
Oracle Quietly Patches Critical Zero-Day Exposed by Hackers

Summary

– Oracle silently fixed CVE-2025-61884, a pre-authentication SSRF vulnerability in Oracle E-Business Suite that was actively exploited and for which a public proof-of-concept exploit had been leaked by ShinyHunters.
– The Clop ransomware gang exploited a different Oracle EBS flaw in data theft attacks; Oracle initially said it was a vulnerability patched in July 2025 but later addressed it with an emergency patch for CVE-2025-61882.
– Oracle’s advisory for CVE-2025-61882 incorrectly listed indicators of compromise from the ShinyHunters exploit, creating confusion about which vulnerability corresponded to which exploit.
– Researchers confirmed the weekend security update for CVE-2025-61884 fixed the SSRF component of the leaked exploit by validating attacker-supplied URLs with a strict regular expression.
– Oracle repeatedly declined to comment on the active exploitation, patch details, or mismatched indicators, leaving customers and researchers to rely on independent analysis for clarification.

Oracle has urgently addressed a critical security vulnerability within its Oracle E-Business Suite, identified as CVE-2025-61884, following its active exploitation by cybercriminals. The flaw, a pre-authentication Server-Side Request Forgery (SSRF), was publicly exposed when the ShinyHunters extortion group leaked a functional proof-of-concept exploit. Oracle responded with an out-of-band security update over the weekend, warning that the vulnerability could allow unauthorized access to sensitive resources without requiring login credentials. Despite these actions, the company did not initially disclose that attacks were already underway or that a working exploit had been made public.

Multiple cybersecurity researchers and customers, along with BleepingComputer, verified that the recent update resolves the SSRF issue targeted by the leaked exploit. Oracle’s advisory states the vulnerability is “remotely exploitable without authentication,” potentially enabling attackers to reach protected assets over the network. However, Oracle repeatedly declined to comment when asked about the active exploitation and its delayed public acknowledgment.

The situation is further complicated by a separate extortion campaign traced to the Clop ransomware group, which claimed to have exploited a different Oracle EBS flaw in data theft attacks. Clop informed BleepingComputer they were responsible for emails sent to companies alleging data breaches, boasting they had uncovered a new Oracle vulnerability. Oracle initially responded by stating Clop was exploiting a flaw patched in July 2025 and urged customers to install the latest Critical Patch Updates.

Shortly afterward, a second threat actor collective known as Scattered Lapsus$ Hunters, or ShinyHunters, released their own Oracle EBS exploit via Telegram, using it to extort Salesforce customers. Oracle later confirmed a new zero-day, CVE-2025-61882, and issued an emergency patch on October 5. Notably, Oracle’s advisory included indicators of compromise linked to the ShinyHunters exploit, implying a connection between the two incidents.

Security researchers from watchTowr Labs analyzed the ShinyHunters exploit and confirmed it could achieve unauthenticated remote code execution, primarily targeting the “/configurator/UiServlet” endpoint. Meanwhile, reports from CrowdStrike and Mandiant detailed a separate exploit chain used by Clop, which targeted the “/OA_HTML/SyncServlet” endpoint instead. Mandiant noted that while the October 4 patch for CVE-2025-61882 referenced the UiServlet exploit, they had observed multiple distinct attack chains and could not definitively link them to a single vulnerability.
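Because the two exploit chains hit different endpoints, a quick triage step is to sweep web-tier access logs for both paths. The scanner below is an added example written for this page, not code from BleepingComputer, Oracle, watchTowr, Mandiant or CrowdStrike; the log lines are constructed, the labels are this example's own, and the combined-log regular expression assumes the Apache/OHS combined format. It decodes and lower-cases the request path before comparing so that percent-encoded or mixed-case variants of the two servlet paths are still caught.

```python
import re
from urllib.parse import unquote

# Endpoints named in the public analyses: the ShinyHunters chain targets
# /configurator/UiServlet and the Clop chain targets /OA_HTML/SyncServlet.
# Keys are the normalized (decoded, lower-cased) form used for comparison.
WATCHED_PATHS = {
    "/configurator/uiservlet": "ShinyHunters chain (CVE-2025-61884 SSRF)",
    "/oa_html/syncservlet": "Clop chain (CVE-2025-61882)",
}

# Assumption: Apache/OHS combined log format. Only the leading fields are
# needed, so the pattern is anchored at the start and ignores the rest.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(target: str) -> str:
    """Strip the query string, percent-decode twice, collapse '//', lower-case."""
    path = target.split("?", 1)[0]
    # Decoding twice catches double-encoded paths (%2555 -> %55 -> U).
    path = unquote(unquote(path))
    return re.sub(r"/+", "/", path).lower()


def scan_access_log(lines):
    """Return one dict per request that reached a watched endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip, do not crash the sweep
        path = normalize_path(m["target"])
        for watched, label in WATCHED_PATHS.items():
            if path == watched or path.startswith(watched + "/"):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "method": m["method"],
                    "path": path,
                    "status": int(m["status"]),
                    "label": label,
                })
    return hits


def hits_by_source(hits):
    """Group flagged requests by client IP for follow-up."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], []).append(h)
    return by_ip


# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [04/Oct/2025:03:12:44 +0000] "POST /configurator/UiServlet HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '203.0.113.10 - - [04/Oct/2025:03:12:45 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 1024 "-" "python-requests/2.32"',
    '198.51.100.7 - - [04/Oct/2025:03:13:02 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [06/Oct/2025:11:40:19 +0000] "POST /Configurator/%55iServlet HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for ip, rows in hits_by_source(scan_access_log(SAMPLE_LOG)).items():
        print(ip)
        for r in rows:
            print(f"  {r['ts']} {r['method']} {r['path']} {r['status']}  {r['label']}")
```

A 403 on the encoded variant (the last sample line) is what a web-tier block should produce; a 200 on either servlet path from an unfamiliar source before the patch date is the entry worth escalating.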

Analysis of Oracle’s patch for CVE-2025-61882 revealed that it neutralized the Clop exploit by stubbing out the SYNCSERVLET class and implementing mod_security rules to block access to the SyncServlet endpoint and related malicious templates. However, the same update did not address the vulnerability exploited by ShinyHunters, even though it was listed among the IOCs. After installing the patch, researchers confirmed the SSRF portion of the ShinyHunters exploit remained functional.

This past weekend’s update for CVE-2025-61884 finally resolved the SSRF issue by validating attacker-supplied “return_url” parameters using a strict regular expression. Requests containing injected CRLF characters are now blocked, effectively neutralizing this component of the exploit. Despite these fixes, the reasoning behind Oracle’s initial mismatched indicators and staggered patching remains unclear.
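To make the fix concrete, here is an added example (written for this page, not Oracle's patch or its actual regular expression) of the two validation styles side by side: a hypothetical prefix-only check of the kind that lets CRLF injection through, and a strict allow-list check that accepts only a same-site relative path. The pattern, parameter name and limits are this example's assumptions.

```python
import re
from urllib.parse import urlsplit

# Hypothetical weak check: a return_url is "relative" if it starts with '/'.
# Illustrative only; it shows why a prefix test is not validation.
def naive_return_url_check(value: str) -> bool:
    return isinstance(value, str) and value.startswith("/")


# Assumed strict allow-list pattern (not Oracle's): one leading '/', not '//',
# then URL-safe path characters and an optional query string. Nothing else.
RETURN_URL_RE = re.compile(
    r"^/(?!/)[A-Za-z0-9._~%/-]*(?:\?[A-Za-z0-9._~%&=/-]*)?$"
)

MAX_RETURN_URL_LEN = 2048  # assumption: cap to limit regex work on junk input


def is_safe_return_url(value: str) -> bool:
    """True only for a strictly relative, CRLF-free path (assumed policy)."""
    if not isinstance(value, str) or len(value) > MAX_RETURN_URL_LEN:
        return False
    lowered = value.lower()
    # Reject raw and percent-encoded CR/LF explicitly: either would let an
    # attacker inject headers into the request the server makes on its behalf.
    if any(tok in lowered for tok in ("\r", "\n", "%0d", "%0a")):
        return False
    if not RETURN_URL_RE.fullmatch(value):
        return False
    # Defense in depth: the parsed value must carry no scheme and no host,
    # so it can never be resolved to another origin.
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


# Constructed inputs: one legitimate value and typical SSRF/CRLF attempts.
SAMPLES = [
    "/OA_HTML/RF.jsp?function_id=1",            # legitimate relative path
    "http://attacker.example/",                 # absolute URL -> SSRF
    "//attacker.example/",                      # scheme-relative URL -> SSRF
    "/ok\r\nX-Injected: 1",                     # raw CRLF injection
    "/ok%0d%0aX-Injected:%201",                 # encoded CRLF injection
    "/a b",                                     # whitespace: not URL-safe
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} naive={naive_return_url_check(s)!s:5} strict={is_safe_return_url(s)}")
```

Note that the strict check does not try to decode the value first; it simply refuses anything outside the allow-list, so double-encoded payloads are rejected along with everything else that is not a plain path. If the downstream code decodes before use, decode once and re-validate rather than widening the pattern.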

In summary, two distinct exploits have been in circulation: one used by Clop, analyzed by Mandiant and CrowdStrike and addressed under CVE-2025-61882, and the other leaked by ShinyHunters, analyzed by watchTowr Labs and patched under CVE-2025-61884. Oracle has not provided clarification on its patching strategy or the confusion surrounding the IOCs. Mandiant, CrowdStrike, and watchTowr Labs all deferred questions back to Oracle, which has continued to withhold comment.

Oracle E-Business Suite customers are strongly urged to install all recent security updates immediately, especially since technical details and exploit chains are now publicly accessible. For organizations unable to patch right away, implementing a mod_security rule to block access to the “/configurator/UiServlet” endpoint can mitigate the SSRF risk until the update is applied.
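As an added illustration of that interim mitigation (not Oracle's own rule; the rule id, message and transformation choices are this example's assumptions), a ModSecurity rule of the following shape denies the endpoint at the web tier. It lower-cases and URL-decodes the request URI before matching so that mixed-case or percent-encoded variants of the path do not bypass it.

```apache
# Added example: deny /configurator/UiServlet until the CVE-2025-61884
# update is installed. Rule id and message are placeholders; pick an id
# that does not collide with rules already loaded on the host.
SecRuleEngine On

SecRule REQUEST_URI "@beginsWith /configurator/uiservlet" \
    "id:9100001,phase:1,deny,status:403,log,\
    t:none,t:urlDecodeUni,t:lowercase,t:normalizePath,\
    msg:'Blocked /configurator/UiServlet pending Oracle EBS CVE-2025-61884 patch'"
```

Two caveats: this refuses all traffic to the Configurator servlet, legitimate users included, so it only suits environments where that function can be unavailable until the patch lands; and it does nothing for the Clop chain against /OA_HTML/SyncServlet, which the earlier CVE-2025-61882 update covers with its own rules. After reloading, confirm a request to the path returns 403 and appears in the ModSecurity audit log before relying on it.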

(Source: Bleeping Computer)
