CVE-2025-61882: the unauthenticated Oracle EBS pre-auth RCE that Cl0p turned into a data-theft campaign

A CVSS 9.8 pre-auth RCE chain in Oracle E-Business Suite, exploited as a zero-day, leaked, and KEV-listed -- here is the chain, the victims, and exactly what to do.

CVE-2025-61882 lets an attacker who can merely reach your Oracle E-Business Suite web tier run code on it -- no login, no user interaction. It is not theoretical: it powered a mass data-theft and extortion campaign that named victims including The Washington Post, GlobalLogic, Harvard, and Dartmouth. This is the full breakdown -- the chain, who is affected, the in-the-wild story, and exactly what to do.

What CVE-2025-61882 actually is

The bug lives in Oracle E-Business Suite, product Oracle Concurrent Processing, component BI Publisher Integration, and affects EBS 12.2.3 through 12.2.14. NVD labels it CWE-287 (Improper Authentication), but that single label hides a multi-stage chain: two public analyses describe two different pre-auth paths that both end at the same place.

watchTowr documented a five-bug chain via /OA_HTML/configurator/UiServlet: SSRF -> CRLF injection -> HTTP keep-alive smuggling -> a /OA_HTML/help/../ auth-filter bypass -> XSLT RCE. Google/Mandiant and CrowdStrike documented the path used in the live Cl0p campaign: unauthenticated POST /OA_HTML/SyncServlet plants a malicious template in the XDO Template Manager, then it is triggered via TemplatePreviewPG. In both, a malicious XSL stylesheet abuses Java extension functions (ScriptEngineManager + eval) to run commands as the EBS OS user.

The exploitation chain

From a single unauthenticated request to stolen data and extortion. Each stage below has a defensive chokepoint -- the cheapest is the first one: take the web tier off the public internet.

CVE-2025-61882 exploitation chain -- unauth EBS to XSLT RCE to web shell to Cl0p data theft

  1. Reachable EBS 12.2.3-12.2.14 (/OA_HTML exposed) — An internet-reachable Oracle EBS web tier on the vulnerable 12.2.3-12.2.14 band. Shadowserver saw 576 vulnerable IPs on 2025-10-06; ~5,000 EBS login pages were exposed (VulnCheck).
  2. Unauth entry: /OA_HTML/SyncServlet or /configurator/UiServlet — A pre-auth POST reaches a vulnerable EBS servlet. **Chokepoint:** pull /OA_HTML off the internet; WAF-block these unauthenticated endpoints.
  3. Chain to XSLT: SSRF+CRLF+keep-alive OR XDO template plant — Path A (watchTowr): SSRF return_url + CRLF + keep-alive smuggling to 7201/TCP, then /OA_HTML/help/../ieshostedsurvey.jsp auth-filter bypass. Path B (live campaign): plant a malicious XDO template (TemplateCode TMP*/DEF*) and trigger via TemplatePreviewPG.
  4. XSLT template injection -> code exec (javax.script eval) — A malicious XSL stylesheet uses Java extension functions (ScriptEngineManager + eval) to run code as the EBS OS user applmgr -- a bash reverse shell. This is XSLT injection, not deserialization.
  5. Persistence: SAGEWAVE servlet-filter web shell — A servlet-filter backdoor (GOLDVEIN.JAVA / SAGEGIFT / SAGELEAF / SAGEWAVE) reachable at /OA_HTML/help/state/content/destination./navId.1/... survives the patch and must be evicted.
  6. Bulk data theft -> Cl0p extortion (email + leak site) — EBS finance/HR data is exfiltrated; Cl0p emails executives (from 29 Sep 2025) and names victims on its leak site. Confirmed: The Washington Post, GlobalLogic, Harvard, Dartmouth, Envoy Air.
  7. Prevent: take EBS off the internet / WAF-block entry — The cheapest, highest-value control: restrict /OA_HTML to VPN and block unauth SyncServlet/UiServlet, /help/../ traversal, and TemplateCode=TMP*/DEF* at the WAF.
  8. Detect: TemplatePreviewPG / TMP* templates — Run the official Nuclei probe for exposure; alert on TemplatePreviewPG with TemplateCode=TMP*/DEF*; query XDO_TEMPLATES_B/XDO_LOBS to find an already-planted template.
  9. Contain: evict web shell + rotate secrets — If exploited, remove the SAGE* web shell, preserve evidence, and rotate DB/APPS, dbc/wallet, and integration secrets. Patching does not evict persistence or undo exfiltration.

Am I affected?

Oracle lists EBS 12.2.3 through 12.2.14 (Oracle Concurrent Processing). The fix is the out-of-band patch of 4 October 2025 -- but mind two gotchas: it requires the October 2023 Critical Patch Update already installed as a baseline, and you must also apply CVE-2025-61884 (patched 11 October 2025), because watchTowr showed the SSRF entry point still worked after the 61882 fix alone. The table below is the at-a-glance risk picture.

| Axis | Value | What it means |
|---|---|---|
| CVSS 3.1 | 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Unauthenticated, network, no interaction -- literal RCE |
| EPSS | 0.997 (99.95th pct) | Effectively the ceiling; a public exploit exists |
| CISA KEV | Listed 2025-10-06, due 2025-10-27, ransomware = Yes | Federal deadline passed; treat exposed installs as same-day |
| Exploited in the wild | Yes -- Cl0p zero-day since ~9 Aug 2025 (traces 10 Jul) | Long dwell time: patch + hunt, do not just patch |
| Public PoC | Yes -- leaked 3 Oct 2025; watchTowr reproduced the full chain | No PoC-free grace window |
| Affected / fixed | EBS 12.2.3-12.2.14 / emergency patch 4 Oct 2025 (+ CVE-2025-61884) | Needs the Oct-2023 CPU baseline first |

Exploited in the wild

Google/Mandiant traced the earliest suspicious traffic to 10 July 2025 and widespread exploitation to 9 August 2025 -- the attacker exfiltrated data quietly for weeks before launching a mass executive extortion-email campaign on 29 September 2025. Oracle's emergency patch followed on 4 October, CISA added it to KEV on 6 October, and a working exploit had already leaked on 3 October. Confirmed victims include The Washington Post (9,720 people), GlobalLogic/Hitachi (~10,471), Harvard, Dartmouth, and Envoy Air.

Detection & hunting

Because this ran as a zero-day with months of dwell time, hunt for prior compromise, not just live attempts. ProjectDiscovery ships an official Nuclei template (CVE-2025-61882) for exposure scanning, and the campaign's behaviour supports high-fidelity log and database hunts. The single highest-fidelity indicator: any TemplatePreviewPG request whose TemplateCode begins with TMP or DEF followed by 16 hex characters.

  • Access logs: unauth POST /OA_HTML/SyncServlet and /OA_HTML/configurator/UiServlet; /OA_HTML/RF.jsp; /OA_HTML/help/../ path traversal.
  • Web shell: requests to /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/ (and the /support/state/... SAGEWAVE variant).
  • Database: rows in XDO_TEMPLATES_B / XDO_LOBS with TEMPLATE_CODE like TMP% or DEF%, and icx_sessions with UserID 0 (sysadmin) or 6 (guest) -- focus on anything created after 10 July 2025.
  • Host: the Java (applmgr) process spawning bash -i shells or recon commands, and unexpected outbound 443 to attacker infrastructure (e.g. 200.107.207.26, 161.97.99.49).

```yaml
# PROPOSED, NOT OFFICIAL - the high-fidelity CVE-2025-61882 IoC on OHS/WebLogic access logs
title: Oracle EBS CVE-2025-61882 XDO TemplatePreview Exploitation (TemplateCode TMP/DEF)
status: experimental
logsource:
  category: webserver          # OHS / WebLogic oacore access log, OA_HTML zone
detection:
  selection_preview:
    cs-uri-query|contains: 'TemplatePreviewPG'
  selection_code:
    cs-uri-query|re: 'TemplateCode=(TMP|DEF)[A-Fa-f0-9]{16}'
  condition: selection_preview and selection_code
fields: [c-ip, cs-user-agent, cs-uri-stem, cs-uri-query, sc-status]
level: critical
```
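To turn the access-log indicators above (and the proposed Sigma logic) into a hunt you can run offline against an exported log, here is an added Python example that is not from the original post or from any vendor: it parses Apache/OHS-style access-log lines and classifies each request against the page's indicators, ordered by fidelity. The log lines are constructed sample data, and the `OA.jsp?page=...TemplatePreviewPG&TemplateCode=...` URL shape and the indicator names are assumptions.

```python
import re

# Constructed OHS/Apache-style access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Oct/2025:11:02:13 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
203.0.113.10 - - [06/Oct/2025:11:02:15 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMP0123456789ABCDEF HTTP/1.1" 200 88
198.51.100.7 - - [06/Oct/2025:11:05:40 +0000] "GET /OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [06/Oct/2025:11:06:01 +0000] "POST /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/ HTTP/1.1" 200 16
192.0.2.55 - - [06/Oct/2025:11:07:22 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=XXSALESINV HTTP/1.1" 200 4096
192.0.2.55 - - [06/Oct/2025:11:08:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status  (assumed common-log layout)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# The single highest-fidelity indicator: TMP or DEF followed by 16 hex characters.
TEMPLATE_CODE_RE = re.compile(r'TemplateCode=(TMP|DEF)[0-9A-Fa-f]{16}')

def classify(method, path):
    """Return (indicator, severity) for one request, or None if nothing on the page matches.
    The raw target is inspected on purpose: the /help/../ traversal must be seen before normalisation."""
    if 'TemplatePreviewPG' in path and TEMPLATE_CODE_RE.search(path):
        return ('xdo_template_preview_TMP_DEF', 'critical')   # planted XDO template being triggered
    if '/OA_HTML/help/state/content/destination./navId.1/' in path or '/OA_HTML/support/state/' in path:
        return ('sagewave_webshell_path', 'critical')          # servlet-filter backdoor traffic
    if '/OA_HTML/help/../' in path:
        return ('help_auth_filter_traversal', 'high')          # watchTowr auth-filter bypass (Path A)
    if method == 'POST' and path.split('?')[0] in ('/OA_HTML/SyncServlet', '/OA_HTML/configurator/UiServlet'):
        return ('unauth_entry_servlet_post', 'high')           # pre-auth entry servlets
    if path.split('?')[0] == '/OA_HTML/RF.jsp':
        return ('rf_jsp_request', 'medium')
    return None

def hunt(log_text):
    """Parse access-log text; return (client_ip, timestamp, indicator, severity, status) per matched request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                           # skip lines that are not in the expected layout
        ip, ts, method, path, status = m.groups()
        verdict = classify(method, path)
        if verdict:
            hits.append((ip, ts, verdict[0], verdict[1], int(status)))
    return hits

if __name__ == '__main__':
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

A legitimate TemplatePreviewPG request with a normal TemplateCode (the XXSALESINV line) is deliberately left unflagged, so the TMP/DEF rule keeps its fidelity.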

What to do now

  1. Patch both CVEs. Apply the 4 Oct 2025 emergency patch for CVE-2025-61882 (it needs the Oct-2023 CPU baseline first) and the 11 Oct patch for CVE-2025-61884. Verify with AD_PATCH.IS_PATCH_APPLIED and ad_adop_session_patches.
  2. If you cannot patch immediately, take /OA_HTML off the public internet and WAF-block the entry endpoints and TemplateCode=TMP*/DEF*.
  3. Assume breach if you were exposed since ~July 2025. Run the database and web-shell hunts above; a planted backdoor survives the patch.
  4. Rotate every secret the app tier could reach -- DB/APPS passwords, EBS dbc/wallet secrets, and integration credentials. Patching does not undo stolen data.
  5. Prepare for extortion/disclosure. If data was taken, Cl0p emails executives and names victims publicly; align legal, comms, and regulatory notification early.

FAQ

Is CVE-2025-61882 being exploited?
Yes -- it was a Cl0p zero-day exploited from around 9 August 2025 (traces to 10 July), well before the fix, and a working exploit is public. It is on CISA KEV with a ransomware flag.
Is it remote code execution?
Yes -- unauthenticated pre-auth RCE. Code runs as the EBS OS user via XSLT / XSL template injection (javax.script eval), not Java object deserialization.
Which versions are affected?
Oracle E-Business Suite 12.2.3 through 12.2.14 (Oracle Concurrent Processing). Fixed by the out-of-band patch of 4 October 2025, which requires the October 2023 CPU baseline.
I patched CVE-2025-61882 -- am I done?
Not necessarily. Also apply CVE-2025-61884 (11 October 2025): the SSRF entry point still worked after the 61882 patch alone. And if you were exposed before patching, hunt for prior compromise -- the patch does not evict a planted web shell or undo data theft.
Who is behind it?
The extortion campaign is attributed to Cl0p (suspected FIN11 overlap). A separate crew, Scattered Lapsus$ Hunters, leaked the exploit -- Google does not attribute the exploitation to ShinyHunters.

Sources