Cybersecurity Firm Attributes Oracle E-Business Suite Exploitation to Threat Actor
CrowdStrike has identified the exploitation of a critical security flaw in Oracle E-Business Suite to a threat actor known as Graceful Spider (Cl0p). The first known instance of exploitation occurred on August 9, 2025. The vulnerability in question is CVE-2025-61882, which has a CVSS score of 9.8 and allows for remote code execution without authentication.
According to CrowdStrike, there is uncertainty surrounding how a Telegram channel insinuating collaboration between different threat actors, including Scattered Spider, LAPSUS$ (Slippy Spider), and ShinyHunters, obtained an exploit for the flaw. The channel has been observed sharing the Oracle EBS exploit while criticizing Graceful Spider’s tactics. The binaries dropped by Cl0p actors contained references to LAPSUS$, Scattered Spider, and ShinyHunters, collectively known as the Trinity of Chaos by Resecurity.
Technical Breakdown of the Exploitation
The malicious activity involves the delivery of a payload containing a Base64-encoded reverse shell via an HTTP request to the target Oracle EBS instance. The attacker then establishes a communication channel by configuring a listener to accept incoming connections from compromised systems. The exploit workflow includes the exploitation of an authentication bypass in /OA_HTML/SyncServlet and targeting Oracle’s XML Publisher Template Manager.
The attacker leverages the exploit to establish a reverse shell connection, enabling post-exploitation activities. The malicious template executed by the EBS application results in an outbound connection to attacker-controlled infrastructure, allowing for the execution of commands and persistence establishment.
It is believed that threat actors have leveraged the CVE-2025-61882 exploit for data exfiltration purposes. The disclosure of the exploit and the subsequent patch release are expected to incentivize threat actors, particularly those familiar with Oracle EBS, to create weaponized proof-of-concepts for attacks.
Highly Skilled Attack Chain
WatchTowr Labs conducted a separate analysis of the exploit chain, highlighting the intricate nature of the attack. The exploitation involves a series of vulnerabilities orchestrated together to achieve pre-authenticated remote code execution. The attack sequence includes steps such as SSRF attacks, CRLF injections, and the loading of a malicious XSLT template to achieve arbitrary code execution.
The exploitation of CVE-2025-61882 has been added to the Known Exploited Vulnerabilities catalog by CISA, noting its use in ransomware campaigns. Federal agencies are urged to apply the necessary patches by October 27, 2025. Cl0p has been actively exploiting vulnerabilities in Oracle EBS, leading to data theft and extortion activities.
Organizations using Oracle EBS are advised to patch their systems immediately, enhance their security controls, and remain vigilant against potential exploitation. The threat landscape is evolving rapidly, and proactive measures are essential to mitigate risks effectively.
(This article has been updated to include insights from Resecurity.)
