CrowdStrike is tracking a mass exploitation campaign almost certainly leveraging a novel zero-day vulnerability — now tracked as CVE-2025-61882 — targeting Oracle E-Business Suite (EBS) applications for the purposes of data exfiltration.
CrowdStrike Intelligence assesses with moderate confidence that GRACEFUL SPIDER is likely involved in this campaign but cannot rule out the possibility that multiple threat actors have exploited CVE-2025-61882. The first known exploitation occurred on August 9, 2025; however, investigations remain ongoing, and this date is subject to change.
CrowdStrike Intelligence further assesses that the October 3, 2025 proof-of-concept (POC) disclosure and the CVE-2025-61882 patch release will almost certainly encourage threat actors — particularly those familiar with Oracle EBS — to create weaponized POCs and attempt to leverage them against internet-exposed EBS applications.
Details
On September 29, 2025, GRACEFUL SPIDER emailed multiple organizations and claimed they had accessed and exfiltrated data from the victim’s Oracle EBS applications.
In an October 3, 2025 post in one of the Telegram channels insinuating collaboration between SCATTERED SPIDER, SLIPPY SPIDER, and ShinyHunters — a channel participant posted a purported Oracle EBS exploit (SHA256 hash: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d). In their post, the member criticized GRACEFUL SPIDER’s tactics.
How the poster obtained the exploit and whether this actor or any other actors associated with the channel have leveraged this exploit is unclear. Oracle published this POC as an indicator of compromise (IOC) in its CVE-2025-61882 disclosure, suggesting the vendor assesses that the POC has been or may be used for CVE-2025-61882 exploitation. While analysis is ongoing, the purported POC appears to align with at least some of the observed exploitation, including activity leveraging Java Servlets for exploitation.
Unauthenticated RCE Vulnerability (CVE-2025-61882)
On October 4, 2025, Oracle publicly disclosed CVE-2025-61882, a vulnerability impacting Oracle EBS that can result in unauthenticated remote code execution (RCE). While Oracle’s advisory did not explicitly state this vulnerability has been exploited in the wild (ITW), Oracle provided IOCs (such as IP addresses, observed commands, and files) suggesting ITW exploitation [1].
CVE-2025-61882 appears to align with at least some of the exploitation activity CrowdStrike has analyzed thus far.
Authentication Bypass
The observed activity appears to begin with an HTTP POST request to /OA_HTML/SyncServlet, which initiates the authentication-bypass portion of a multi-step exploit chain. On at least one confirmed occasion, authentication bypass was related to an administrative account within EBS.
Code Execution
To achieve code execution, the adversary targeted Oracle’s XML Publisher Template Manager by issuing GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload and execute a malicious XSLT template. Commands in the malicious template are executed when the template is previewed. Figure 1 documents example GET and POST requests used to upload and preview a malicious template.
Figure 1. POST request to preview malicious template
Observed template names retrieved from xdo_templates_vl match the URL references for the TemplateCode (Figure 2).
Figure 2. Example template code references
Successful template execution establishes an outbound connection from the Java web server process to attacker-controlled infrastructure over port 443.
Web Shell Deployment
Initial analysis indicates that, in most incidents, the adversary leveraged the aforementioned outbound connection to remotely load web shell(s) to execute commands and establish persistence. Precisely how this was accomplished is still under investigation.
In one incident, the adversary appears to have set up a similar web shell via a different two-step process:
- Loads FileUtils.java
- This file in turn loads Log4jConfigQpgsubFilter.java
While analysis is ongoing, these files appear to set up a web shell, with FileUtils.java serving as the downloader and Log4jConfigQpgsubFilter.java serving as the backdoor.
The web shell is invoked through a doFilter / filter chain, which triggers the memory-resident code when the public-facing endpoint /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/ is accessed.
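As an added example (not from the CrowdStrike report), the following Python script applies the request chain just described to web-server access logs from a defender's side: it parses combined-format log lines, tracks per source IP whether a POST to /OA_HTML/SyncServlet is followed within a window by requests to /OA_HTML/RF.jsp or /OA_HTML/OA.jsp, flags any request to the web shell endpoint, and collects the TemplateCode values seen in template-manager URLs so they can be handed to a DBA for comparison against xdo_templates_vl. The log lines are constructed, and carrying TemplateCode as a query-string parameter is an assumption made for this example.

```python
"""Added example: scan access logs for the CVE-2025-61882 request chain and
harvest TemplateCode references for a later xdo_templates_vl review.
Sample log lines are constructed; the TemplateCode query parameter is assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WEB_SHELL_PATH = "/OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/"

# Chain stages in the order the report lays them out.
STAGES = (
    ("auth_bypass", {"POST"}, ("/OA_HTML/SyncServlet",)),
    ("template_upload", {"GET", "POST"}, ("/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp")),
    ("web_shell", {"GET", "POST"}, (WEB_SHELL_PATH,)),
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def stage_of(method, path):
    """Map a request to a chain stage name, or None if it is not part of the chain."""
    base = path.split("?", 1)[0]
    for name, methods, prefixes in STAGES:
        if method in methods and any(base.startswith(p) for p in prefixes):
            return name
    return None

def template_codes(path):
    """TemplateCode values in the query string (parameter form assumed for this example)."""
    return parse_qs(urlsplit(path).query).get("TemplateCode", [])

def find_chains(lines, window=timedelta(hours=1)):
    """Return {ip: {"stages": [...], "template_codes": [...]}} for sources that either
    follow an auth-bypass POST with a template-manager request inside `window`,
    or touch the web-shell endpoint at all."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = stage_of(rec["method"], rec["path"])
        if st:
            by_ip[rec["ip"]].append((rec["ts"], st, template_codes(rec["path"])))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        stages, codes, bypass_at, chained = [], [], None, False
        for ts, st, tc in events:
            if st not in stages:
                stages.append(st)
            if st == "auth_bypass":
                bypass_at = ts
            elif st == "template_upload":
                codes.extend(c for c in tc if c not in codes)
                if bypass_at is not None and ts - bypass_at <= window:
                    chained = True
        if chained or "web_shell" in stages:
            flagged[ip] = {"stages": stages, "template_codes": codes}
    return flagged

# Constructed sample: one source walking the full chain, one ordinary user of
# OA.jsp with no preceding bypass, and one source hitting only the web-shell path.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Aug/2025:02:14:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Aug/2025:02:14:09 +0000] "GET /OA_HTML/RF.jsp?TemplateCode=TMPXX_ONE HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Aug/2025:02:14:30 +0000] "POST /OA_HTML/OA.jsp?TemplateCode=TMPXX_ONE HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Aug/2025:02:20:00 +0000] "GET ' + WEB_SHELL_PATH + ' HTTP/1.1" 200 77',
    '203.0.113.9 - - [10/Aug/2025:03:00:00 +0000] "POST /OA_HTML/OA.jsp?TemplateCode=INVOICE HTTP/1.1" 200 900',
    '192.0.2.44 - - [11/Aug/2025:09:30:00 +0000] "GET ' + WEB_SHELL_PATH + ' HTTP/1.1" 200 77',
    'not a log line',
]

if __name__ == "__main__":
    for ip, info in find_chains(SAMPLE_LOG).items():
        print(ip, info)
```

The one-hour window is a tunable: the observed chain moves from bypass to template upload within seconds, but a generous window costs little here because the flag still requires the specific SyncServlet-then-template-manager order. Any hit on the web shell path is reported on its own, since that endpoint has no legitimate reason to appear in traffic.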
Assessment
CrowdStrike Intelligence assesses that one or more threat actors have almost certainly leveraged a novel zero-day vulnerability (now tracked as CVE-2025-61882) in the mass exploitation campaign discussed in this article. This assessment is made with high confidence based on the observed exploitation, an initial review of the uploaded POC, and Oracle’s October 4, 2025 security advisory.
GRACEFUL SPIDER likely sent the Clop-branded emails victims received on September 29, 2025, and the adversary has likely exploited EBS applications for the purpose of data exfiltration. Both assessments are made with moderate confidence based on the following evidence:
- Emails sent to victims reference GRACEFUL SPIDER’s known email addresses (support[@]pubstorm[.]com and support[@]pubstorm[.]net) and the adversary’s CLOP team moniker
- GRACEFUL SPIDER has reportedly provided evidence that they have access to stolen files
- The adversary has previously conducted several mass exploitation campaigns targeting internet-exposed applications
However, CrowdStrike Intelligence cannot rule out the possibility that multiple threat actors are exploiting EBS applications for the purposes of data exfiltration, given that there may be additional vectors for targeting the root cause; the purported exploit posted on Telegram adds to the uncertainty over whether multiple actors are exploiting these applications. CrowdStrike Intelligence’s investigation into the root cause of CVE-2025-61882 remains ongoing.
CrowdStrike Intelligence further assesses that the POC disclosure and the CVE-2025-61882 patch release will almost certainly encourage threat actors — particularly those familiar with Oracle EBS — to create weaponized POCs and attempt to leverage them against internet-exposed EBS applications. This assessment is made with moderate confidence based on the historical precedent of threat actors leveraging public POCs as well as the often observed transition from targeted exploitation to opportunistic exploitation following vulnerability disclosures and accompanying media and industry attention.
Recommendations
These recommendations can be implemented to help protect against the activity described in this report:
- Oracle strongly recommends applying the updates related to CVE-2025-61882 as soon as possible
- Investigate outbound connections from Oracle EBS instances to known malicious infrastructure
- Search for malicious templates in xdo_templates_vl matching URL references for the TemplateCode
  - Because these templates are located within the Oracle EBS database, CrowdStrike Intelligence recommends working directly with the relevant Oracle database administrator to review potentially impacted systems
- Investigate suspicious UserID 0 (sysadmin) and UserID 6 (guest) sessions in icx_sessions
- Consider temporarily disabling internet access for exposed Oracle EBS services
- Secure EBS instances with a web application firewall (WAF)
Appendix
Falcon LogScale Query
This Falcon LogScale query detects commands associated with the likely exploitation activity.
#event_simpleName="ProcessRollup2"
| event_platform=Lin
| CommandLine=/cat /etc/fstab/
| CommandLine=/cat /etc/hosts/
| CommandLine=/df -h/
| CommandLine=/ip addr/
| CommandLine=/cat /proc/net/arp/
| table([@timestamp, cid, aid, #event_simpleName, ComputerName])
Falcon Next-Gen SIEM Rule Template
The “CrowdStrike – Endpoint – Oracle E-Business Suite Remote Code Execution CVE-2025-61882” rule template has been released to all Falcon Next-Gen SIEM customers and may be used to detect potential Oracle EBS exploitation activity by monitoring for suspicious Java process behavior.
#repo="base_sensor"
| case {
#event_simpleName="ProcessRollup2" ParentBaseFileName="java" event_platform=Lin CommandLine=/bash -c.*(?:etc|proc|df -h|ip addr)/
| _type := "java_command" | _pid := ParentProcessId | _pr2_timestamp := @timestamp ;
#event_simpleName="NetworkConnectIP4" ContextBaseFileName="java" RemotePort=443
| !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10", "169.254.0.0/16"])
| _type := "java_c2" | _pid := ContextProcessId | _nc_timestamp := @timestamp ;
}
| selfJoinFilter(field=[aid, _pid],
where=[
{ _type="java_command" },
{ _type="java_c2" }
],
prefilter=true
)
| groupBy([aid, ComputerName, _pid], function=[
session([
collect([_type, #event_simpleName, ParentBaseFileName, ImageFileName, TargetProcessId, CommandLine, ContextBaseFileName, ContextImageFileName, RemoteAddressIP4, RemotePort, _pr2_timestamp, _nc_timestamp])
],
maxpause=1min
)
], limit=max)
| _type=/java_command/ _type=/java_c2/ ParentBaseFileName=* RemoteAddressIP4=* RemotePort=* _duration>0
| formatTime(format="%c", field=_pr2_timestamp, as=_pr2_timestamp)
| formatTime(format="%c", field=_nc_timestamp, as=_nc_timestamp)
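To make the template's joins concrete, here is an added Python re-implementation of the same correlation (example code, not CrowdStrike's rule logic), run over constructed endpoint events that reuse the template's field names. It classifies a ProcessRollup2 event with a java parent whose command line matches the template's bash -c reconnaissance pattern as java_command, classifies a NetworkConnectIP4 event from java to a non-private address on port 443 as java_c2, joins the two on aid and process ID, and reports only sessions that contain both kinds with no gap longer than one minute and a non-zero duration. The sample events, host IDs and addresses are constructed.

```python
"""Added example: plain-Python rendering of the NG-SIEM rule template's
java_command / java_c2 correlation over constructed endpoint events."""
import ipaddress
import re
from datetime import datetime, timedelta

# Same command pattern as the rule template's ProcessRollup2 branch.
RECON_CMD = re.compile(r"bash -c.*(?:etc|proc|df -h|ip addr)")
# Same exclusion list as the template's !cidr(...) clause (fe80::/10 handled below).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
MAXPAUSE = timedelta(minutes=1)   # session(maxpause=1min)

def is_private(ip):
    """True for addresses the template excludes as internal."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return addr.is_link_local          # fe80::/10
    return any(addr in n for n in PRIVATE_NETS)

def classify(ev):
    """Mirror the case{} block: ("java_command", pid), ("java_c2", pid) or None."""
    if (ev.get("event_simpleName") == "ProcessRollup2" and ev.get("event_platform") == "Lin"
            and ev.get("ParentBaseFileName") == "java"
            and RECON_CMD.search(ev.get("CommandLine", ""))):
        return "java_command", ev["ParentProcessId"]
    if (ev.get("event_simpleName") == "NetworkConnectIP4" and ev.get("ContextBaseFileName") == "java"
            and ev.get("RemotePort") == 443 and not is_private(ev["RemoteAddressIP4"])):
        return "java_c2", ev["ContextProcessId"]
    return None

def _summarize(aid, pid, session):
    """Emit one alert if a session holds both event kinds and lasts longer than 0s."""
    kinds = {k for _, k, _ in session}
    duration = (session[-1][0] - session[0][0]).total_seconds() if session else 0
    if kinds != {"java_command", "java_c2"} or duration <= 0:
        return []
    cmd = next(e for _, k, e in session if k == "java_command")
    net = next(e for _, k, e in session if k == "java_c2")
    return [{"aid": aid, "pid": pid, "CommandLine": cmd["CommandLine"],
             "RemoteAddressIP4": net["RemoteAddressIP4"], "duration_s": duration}]

def correlate(events):
    """Group by (aid, pid), split into sessions at gaps > MAXPAUSE, summarize each."""
    groups = {}
    for ev in events:
        c = classify(ev)
        if c:
            kind, pid = c
            groups.setdefault((ev["aid"], pid), []).append((ev["timestamp"], kind, ev))
    alerts = []
    for (aid, pid), evs in groups.items():
        evs.sort(key=lambda e: e[0])
        session = []
        for item in evs:
            if session and item[0] - session[-1][0] > MAXPAUSE:
                alerts.extend(_summarize(aid, pid, session))
                session = []
            session.append(item)
        alerts.extend(_summarize(aid, pid, session))
    return alerts

def _ev(aid, name, secs, **fields):
    """Build a constructed event `secs` seconds after a fixed base time."""
    base = {"aid": aid, "event_simpleName": name, "event_platform": "Lin",
            "timestamp": datetime(2025, 8, 10, 10, 0, 0) + timedelta(seconds=secs)}
    base.update(fields)
    return base

# Constructed sample: A1 should alert; A2's gap exceeds maxpause; A3 has no command.
SAMPLE_EVENTS = [
    _ev("A1", "ProcessRollup2", 0, ParentBaseFileName="java", ParentProcessId=4242,
        CommandLine='bash -c "cat /etc/fstab; cat /etc/hosts; df -h; ip addr"'),
    _ev("A1", "NetworkConnectIP4", 20, ContextBaseFileName="java", ContextProcessId=4242,
        RemoteAddressIP4="203.0.113.50", RemotePort=443),
    _ev("A1", "NetworkConnectIP4", 25, ContextBaseFileName="java", ContextProcessId=4242,
        RemoteAddressIP4="10.1.2.3", RemotePort=443),          # internal, excluded
    _ev("A2", "ProcessRollup2", 3600, ParentBaseFileName="java", ParentProcessId=777,
        CommandLine='bash -c "cat /etc/hosts"'),
    _ev("A2", "NetworkConnectIP4", 3900, ContextBaseFileName="java", ContextProcessId=777,
        RemoteAddressIP4="198.51.100.9", RemotePort=443),       # 5 min later: no session
    _ev("A3", "NetworkConnectIP4", 7200, ContextBaseFileName="java", ContextProcessId=900,
        RemoteAddressIP4="203.0.113.7", RemotePort=443),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The session split on a one-minute gap is what keeps a long-lived java process with an unrelated outbound 443 connection hours later from pairing with an old reconnaissance command; if you tune maxpause in the template, adjust MAXPAUSE here to keep the two in step.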
[1] https[:]//www[.]oracle[.]com/security-alerts/alert-cve-2025-61882[.]html