Blog

CRITICAL ALERT: Oracle E-Business Suite Zero-Day Vulnerability, CVE-2025-61882, Under Active Exploitation!

Posted by: Peled Eldan & Erez Hasson
October 09, 2025

Overview

Oracle has just disclosed that a critical zero-day vulnerability, tracked as CVE-2025-61882, has been identified in Oracle E-Business Suite (EBS) and is currently being exploited in the wild. This flaw enables unauthenticated Remote Code Execution (RCE) and has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, which signals that immediate action is required.

The Threat

Successful exploitation of CVE-2025-61882 can lead to Remote Code Execution (RCE), allowing attackers to compromise the entire system, potentially exposing credentials (including via password reset malfunctions), and resulting in significant data loss. Given that Oracle EBS handles critical business operations like finance, HR, and procurement, a compromise can be catastrophic, leading to data exfiltration, regulatory breaches, and operational shutdowns.

  • CVSS Score: 9.8 (Critical).
  • Affected Versions: Oracle E-Business Suite versions 12.2.3 through 12.2.14.
  • Active Exploitation: The vulnerability was used as a zero-day and is currently being exploited in the wild, including in suspected ransomware campaigns.
  • Attack Surface: Exposed Oracle E-Business Suite instances accessible over the internet are at the highest risk.

Cl0p Attack Group and Early Exploitation

The urgency surrounding CVE-2025-61882 has significantly increased due to its association with the notorious Cl0p ransomware gang. Threat intelligence, including reports from Charles Carmakal, CTO of Mandiant Consulting, a unit of Google Cloud, suggests Cl0p was exploiting this flaw as a zero-day as early as August 2025.

Cl0p is known for leveraging zero-days, such as their widespread exploitation of the MOVEit file transfer product in 2023. This track record, combined with the criticality of the Oracle E-Business Suite, necessitates immediate action.

The Exploit Chain: A Technical Breakdown

The complexity and skill demonstrated in this exploit chain are notable. Pre-authentication RCE is achieved by chaining five key stages:

  1. Server-Side Request Forgery (SSRF): An unauthenticated, crafted XML request is sent to the /configurator/UiServlet endpoint. This request abuses a weakness to coerce the backend server into making an arbitrary HTTP request, giving the attacker control over the URL.
  2. Carriage Return/Line Feed (CRLF) Injection: By using HTML-encoded newline characters (carriage return and line feed) within the SSRF-controlled URL, the attacker is able to inject arbitrary HTTP headers into the subsequent request made by the server.
  3. HTTP Persistent Connection Reuse: The attacker leverages the CRLF injection and HTTP persistent connections (keep-alive) to control the request framing and reuse the TCP connection for subsequent requests, increasing reliability. This transforms the original GET-based SSRF into a POST-capable SSRF.
  4. Authentication Filter Bypass: The POST-capable SSRF is directed at the internal HTTP service on port 7201/TCP (reachable because Oracle EBS exposes its internal IP via /etc/hosts and the hostname apps.example.com). The exploit chain uses a path traversal technique (/OA_HTML/help/../) to bypass an internal Java application filter that blocks access to sensitive JSPs without authentication.
  5. XSL Transformation (XSLT) RCE: The path traversal bypass grants access to the ieshostedsurvey.jsp file. This file dangerously constructs a URL to download an XSL stylesheet (ieshostedsurvey.xsl) using the attacker-controlled Host: header from the incoming request. Because XSLT processing in Java can invoke extension functions, loading an untrusted XSL stylesheet from the attacker’s server results in Arbitrary Remote Code Execution.

Immediate Recommendations

Oracle has issued an advisory and released necessary patches. Due to the critical nature and active exploitation, immediate action is mandatory:

  1. Prioritize and Apply Patches Immediately: Apply Oracle’s security updates for affected versions 12.2.3 through 12.2.14 immediately.
  2. Harden Network and Access Controls: Ensure Oracle E-Business Suite is not excessively exposed to the internet. Limit access via VPNs, strong authentication, and strict network segmentation.
  3. Enhance Threat Detection and Hunting: Implement detection rules in your SIEM/EDR for:
    • Suspicious HTTP traffic directed at the Oracle Concurrent Processing component.
    • Anomalous authentication or unusual process creation patterns from Oracle services.
    • Traffic smuggling attempts, particularly HTTP requests that involve CRLF injection and connection reuse.
  4. Strengthen Incident Response Protocol: Ensure your Incident Response teams are prepared to identify and contain attacks targeting Oracle EBS. Focus on immediate alerts related to the BI Publisher Integration component showing unusual activity, or any indicators of a potentially successful exploitation.
  5. Address Supply Chain Risk: Conduct a rapid review of your third- and fourth-party vendors to check their exposure to vulnerable Oracle EBS versions, as a compromise in their environment could easily cascade to your organization.
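A defender-side check that ties the detection advice in step 3 back to the chain stages described in the technical breakdown: it scans web access-log lines for the SSRF entry point, CR/LF sequences in URLs, traversal past /OA_HTML/help/, and ieshostedsurvey.jsp requests carrying an unexpected Host header. This is an added example, not code from the post or from XM Cyber; the log layout, the expected hostname and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The layout
# "client method path status host_header" is an assumption of this example.
SAMPLE_LOG = """\
203.0.113.5 POST /configurator/UiServlet 200 ebs.example.com
203.0.113.5 GET /OA_HTML/help/../ieshostedsurvey.jsp 200 203.0.113.5
198.51.100.7 GET /OA_HTML/help/%2e%2e/ieshostedsurvey.jsp?q=a%0d%0ab 200 ebs.example.com
192.0.2.9 GET /OA_HTML/AppsLogin 200 ebs.example.com
"""

# Hostnames the EBS front end legitimately serves (assumed for the example).
EXPECTED_HOSTS = {"ebs.example.com"}
# Stage 2: raw, percent-encoded or HTML-encoded CR/LF has no place inside a URL.
CRLF_RE = re.compile(r"%0d|%0a|&#1[03];|[\r\n]", re.IGNORECASE)
# Stage 4: traversal out of the /OA_HTML/help/ prefix, checked after decoding.
TRAVERSAL_RE = re.compile(r"/OA_HTML/help/\.\./", re.IGNORECASE)

def analyse_request(path, host):
    """Return the chain stages a single request matches (empty list if clean)."""
    reasons = []
    decoded = unquote(path)
    if decoded.lower().startswith("/configurator/uiservlet"):
        reasons.append("stage1: request to /configurator/UiServlet")
    if CRLF_RE.search(path) or CRLF_RE.search(decoded):
        reasons.append("stage2: CR/LF sequence inside URL")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("stage4: traversal past /OA_HTML/help/")
    if "ieshostedsurvey.jsp" in decoded.lower() and host not in EXPECTED_HOSTS:
        reasons.append("stage5: ieshostedsurvey.jsp with unexpected Host header")
    return reasons

def scan_log(log_text):
    """Map each suspicious log line to the list of stages it matched."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip it rather than abort the scan
        _client, _method, path, _status, host = parts
        reasons = analyse_request(path, host)
        if reasons:
            hits[line] = reasons
    return hits

if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

A single stage-1 hit is a weak signal on its own; the same client appearing in stage-4 or stage-5 hits shortly afterwards is what should page the on-call analyst.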

How XM Cyber Can Help with CVE-2025-61882

XM Cyber continually monitors your entire infrastructure. Our research team has developed a technique to help customers identify the CVE-2025-61882 vulnerability within their environments.

XM Cyber’s External Attack Surface Management (XM EASM) enables testing of which external-facing machines are vulnerable to this risk. Using continuous monitoring, automated scanning, and real-time data, XM Cyber EASM discovers and alerts on vulnerable versions of Oracle E-Business Suite. If any are detected, the platform uniquely maps the end-to-end attack path from the external-facing EBS instances into the internal network, highlighting any additional critical assets that could be compromised through them, and provides step-by-step guidance on how to address them.

The XM Cyber Continuous Exposure Management Platform enables customers to clearly understand how this vulnerability, along with other exposures such as misconfigurations and identity issues, can be combined by attackers to compromise their critical assets. This allows proactive, prioritized action along potential attack paths, focusing on choke points where multiple paths converge before reaching critical assets.

As this is an emerging situation, we will update this post as more information becomes available.
