Cyber Web Spider Blog – News

CrowdStrike Warns of New Mass Exploitation Campaign Leveraging Oracle E-Business Suite 0-Day

Posted on October 7, 2025 By CWS

A widespread campaign has been observed exploiting a novel zero-day vulnerability in Oracle E-Business Suite (EBS) applications, now tracked as CVE-2025-61882.

First observed on August 9, 2025, this unauthenticated remote code execution (RCE) flaw is being weaponized to bypass authentication, deploy web shells, and exfiltrate sensitive data from internet-exposed EBS instances.

CrowdStrike assesses with moderate confidence that the threat actor GRACEFUL SPIDER is behind the mass exploitation, though evidence suggests additional actors may also be involved.

Mass Exploitation Campaign

On September 29, 2025, GRACEFUL SPIDER allegedly sent Clop-branded emails to multiple organizations claiming successful data theft from Oracle EBS applications.

Shortly after the October 3, 2025 proof-of-concept (POC) disclosure and Oracle’s patch release, a Telegram channel post hinted at collaboration between SCATTERED SPIDER, SLIPPY SPIDER, and the ShinyHunters group.

The post included a purported EBS exploit with SHA256 hash 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d and criticized GRACEFUL SPIDER’s techniques.

Oracle’s advisory included this POC as an indicator of compromise (IOC), implying vendor concerns over in-the-wild exploitation.

CrowdStrike has observed activity leveraging Java Servlets for initial compromise, indicating that the POC aligns closely with observed intrusions.

Despite ongoing investigation into the exploit’s provenance and distribution, the timing of the public POC release and patch deployment is likely to spur further weaponization by adversaries familiar with Oracle EBS.

The exploit begins with an HTTP POST request to /OA_HTML/SyncServlet, triggering the authentication bypass. Confirmed incidents show adversaries leveraging administrative account privileges within EBS.

Following the bypass, attackers target the XML Publisher Template Manager via GET /OA_HTML/RF.jsp and POST /OA_HTML/OA.jsp to upload a malicious XSLT template.

Commands embedded in the template execute when the template is previewed; sample GET and POST requests used to upload and preview the payload have been captured.

Template names retrieved from the xdo_templates_vl view correspond to TemplateCode URL references.

Successful template execution establishes an outbound connection from the Java process over port 443 to attacker-controlled infrastructure.

Analysis indicates this channel is used to load web shells, typically via a two-step process: loading FileUtils.java to download a secondary backdoor, Log4jConfigQpgsubFilter.java.

The backdoor engages through a doFilter chain on the public endpoint /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/, enabling command execution and persistence.

CrowdStrike Intelligence emphasizes that CVE-2025-61882 presents a significant remote code execution (RCE) risk to Oracle EBS environments.

Organizations are urged to apply the October 4, 2025, patch immediately, audit outbound connections for suspicious activity, review xdo_templates_vl for unauthorized templates, check icx_sessions for UserID 0 and UserID 6 anomalies, and deploy web application firewalls to protect exposed EBS services.

Monitoring for Java process behaviors consistent with published Falcon LogScale and SIEM detection rules can further mitigate ongoing exploitation risks.
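
The request sequence described in this article can be hunted for in web-tier access logs by correlating the three endpoints per client IP. The script below is an added example, not a CrowdStrike or Oracle detection rule; the common log format, the 30-minute window, the `TemplateCode` query parameter name and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/OHS common log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [07/Oct/2025:10:00:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
198.51.100.7 - - [07/Oct/2025:10:00:09 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 302 0
198.51.100.7 - - [07/Oct/2025:10:00:15 +0000] "POST /OA_HTML/OA.jsp?TemplateCode=EXAMPLE01 HTTP/1.1" 200 2048
203.0.113.20 - - [07/Oct/2025:10:01:00 +0000] "POST /OA_HTML/OA.jsp?page=home HTTP/1.1" 200 900
203.0.113.21 - - [07/Oct/2025:10:02:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# Ordered stages from the article: auth bypass, Template Manager access, template upload/preview.
STAGES = [("POST", "/OA_HTML/SyncServlet"), ("GET", "/OA_HTML/RF.jsp"), ("POST", "/OA_HTML/OA.jsp")]
WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per environment

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target = m.groups()
        url = urlsplit(target)
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, when, method.upper(), url.path, parse_qs(url.query)

def find_chains(log_text):
    """Return {client_ip: {"stage": n, "template_codes": [...]}} for clients that POSTed to SyncServlet."""
    state = defaultdict(lambda: {"stage": 0, "start": None, "template_codes": []})
    for ip, ts, method, path, query in sorted(parse(log_text), key=lambda e: e[1]):
        s = state[ip]
        if s["stage"] and ts - s["start"] > WINDOW:
            s.update(stage=0, start=None, template_codes=[])  # chain expired, start over
        if s["stage"] < len(STAGES) and (method, path) == STAGES[s["stage"]]:
            if s["stage"] == 0:
                s["start"] = ts
            s["stage"] += 1
        if s["stage"] == len(STAGES) and path == "/OA_HTML/OA.jsp":
            # Collect template codes so they can be compared with xdo_templates_vl.
            s["template_codes"] += query.get("TemplateCode", [])
    return {ip: {"stage": s["stage"], "template_codes": s["template_codes"]}
            for ip, s in state.items() if s["stage"] > 0}

if __name__ == "__main__":
    for ip, hit in find_chains(SAMPLE_LOG).items():
        print(ip, hit)
```

A client at stage 3 completed the full sequence and its collected template codes are candidates to look up in xdo_templates_vl; a client at stage 1 only touched SyncServlet and still merits review.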
