What is Oracle E-Business Suite?
Oracle E-Business Suite (EBS) is one of the world's most widely deployed enterprise ERP platforms, used by large organizations in finance, manufacturing, healthcare, and government to manage financial accounting, supply chain, HR, and customer management. EBS deployments typically contain sensitive financial records, employee data, intellectual property, and contractual information — making them high-value targets for both data theft and extortion.
Overview
CVE-2025-61884 is a server-side request forgery (SSRF) vulnerability in the Oracle Configurator component of Oracle E-Business Suite 12.2. The SSRF in the /OA_HTML/configurator/UiServlet endpoint was exploited as part of a sophisticated attack chain that combines CRLF injection and XSL template injection via Oracle's XDO Template Manager to achieve unauthenticated remote code execution. Mandiant/Google GTIG tracked a large-scale Cl0p-affiliated extortion campaign (UNC5936/FIN11 cluster) that began September 29, 2025, deploying the SAGE malware framework post-exploitation. CISA confirmed active exploitation and flagged the KEV entry with ransomwareUse: true.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Oracle E-Business Suite 12.2.3–12.2.14 | Configurator component | Emergency patch October 4, 2025; additional patch October 11, 2025 |
Technical Details
The attack chain exploits multiple vulnerabilities in Oracle EBS's Configurator and Template Manager components:
Step 1 — SSRF via UiServlet (/OA_HTML/configurator/UiServlet):
The return_url parameter is not validated server-side, allowing an unauthenticated attacker to inject arbitrary URLs. The server makes outbound requests to the attacker-specified URL — enabling internal network probing and SSRF against cloud metadata services.
Step 2 — CRLF injection: Carriage return/line feed characters injected into the URL parameter are not sanitized, enabling HTTP response splitting and further manipulation of server-side requests.
Step 3 — XSL template injection via SyncServlet:
Oracle's XDO Template Manager SyncServlet endpoint processes XSL (XSLT) templates. The attacker uploads a malicious XSL template that uses Java reflection (javax.script.ScriptEngineManager) to instantiate and execute JavaScript code server-side, achieving RCE.
SAGE malware framework deployed post-exploitation:
- SAGEGIFT: Java reflective loader
- SAGELEAF: Servlet filter injector for persistent HTTP-based access
- SAGEWAVE: Java downloader for additional payloads
- GOLDVEIN: Java-based downloader for follow-on tools
Discovery
Google Threat Intelligence Group (GTIG) and Mandiant began tracking the active exploitation campaign on September 29, 2025. The exploit chain was leaked publicly on the Telegram channel "SCATTERED LAPSUS$ HUNTERS" on October 3, 2025, triggering an emergency Oracle patch the following day.
Exploitation Context
A large-scale extortion campaign attributed to a UNC5936/FIN11 cluster (Cl0p-affiliated) began September 29, 2025, targeting Oracle EBS customers across finance, healthcare, manufacturing, and government sectors. Hundreds to thousands of compromised third-party accounts were used to send mass extortion emails to executives claiming Oracle EBS data theft. SAGE malware enables persistent access and data exfiltration from EBS environments.
The ransomwareUse: true flag reflects confirmed data theft and extortion operations, not necessarily file-encrypting ransomware deployment.
Remediation
- Apply Oracle emergency patches from October 4 and October 11, 2025 immediately. The CISA deadline was November 10, 2025.
- Follow Oracle's specific mitigation guidance in the security alert — Oracle may require additional configuration steps beyond patch application.
- Hunt for SAGE malware components: look for unexpected Java servlet filter registrations (web.xml modifications), new JSP/JSPX files in the EBS web directories, and unusual outbound Java process connections.
- Rotate all EBS credentials: database connection passwords, application user accounts, API integration credentials, and any credentials stored in EBS that could enable lateral movement.
- Review EBS access logs for requests to /OA_HTML/configurator/UiServlet and SyncServlet with unusual parameters from unexpected source IPs.
- Engage Oracle support if your EBS installation was internet-accessible during the September–October 2025 window — treat it as potentially compromised until forensically cleared.
- Notify legal counsel and compliance teams — EBS stores financial records and employee data; breach notification obligations may apply.
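As an added example (not from this page, and not Oracle's code), the log review in the Remediation list and the SSRF/CRLF indicators from the Technical Details section can be combined into a small triage script over access-log lines. It assumes Apache/OHS combined log format, an allow-list of the EBS tier's own hostnames and a trusted admin source range; the sample log lines and the SyncServlet path are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Apache/OHS-style combined log; only the source IP and request target are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

# Assumptions for this example: hosts the EBS tier may legitimately return to,
# and the source range from which admin traffic to these servlets is expected.
OWN_HOSTS = {"ebs.corp.example"}
TRUSTED_SOURCES = (ip_network("10.0.0.0/8"),)
CLOUD_METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}

def findings_for(ip, target, trusted_sources=TRUSTED_SOURCES, own_hosts=OWN_HOSTS):
    """Return tags saying why one request is suspicious, or [] if it looks benign."""
    path, _, query = target.partition("?")
    if not (path.endswith("/configurator/UiServlet") or path.endswith("SyncServlet")):
        return []
    tags = []
    if not any(ip_address(ip) in net for net in trusted_sources):
        tags.append("unexpected_source")
    # parse_qs percent-decodes, so an injected %0d%0a surfaces as real CR/LF bytes.
    for url in parse_qs(query, keep_blank_values=True).get("return_url", []):
        if "\r" in url or "\n" in url:
            tags.append("crlf_in_return_url")
        host = urlsplit(url.replace("\r", "").replace("\n", "")).hostname
        if host in CLOUD_METADATA_HOSTS:
            tags.append("cloud_metadata_target")
        elif host and host not in own_hosts:
            tags.append("offhost_return_url")
    return tags

def scan(log_text):
    """Return (line_no, source_ip, tags) for every suspicious line in log_text."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m and (tags := findings_for(m["ip"], m["target"])):
            hits.append((n, m["ip"], tags))
    return hits

# Constructed sample lines (not real traffic); the SyncServlet path is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Sep/2025:02:14:11 +0000] "GET /OA_HTML/configurator/UiServlet?return_url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "curl/8.4"
10.20.0.5 - - [30/Sep/2025:09:01:03 +0000] "GET /OA_HTML/configurator/UiServlet?return_url=/OA_HTML/OA.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Sep/2025:02:14:20 +0000] "GET /OA_HTML/configurator/UiServlet?return_url=http://evil.example%0d%0aX-Injected:%201 HTTP/1.1" 302 0 "-" "curl/8.4"
203.0.113.7 - - [30/Sep/2025:02:15:40 +0000] "POST /OA_HTML/xdo/SyncServlet HTTP/1.1" 200 128 "-" "curl/8.4"
198.51.100.4 - - [30/Sep/2025:10:00:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
```

Run `scan(SAMPLE_LOG)` to see which lines are flagged and why; a relative return_url from the trusted range produces no finding, while an off-host, metadata or CR/LF-bearing value does.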
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-61884 |
| Vendor / Product | Oracle — E-Business Suite |
| NVD Published | 2025-10-12 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Severity | HIGH |
| CWE | CWE-22 |
| CISA KEV Added | 2025-10-20 |
| CISA KEV Deadline | 2025-11-10 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2025-09-29 | Google GTIG/Mandiant begins tracking mass exploitation campaign |
| 2025-10-03 | Full exploit chain leaked on Telegram channel 'SCATTERED LAPSUS$ HUNTERS' |
| 2025-10-04 | Oracle releases emergency patches |
| 2025-10-12 | CVE published |
| 2025-10-20 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-11-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Oracle Security Alert for CVE-2025-61884 | Vendor Advisory |
| NVD — CVE-2025-61884 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Mandiant/Google — Oracle E-Business Suite Zero-Day Exploitation | Security Research |
| Bleeping Computer — CISA Confirms Oracle EBS SSRF Flaw Exploitation | News |