{"id":21361,"date":"2025-10-13T21:45:24","date_gmt":"2025-10-13T21:45:24","guid":{"rendered":"http:\/\/localhost\/?p=21361"},"modified":"2025-10-13T21:45:24","modified_gmt":"2025-10-13T21:45:24","slug":"cve-2025-61882-imperva-customers-protected-against-critical-oracle-ebs-zero-day-rce","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=21361","title":{"rendered":"CVE-2025-61882: Imperva Customers Protected Against Critical Oracle EBS Zero-Day RCE_IMPERVABLOG:F67CE10F1C282EBF524B9D36E6BBB3E2"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-10-14T02:05:08&#8243;,&#8221;description&#8221;:&#8221;_TL;DR: In early October 2025, Oracle released an emergency security alert addressing CVE-2025-61882, a high-severity unauthenticated remote code execution (RCE) vulnerability in the Concurrent Processing \/ BI Publisher Integration component of Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14. Multiple threat actors (most prominently Cl0p and related groups) are already exploiting it in the wild as part of an ongoing extortion and data theft campaign._\\n\\n## The Vulnerability\\n\\nResearchers recently published a detailed analysis and PoC showing CVE\u20112025\u201161882 is not a single bug but rather a multi\u2011stage exploit chain. The attacker begins with an unauthenticated HTTP POST to OA_HTML\/configurator\/UiServlet that supplies XML containing a controllable return_url. That URL is used to trigger an outbound HTTP request (classic SSRF). 
From there the chain uses CRLF\/header injection and HTTP connection reuse to frame additional requests, pivots to a local HTTP service (not properly constrained), and finally delivers a malicious XSL stylesheet that the server processes, leading to arbitrary code execution.\\n\\nSome of the techniques observed or hypothesized in the chain include:\\n\\n  * **SSRF\/misrouting:** attackers cause Oracle EBS to fetch attacker-controlled XSLT payloads via crafted return_url parameters.\\n  * **CRLF injection:** to inject or smuggle headers or requests in the HTTP pipeline.\\n  * **XSLT-based payload execution:** The attacker\u2019s hosted XSL template contains embedded Java code (Base64-encoded) that triggers Java\u2019s Script Engine (e.g., Runtime.exec(\u2026)) via eval-like flows within the XSLT environment.\\n  * **Reverse shell\/outbound connections:** Observed commands include attempts to spawn bash shells connecting back to attacker infrastructure.\\n  * **Multi-stage chaining:** The exploit is not just one flaw, but rather a chain of smaller weaknesses combined to produce a full pre-auth RCE.\\n\\n\\n\\nIn practical terms, the attacker often begins by issuing a crafted HTTP request to endpoints such as \/OA_HTML\/SyncServlet, triggering the authentication bypass, then moving through RF.jsp, OA.jsp, or UiServlet paths to deliver the malicious XSLT.\\n\\nBecause the payload is executed in the context of the EBS Java application, the attacker can achieve full system-level command execution, drop web shells, pivot laterally, and exfiltrate data.\\n\\nOracle\u2019s advisory and the analysis indicate EBS versions 12.2.3 through 12.2.14 are in scope, meaning a large class of EBS deployments are vulnerable until patched. Because EBS often underpins finance, HR, and core ERP functions, risk and potential impact are high.\\n\\n## What We\u2019ve Seen\\n\\nIn just one day, we\u2019ve already seen more than 557,000 attack attempts exploiting this vulnerability. 
These attacks are global, targeting more than 25 countries, although they\u2019re primarily hitting the US, UK, and France.\\n\\nGaming, computing, financial, and business sites are the hardest hit by attack attempts.\\n\\nCl0p is already alleged to have exploited the vulnerability since August, and it\u2019s also potentially been used by LAPSUS$, Scattered Spider, and ShinyHunters.\\n\\n## Bottom line\\n\\nCVE\u20112025\u201161882 is a compact, high\u2011impact pre\u2011auth RCE chain that weaponizes SSRF and XSLT processing.\\n\\nImperva Threat Research Group tracked and identified the exploitation chain of this vulnerability, ensuring that Imperva customers with Cloud WAF or On-Prem WAF are now protected out of the box against it.\\n\\nThe post CVE-2025-61882: Imperva Customers Protected Against Critical Oracle EBS Zero-Day RCE appeared first on Blog.&#8221;,&#8221;published&#8221;:&#8221;2025-10-13T22:29:59&#8243;,&#8221;modified&#8221;:&#8221;2025-10-13T22:29:59&#8243;,&#8221;type&#8221;:&#8221;impervablog&#8221;,&#8221;title&#8221;:&#8221;CVE-2025-61882: Imperva Customers Protected Against Critical Oracle EBS Zero-Day 
RCE&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;IMPERVABLOG:F67CE10F1C282EBF524B9D36E6BBB3E2&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2025-61882&#8243;],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:9.8,&#8221;severity&#8221;:&#8221;CRITICAL&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.imperva.com\/blog\/cve-2025-61882-imperva-customers-protected-against-critical-oracle-ebs-zero-day-rce\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;
:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;AI processing failed &#8211; returned non-JSON response&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-10-14T02:05:08&#8243;,&#8221;description&#8221;:&#8221;_TL;DR: In early October 2025, Oracle released an emergency security alert addressing CVE-2025-61882, a high-severity unauthenticated remote code execution (RCE) vulnerability in the Concurrent Processing&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,59,13,7,11,5],"class_list":["post-21361","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-impervablog","tag-news","tag-security","tag-tapic","tag-vulnerability"]}