Response to Oracle Security Alert Advisory: Oracle E-Business Suite Pre-Auth RCE (CVE-2025-61882)
Summary: Oracle has issued a Security Alert stating that CVE-2025-61882, a vulnerability in E-Business Suite (EBS), allows unauthenticated attackers to execute arbitrary code over HTTP. The flaw affects EBS versions 12.2.3 through 12.2.14 and carries a CVSS score of 9.8. Attackers exploit it by uploading malicious templates via HTTP POST requests and executing code on the server. Cl0p ransomware operators, among others, are actively exploiting it. AttackIQ recommends that organizations use its newly released emulation scenarios to strengthen their defenses. 2025-10-9 18:58:15 Source: securityboulevard.com

On October 4, 2025, Oracle published a Security Alert Advisory addressing the CVE-2025-61882 vulnerability in Oracle E-Business Suite (EBS). This vulnerability allows unauthenticated attackers to execute arbitrary code over HTTP without needing valid credentials. With a CVSS score of 9.8, it represents a severe risk to affected organizations.

The issue impacts Oracle EBS versions 12.2.3 through 12.2.14. According to Oracle, applying the October 2025 Critical Patch Update fully remediates the vulnerability, though systems must first have the October 2023 Critical Patch Update installed as a prerequisite. Organizations using outdated or unpatched deployments remain highly exposed, especially if their EBS instances are accessible from the internet.

Attackers are exploiting CVE-2025-61882 through HTTP POST requests to Oracle endpoints such as /OA_HTML/SyncServlet. From there, they abuse Oracle’s XML Publisher functionality by uploading malicious XSLT templates through pages like /OA_HTML/RF.jsp or /OA_HTML/OA.jsp. When the templates are processed or previewed, the embedded code executes on the server, allowing the attacker to gain remote command execution. This technique has been observed in real-world campaigns, where attackers deploy reverse shells or web shells to establish persistent access, move laterally, and exfiltrate sensitive business data.


Security researchers have confirmed that the vulnerability is being actively exploited in the wild, including by the Cl0p ransomware group and related threat actors tracked as GRACEFUL SPIDER. Publicly available proof-of-concept code has further accelerated the spread of exploitation and increased the risk of broader, automated attacks.

On June 9, 2023, AttackIQ released an emulation in response to CISA Advisory AA23-158A; it contains the tactics, techniques, and procedures (TTPs) observed in attacks carried out by the Cl0p ransomware gang. AttackIQ recommends using this emulation to start testing:

[CISA AA23-158A] #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

AttackIQ has released a new emulation containing two new scenarios designed to test web application firewall (WAF) security controls for the initial POST requests used in part of the exploit chain targeting Oracle EBS:

Oracle E-Business Suite Pre-Auth RCE (CVE-2025-61882)

On October 6, 2025, Oracle published a Security Alert Advisory regarding an unauthenticated remote code execution vulnerability in its Oracle E-Business Suite product. CVE-2025-61882, a critical vulnerability with a CVSS 3.1 Base Score of 9.8, chains together multiple vulnerabilities and weaknesses to achieve remote code execution.

While both endpoints tested in this assessment have legitimate uses, these scenarios are intended to help develop and tune detection capability.

WAF Test (Oracle EBS (CVE-2025-61882)): Exploit via POST Request 1: This scenario simulates the initiation of the CVE-2025-61882 exploit chain by sending an HTTP POST request to the /OA_HTML/configurator/UiServlet endpoint in order to assess whether a Web Application Firewall (WAF) can detect and protect the web application from potential exploitation.

WAF Test (Oracle EBS (CVE-2025-61882)): Exploit via POST Request 2: This scenario simulates the initiation of the CVE-2025-61882 exploit chain by sending an HTTP POST request to the /OA_HTML/SyncServlet endpoint in order to assess whether a Web Application Firewall (WAF) can detect and protect the web application from potential exploitation.
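The two WAF scenarios above only exercise the entry POST requests, and the post notes that those endpoints have legitimate uses. The following is an added example (not AttackIQ's or Oracle's code) of complementary detection logic on the web-server side: it reads access log lines in the common Apache combined format (an assumed log format) and correlates the sequence the post describes, namely a POST to /OA_HTML/SyncServlet or /OA_HTML/configurator/UiServlet followed by a request from the same client to the XML Publisher pages /OA_HTML/RF.jsp or /OA_HTML/OA.jsp. A lone entry POST is reported at low severity for triage; the full sequence within a time window is reported at high severity. The window length and all log lines are constructed for the example.

```python
"""Access-log correlation for the CVE-2025-61882 exploit chain.

Added example, not code from the original post. Assumes Apache/NCSA
combined log format; CHAIN_WINDOW and the sample log are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the post: entry POST targets, then the template pages.
ENTRY_ENDPOINTS = {"/OA_HTML/SyncServlet", "/OA_HTML/configurator/UiServlet"}
TEMPLATE_PAGES = {"/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp"}
CHAIN_WINDOW = timedelta(minutes=10)  # assumption: tune to your environment

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # match on the path, not the query string
    return rec


def find_chain_events(lines):
    """Return (severity, client_ip, detail) findings in log order."""
    findings = []
    entry_posts = defaultdict(list)  # client ip -> timestamps of entry POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than fail the whole run
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if rec["method"] == "POST" and path in ENTRY_ENDPOINTS:
            entry_posts[ip].append(ts)
            findings.append(("low", ip, f"POST to {path} (entry endpoint, triage)"))
        elif path in TEMPLATE_PAGES:
            # Only escalate when the same client hit an entry endpoint shortly before.
            recent = [t for t in entry_posts[ip] if timedelta(0) <= ts - t <= CHAIN_WINDOW]
            if recent:
                findings.append((
                    "high", ip,
                    f"{rec['method']} {path} within {CHAIN_WINDOW} of entry POST: "
                    "possible CVE-2025-61882 chain",
                ))
    return findings


# Constructed sample log: one full chain, one legitimate template-page visit,
# one entry POST whose follow-up falls outside the window, and one bad line.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Oct/2025:14:02:11 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "curl/8.4"',
    '203.0.113.10 - - [07/Oct/2025:14:03:40 +0000] "POST /OA_HTML/RF.jsp?x=1 HTTP/1.1" 200 2048 "-" "curl/8.4"',
    '10.0.0.5 - - [07/Oct/2025:14:05:00 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Oct/2025:14:10:00 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 300 "-" "python-requests/2.32"',
    '198.51.100.7 - - [07/Oct/2025:15:30:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [07/Oct/2025:14:06:30 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for severity, ip, detail in find_chain_events(SAMPLE_LOG):
        print(f"[{severity.upper()}] {ip}: {detail}")
```

Run against real logs by replacing SAMPLE_LOG with the file's lines; the low-severity events are the volume to triage against known integrations, while the high-severity correlation is what should page someone, since the post describes the template pages as the step where uploaded code is executed.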

Wrap-up

In summary, CVE-2025-61882 poses a significant cybersecurity risk: it allows remote, unauthenticated exploitation and is actively being exploited in the wild.

AttackIQ recommends running the previously released emulation for Cl0p ransomware, as well as the new emulation for this particular CVE. Adopting these strategies will help organizations strengthen their defenses and better protect against this ongoing and dynamic cybersecurity threat.

*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Ayelen Torello. Read the original post at: https://www.attackiq.com/2025/10/09/response-to-cve-2025-61882/


Article source: https://securityboulevard.com/2025/10/response-to-oracle-security-alert-advisory-oracle-e-business-suite-pre-auth-rce-cve-2025-61882/