CVE-2025-61882 — Oracle E-Business Suite Unspecified Vulnerability

CVE-2025-61882

Oracle E-Business Suite — Pre-Auth RCE in BI Publisher / Concurrent Processing; Cl0p Zero-Day Campaign

What is Oracle E-Business Suite?

Oracle E-Business Suite (EBS) is one of the world's most widely deployed enterprise resource planning (ERP) platforms, used by thousands of organizations globally for financials, HR, supply chain, and procurement. EBS is deeply integrated into business operations, processing payroll, invoices, purchase orders, and sensitive financial data. It includes Oracle Concurrent Processing (the batch job processing engine) and integrates with Oracle Business Intelligence Publisher (BI Publisher) for reporting. Because EBS holds extremely sensitive financial and HR data and is often accessible over the internet for remote users, it is a high-value target for ransomware and data extortion groups.

Overview

CVE-2025-61882 is a critical improper authentication vulnerability (CWE-287) in Oracle E-Business Suite's BI Publisher Integration component. An unauthenticated remote attacker can exploit a multi-step HTTP request chain to bypass authentication and achieve full remote code execution on Oracle Concurrent Processing servers. The Cl0p ransomware group (Graceful Spider) exploited this as a zero-day starting on 9 August 2025 — approximately two months before Oracle issued an emergency patch. CISA flagged ransomwareUse: true in the KEV entry, and the campaign resulted in data theft and extortion across multiple victim organizations.

Affected Versions

Product | Vulnerable | Fixed
Oracle E-Business Suite 12.2.3 through 12.2.14 | All builds before the Oct 4, 2025 patch | Emergency out-of-band patch (Oct 4, 2025)
Older EBS versions (12.1.x and earlier) | Likely affected (unsupported) | No patch — must upgrade

Note: Applying the patch requires the Oracle October 2023 CPU as a prerequisite.

Technical Details

The exploit chain (CWE-287: Improper Authentication) consists of multiple HTTP requests that together bypass authentication and achieve code execution:

  1. Authentication bypass: HTTP POST to /OA_HTML/SyncServlet triggers an unauthenticated session initialization flaw, bypassing Oracle's login requirements.
  2. Template upload: Requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp navigate to Oracle's XML Publisher Template Manager — an administrative reporting tool accessible post-bypass.
  3. RCE via XSLT: A malicious XSLT stylesheet is uploaded as a report template. When the template is processed by Oracle's XML Publisher engine, the XSLT executes arbitrary OS commands in the context of the Oracle application server. Alternatively, attackers used UiServlet paths for payload delivery.

Post-exploitation: attackers planted web shells on compromised EBS servers for persistent access, enabling ongoing data exfiltration of financial records, HR data, and business intelligence reports.

Discovery

CrowdStrike identified the zero-day campaign and the vulnerability during incident response engagements. Google Cloud / Mandiant also published independent analysis.

Exploitation Context

Cl0p (Graceful Spider, TA505, FIN11) — a prolific Russian-speaking ransomware and data extortion group — exploited CVE-2025-61882 as a zero-day starting 9 August 2025, approximately two months before Oracle's patch. On 29 September 2025, Cl0p began contacting victim organizations via email, claiming to hold stolen EBS data and threatening publication. Oracle issued an emergency out-of-band patch on 4 October 2025 — a rare move, reflecting the severity of active exploitation. CISA added CVE-2025-61882 to the KEV catalog on 6 October 2025 with the ransomwareUse: true flag. Cl0p's EBS campaign follows its prior mass-exploitation of MOVEit (2023) and GoAnywhere (2023), continuing the group's pattern of targeting enterprise data repositories.

Remediation

  1. Apply Oracle's emergency patch immediately — download from Oracle Support (MOS) and follow the installation guide. Note the prerequisite: the Oracle October 2023 CPU must be applied first.
  2. Verify patch application using Oracle's patch detection tools to ensure all components (BI Publisher, Concurrent Processing, SyncServlet) are updated.
  3. Hunt for web shells: search the EBS application server directories for unexpected .jsp, .war, or script files, particularly in OA_HTML and related directories.
  4. Review access logs for requests to /OA_HTML/SyncServlet, /OA_HTML/RF.jsp, and UiServlet from unexpected source IPs — especially if occurring before October 2025.
  5. Check for new OS-level files or scheduled tasks planted by attackers on the Concurrent Processing tier.
  6. Restrict internet access to Oracle EBS — the application should not be directly internet-accessible. Place it behind a reverse proxy with MFA enforced.
  7. Engage Oracle Support and CrowdStrike / Mandiant if compromise is suspected — specialized EBS forensic expertise is needed for thorough investigation.
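One way to carry out the log review in step 4, as an added example that is not part of this advisory or of Oracle's tooling: a Python script that scans access-log lines for the request paths named above, ignores expected source IPs, and marks every hit dated before Oracle's 4 October 2025 patch. The Apache/OHS combined log format, the sample lines and the IP addresses are assumptions constructed for the example; the page gives only the servlet name UiServlet, so it is matched as a path substring.

```python
import re
from datetime import datetime, timezone

# Request paths this advisory names in the CVE-2025-61882 chain.
INDICATOR_PATHS = ("/OA_HTML/SyncServlet", "/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp", "UiServlet")
# Oracle's emergency patch date: any hit earlier than this predates every available fix.
PATCH_DATE = datetime(2025, 10, 4, tzinfo=timezone.utc)

# Assumed Apache/OHS combined format: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
203.0.113.7 - - [12/Aug/2025:03:14:09 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 2048
10.0.5.20 - - [15/Oct/2025:09:00:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 1024
10.0.5.20 - - [15/Oct/2025:09:00:05 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
this line is not in the expected format and is skipped
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")  # timezone-aware
    return rec

def find_suspicious(lines, expected_ips=frozenset()):
    """Indicator-path requests from sources outside expected_ips (e.g. known internal gateways)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in expected_ips:
            continue
        if not any(p in rec["path"] for p in INDICATOR_PATHS):
            continue
        # Cl0p exploited this as a zero-day from 9 Aug 2025, so pre-patch hits need priority triage.
        rec["pre_patch"] = rec["ts"] < PATCH_DATE
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG.splitlines(), expected_ips={"10.0.5.20"}):
        flag = "PRE-PATCH" if h["pre_patch"] else "post-patch"
        print(f'{h["ts"]:%Y-%m-%d} {h["ip"]:<14} {h["method"]:<5} {h["path"]} ({flag})')
```

Point it at the real OHS access logs on the EBS web tier and treat every pre-patch hit from an unexpected source as a trigger for the web-shell hunt in step 3.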

Key Details

CVE ID: CVE-2025-61882
Vendor / Product: Oracle — E-Business Suite
NVD Published: 2025-10-05
NVD Last Modified: 2025-10-27
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-287
CISA KEV Added: 2025-10-06
CISA KEV Deadline: 2025-10-27
Known Ransomware Use: Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-10-27. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2025-08-09: First confirmed exploitation of this zero-day by Cl0p (Graceful Spider) — approximately 2 months before CVE assignment
2025-09-29: Cl0p begins emailing victim organizations claiming EBS data theft
2025-10-04: Oracle releases emergency out-of-band patch
2025-10-05: CVE published
2025-10-06: CISA adds to Known Exploited Vulnerabilities catalog (ransomwareUse: true)
2025-10-27: CISA BOD 22-01 remediation deadline