CrowdStrike ties Oracle EBS RCE (CVE-2025-61882) to Cl0p; attacks began Aug 9, 2025

CrowdStrike links Oracle EBS flaw CVE-2025-61882 (CVSS 9.8) to Cl0p, enabling unauthenticated RCE, first exploited on August 9, 2025.

CrowdStrike researchers attributed with moderate confidence the exploitation of Oracle E-Business Suite flaw CVE-2025-61882 (CVSS 9.8) to the Cl0p group, also known as Graceful Spider. The critical bug allows unauthenticated remote code execution, with the first known attacks traced back to August 9, 2025.

“CrowdStrike Intelligence assesses with moderate confidence that GRACEFUL SPIDER is likely involved in this campaign but cannot rule out the possibility that multiple threat actors have exploited CVE-2025-61882,” reads the report published by CrowdStrike. “The first known exploitation occurred on August 9, 2025; however, investigations remain ongoing, and this date is subject to change.”

This week Oracle released an emergency patch to address this critical flaw in its E-Business Suite.

“Updated [10/04/2025]: Oracle has issued Oracle Security Alert Advisory – CVE-2025-61882 to provide updates against additional potential exploitation that were discovered during our investigation.” reads the alert published by the company. “We strongly recommend Oracle E-Business Suite (EBS) customers apply the guidance provided by this Security Alert as soon as possible.”

The flaw was exploited by the Cl0p ransomware group in data theft attacks. Unauthenticated remote attackers can exploit the flaw to take control of the Oracle Concurrent Processing component.

CVE-2025-61882 affects Oracle E-Business Suite 12.2.3–12.2.14 (BI Publisher Integration); experts warn it is easily exploitable via HTTP.

“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution.” reads the advisory. “Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”

CrowdStrike warns that the disclosure of a POC on October 3 and Oracle’s CVE-2025-61882 patch will almost certainly spur threat actors, especially those familiar with Oracle EBS, to develop weaponized POCs and target Internet-exposed EBS instances.

On September 29, 2025, the Cl0p group emailed organizations claiming Oracle EBS data theft. On October 3, a Telegram channel tied to Scattered Spider, Slippy Spider (Lapsus$) and ShinyHunters posted a purported Oracle EBS exploit and criticized the Cl0p group. Its origin and reuse are unclear; however, Oracle published the POC as an IOC, and it aligns with the observed servlet-based exploitation.

“While analysis is ongoing, the purported POC appears to align with at least some of the observed exploitation, including activity leveraging Java Servlets for exploitation,” continues CrowdStrike.

CrowdStrike observed activity starting with an HTTP POST to /OA_HTML/SyncServlet to bypass authentication (sometimes abusing an admin EBS account). Attackers then target Oracle’s XML Publisher Template Manager, using /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload a malicious XSLT template whose preview executes commands. The template names recorded in xdo_templates_vl match those referenced in the request URLs. Successful execution opens an outbound TLS (port 443) connection to attacker infrastructure, which is used to load web shells for command execution and persistence.

In some cases, attackers use two files: FileUtils.java, which downloads the second file, and Log4jConfigQpgsubFilter.java, which acts as the backdoor. Together, they install a web shell that is triggered when someone visits a public help URL (/OA_HTML/help/...). The web shell runs code directly in memory, letting the attacker execute commands without writing files to disk.
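The request sequence CrowdStrike describes (a POST to SyncServlet, then hits on the XML Publisher template endpoints, then requests to the public help path) is something a defender can look for in EBS web-tier access logs. The following detector is an added example written for this article; it is not CrowdStrike's, Oracle's or Resecurity's code. It assumes a Common Log Format-style access log (the real EBS/Apache layout may differ; adjust LOG_RE), and the sample log lines, client IPs and time window are constructed. Because SyncServlet, RF.jsp and OA.jsp are also used legitimately, it alerts on the ordered chain per client rather than on any single endpoint.

```python
"""Flag Oracle EBS clients whose access-log requests follow the chain reported
by CrowdStrike: POST /OA_HTML/SyncServlet -> /OA_HTML/RF.jsp or /OA_HTML/OA.jsp
-> /OA_HTML/help/... . Added example; log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Common Log Format with an RFC 3164-style timestamp; adapt to your log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Chain stages taken from the article's description of the observed activity.
STAGE_AUTH_BYPASS = "sync_servlet_post"
STAGE_TEMPLATE_UPLOAD = "xml_publisher_template"
STAGE_WEBSHELL = "help_url_webshell"

# Constructed sample lines: one client walking the full chain, one ordinary
# user browsing help, and one lone SyncServlet POST (legitimate use, no follow-up).
SAMPLE_LOG = """\
198.51.100.7 - - [09/Aug/2025:10:01:02 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
198.51.100.7 - - [09/Aug/2025:10:01:09 +0000] "POST /OA_HTML/RF.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [09/Aug/2025:10:01:15 +0000] "GET /OA_HTML/OA.jsp?page=constructed HTTP/1.1" 200 3122
198.51.100.7 - - [09/Aug/2025:10:02:40 +0000] "GET /OA_HTML/help/constructed/path HTTP/1.1" 200 77
203.0.113.5 - - [09/Aug/2025:10:05:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4321
203.0.113.5 - - [09/Aug/2025:10:05:30 +0000] "GET /OA_HTML/help/ HTTP/1.1" 200 4321
192.0.2.9 - - [09/Aug/2025:11:00:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
"""


def classify(method, path):
    """Map a request to a chain stage by path only (query string ignored)."""
    p = path.split("?", 1)[0].lower()
    if method == "POST" and p == "/oa_html/syncservlet":
        return STAGE_AUTH_BYPASS
    if p in ("/oa_html/rf.jsp", "/oa_html/oa.jsp"):
        return STAGE_TEMPLATE_UPLOAD
    if p.startswith("/oa_html/help/"):
        return STAGE_WEBSHELL
    return None


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_chains(lines, window=timedelta(minutes=30)):
    """Return {client_ip: [stages seen, in order]} for clients that POST to
    SyncServlet and then reach a template endpoint within `window`.
    A later help-URL hit is recorded as a third stage (possible web shell use)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec["method"], rec["path"])
        if stage:
            by_ip[rec["ip"]].append((rec["ts"], stage))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        seen, start = [], None
        for ts, stage in events:
            if stage == STAGE_AUTH_BYPASS and start is None:
                start = ts  # chain only counts once the auth-bypass step is seen
                seen.append(stage)
            elif start is not None and ts - start <= window and stage not in seen:
                seen.append(stage)
        if STAGE_AUTH_BYPASS in seen and STAGE_TEMPLATE_UPLOAD in seen:
            findings[ip] = seen
    return findings


if __name__ == "__main__":
    for ip, stages in find_chains(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {' -> '.join(stages)}")
```

A hit from this detector is a starting point, not a verdict: corroborate it with the template names in xdo_templates_vl, outbound 443 connections from the EBS host around the same time, and any unexpected Java sources on the application tier.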

“CrowdStrike Intelligence assesses that one or more threat actors have almost certainly leveraged a novel zero-day vulnerability (now tracked as CVE-2025-61882) in the mass exploitation campaign discussed in this article. This assessment is made with high confidence based on the observed exploitation, an initial review of the uploaded POC, and Oracle’s October 4, 2025 security advisory,” concludes CrowdStrike.

Resecurity’s HUNTER team released a separate, comprehensive analysis of the malicious payloads that threat actors planted as a result of the exploitation. CL0P’s attacks exploit a server-side chain, using SSRF and CRLF injection to force EBS servers to fetch and execute malicious XSL payloads, achieving remote code execution (RCE) without disk-based artifacts. Attackers also leverage compromised mailboxes to abuse EBS local-account password-reset flows, bypassing SSO/MFA protections to steal credentials and exfiltrate sensitive data.

This week, US CISA also added the vulnerability CVE-2025-61882 to its Known Exploited Vulnerabilities catalog. CISA orders federal agencies to fix the flaw by October 27, 2025.


Pierluigi Paganini

(SecurityAffairs – hacking, Oracle)
