

IPv4 Addresses

  • 200[.]107[.]207[.]26

  • 185[.]181[.]60[.]11

SHA256 Hashes

  • 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d

  • aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121

  • 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b
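The monitoring recommendation above and the IoCs in this section, applied to sample data as an added example (illustrative code, not tooling from HivePro or Oracle): the script triages Oracle HTTP Server access-log lines for requests from the listed IP addresses and for external POSTs to the named EBS endpoints, decoding percent-encoding and collapsing “..” segments first so a path-traversal form (CWE-22 is one of the listed weaknesses) does not slip past a literal match, and it compares sha256sum output against the listed hashes. It assumes the access log is in Apache-style combined format and assumes 10.0.0.0/8 and 192.168.0.0/16 as the internal ranges; every log line, file path and benign-file hash below is constructed for the demonstration.

```python
"""
Triage helpers for the indicators in this advisory.
Added example, not code from HivePro or Oracle. Assumes Apache-style combined
access-log lines and that INTERNAL_NETS covers the organisation's own address
space. All sample log lines and sha256sum output are constructed.
"""
import ipaddress
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote

# IoCs from the advisory (the text defangs them with [.]; re-fanged here to match).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}
# EBS endpoints named in the recommendations.
SENSITIVE_PATHS = ("/OA_HTML/SyncServlet", "/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp")
# Assumption: internal address space; any other source counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Combined log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str


def normalize_path(raw: str) -> str:
    """Drop the query string, decode percent-encoding and collapse '..' so that
    /OA_HTML/help/%2e%2e/RF.jsp compares equal to /OA_HTML/RF.jsp."""
    return posixpath.normpath(unquote(raw.split("?", 1)[0]))


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage_access_log(lines: List[str]) -> List[Finding]:
    """Flag any request from a published IoC address (high) and any POST to a
    sensitive EBS endpoint from outside the internal ranges (medium)."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method = m["ip"], m["method"]
        path = normalize_path(m["path"])
        if ip in IOC_IPS:
            findings.append(Finding(n, "high", f"request from IoC address {ip} to {path}"))
        elif method == "POST" and path.startswith(SENSITIVE_PATHS) and not is_internal(ip):
            findings.append(Finding(n, "medium",
                                    f"external POST to {path} from {ip}, status {m['status']}"))
    return findings


def match_sha256sum_output(text: str) -> Dict[str, str]:
    """Compare sha256sum-style output (digest, whitespace, path) with the
    published hashes; returns {path: digest} for every hit."""
    hits: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1].strip()
        if digest in IOC_SHA256:
            hits[path] = digest
    return hits


# Constructed sample data: 203.0.113.7 is an external tester address, the
# /tmp path is made up, and the second digest is simply SHA-256 of an empty file.
SAMPLE_LOG = """\
10.20.30.40 - - [05/Oct/2025:09:12:01 +0000] "GET /OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE HTTP/1.1" 200 5120
203.0.113.7 - - [05/Oct/2025:09:12:44 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 812
200.107.207.26 - - [05/Oct/2025:09:13:02 +0000] "GET /OA_HTML/help/../RF.jsp HTTP/1.1" 200 311
203.0.113.7 - - [05/Oct/2025:09:13:30 +0000] "POST /OA_HTML/help/%2e%2e/RF.jsp HTTP/1.1" 200 920
10.20.30.41 - - [05/Oct/2025:09:14:10 +0000] "POST /OA_HTML/RF.jsp HTTP/1.1" 200 1400
"""
SAMPLE_SHA256SUM = """\
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d  /tmp/poc_archive.zip
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /u01/app/notes.txt
"""

if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no} [{f.severity}] {f.reason}")
    for p, d in match_sha256sum_output(SAMPLE_SHA256SUM).items():
        print(f"IoC hash match: {p} {d}")
```

On the constructed sample this reports lines 2, 3 and 4 (two external POSTs, one of them percent-encoded traversal, and one hit on an IoC address) and the one hash match; the internal POST on line 5 is not flagged. To use it for real, replace the constructed samples with the contents of the access logs and of a `sha256sum` run over recently modified files on the application tier. A medium finding is a lead rather than proof, since partner integrations may legitimately POST to these endpoints from outside the internal ranges, which is why the allow-list of internal networks has to be accurate.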


MITRE ATT&CK TTPs

Tactics

  • TA0001 Initial Access

  • TA0002 Execution

  • TA0003 Persistence

  • TA0004 Privilege Escalation

  • TA0005 Defense Evasion

  • TA0006 Credential Access

  • TA0007 Discovery

  • TA0008 Lateral Movement

  • TA0010 Exfiltration

  • TA0011 Command and Control

  • TA0040 Impact

  • TA0042 Resource Development

Techniques

  • T1190 – Exploit Public-Facing Application

  • T1059 – Command and Scripting Interpreter

  • T1071 / T1071.001 – Application Layer Protocol: Web Protocols

  • T1105 – Ingress Tool Transfer

  • T1505 / T1505.003 – Server Software Component: Web Shell

  • T1588 / T1588.005 / T1588.006 – Obtain Capabilities: Exploits, Vulnerabilities

  • T1068 – Exploitation for Privilege Escalation

  • T1078 – Valid Accounts

  • T1210 – Exploitation of Remote Services

  • T1041 – Exfiltration Over C2 Channel

  • T1486 – Data Encrypted for Impact

