CVE-2025-61882: the unauthenticated Oracle EBS pre-auth RCE that Cl0p turned into a data-theft campaign
A CVSS 9.8 pre-auth RCE chain in Oracle E-Business Suite, exploited as a zero-day, leaked, and KEV-listed -- here is the chain, the victims, and exactly what to do.
CVE-2025-61882 lets an attacker who can merely reach your Oracle E-Business Suite web tier run code on it -- no login, no user interaction. It is not theoretical: it powered a mass data-theft and extortion campaign that named victims including The Washington Post, GlobalLogic, Harvard, and Dartmouth. This is the full breakdown -- the chain, who is affected, the in-the-wild story, and exactly what to do.
What CVE-2025-61882 actually is
The bug lives in Oracle E-Business Suite, product Oracle Concurrent Processing, component BI Publisher Integration, and affects EBS 12.2.3 through 12.2.14. NVD labels it CWE-287 (Improper Authentication), but that single label hides a multi-stage chain: two public analyses describe two different pre-auth paths that both end at the same place.
watchTowr documented a five-bug chain via /OA_HTML/configurator/UiServlet: SSRF -> CRLF injection -> HTTP keep-alive smuggling -> a /OA_HTML/help/../ auth-filter bypass -> XSLT RCE. Google/Mandiant and CrowdStrike documented the path used in the live Cl0p campaign: unauthenticated POST /OA_HTML/SyncServlet plants a malicious template in the XDO Template Manager, then it is triggered via TemplatePreviewPG. In both, a malicious XSL stylesheet abuses Java extension functions (ScriptEngineManager + eval) to run commands as the EBS OS user.
The exploitation chain
From a single unauthenticated request to stolen data and extortion. Each stage below has a defensive chokepoint -- the cheapest is the first one: take the web tier off the public internet.
CVE-2025-61882 exploitation chain -- unauth EBS to XSLT RCE to web shell to Cl0p data theft
- Reachable EBS 12.2.3-12.2.14 (/OA_HTML exposed) — An internet-reachable Oracle EBS web tier on the vulnerable 12.2.3-12.2.14 band. Shadowserver saw 576 vulnerable IPs on 2025-10-06; ~5,000 EBS login pages were exposed (VulnCheck).
- Unauth entry: /OA_HTML/SyncServlet or /configurator/UiServlet — A pre-auth POST reaches a vulnerable EBS servlet. **Chokepoint:** pull /OA_HTML off the internet; WAF-block these unauthenticated endpoints.
- Chain to XSLT: SSRF+CRLF+keep-alive OR XDO template plant — Path A (watchTowr): SSRF return_url + CRLF + keep-alive smuggling to 7201/TCP, then /OA_HTML/help/../ieshostedsurvey.jsp auth-filter bypass. Path B (live campaign): plant a malicious XDO template (TemplateCode TMP*/DEF*) and trigger via TemplatePreviewPG.
- XSLT template injection -> code exec (javax.script eval) — A malicious XSL stylesheet uses Java extension functions (ScriptEngineManager + eval) to run code as the EBS OS user applmgr -- a bash reverse shell. This is XSLT injection, not deserialization.
- Persistence: SAGEWAVE servlet-filter web shell — A servlet-filter backdoor (GOLDVEIN.JAVA / SAGEGIFT / SAGELEAF / SAGEWAVE) reachable at /OA_HTML/help/state/content/destination./navId.1/... survives the patch and must be evicted.
- Bulk data theft -> Cl0p extortion (email + leak site) — EBS finance/HR data is exfiltrated; Cl0p emails executives (from 29 Sep 2025) and names victims on its leak site. Confirmed: The Washington Post, GlobalLogic, Harvard, Dartmouth, Envoy Air.
- Prevent: take EBS off the internet / WAF-block entry — The cheapest, highest-value control: restrict /OA_HTML to VPN and block unauth SyncServlet/UiServlet, /help/../ traversal, and TemplateCode=TMP*/DEF* at the WAF.
- Detect: TemplatePreviewPG / TMP* templates — Run the official Nuclei probe for exposure; alert on TemplatePreviewPG with TemplateCode=TMP*/DEF*; query XDO_TEMPLATES_B/XDO_LOBS to find an already-planted template.
- Contain: evict web shell + rotate secrets — If exploited, remove the SAGE* web shell, preserve evidence, and rotate DB/APPS, dbc/wallet, and integration secrets. Patching does not evict persistence or undo exfiltration.
Am I affected?
Oracle lists EBS 12.2.3 through 12.2.14 (Oracle Concurrent Processing). The fix is the out-of-band patch of 4 October 2025 -- but mind two gotchas: it requires the October 2023 Critical Patch Update already installed as a baseline, and you must also apply CVE-2025-61884 (patched 11 October 2025), because watchTowr showed the SSRF entry point still worked after the 61882 fix alone. The table below is the at-a-glance risk picture.
| Axis | Value | What it means |
|---|---|---|
| CVSS 3.1 | 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Unauthenticated, network, no interaction -- literal RCE |
| EPSS | 0.997 (99.95th pct) | Effectively the ceiling; a public exploit exists |
| CISA KEV | Listed 2025-10-06, due 2025-10-27, ransomware = Yes | Federal deadline passed; treat exposed installs as same-day |
| Exploited in the wild | Yes -- Cl0p zero-day since ~9 Aug 2025 (traces 10 Jul) | Long dwell time: patch + hunt, do not just patch |
| Public PoC | Yes -- leaked 3 Oct 2025; watchTowr reproduced the full chain | No PoC-free grace window |
| Affected / fixed | EBS 12.2.3-12.2.14 / emergency patch 4 Oct 2025 (+ CVE-2025-61884) | Needs the Oct-2023 CPU baseline first |
Exploited in the wild
Google/Mandiant traced the earliest suspicious traffic to 10 July 2025 and widespread exploitation to 9 August 2025 -- the attacker exfiltrated data quietly for weeks before launching a mass executive extortion-email campaign on 29 September 2025. Oracle's emergency patch followed on 4 October, CISA added it to KEV on 6 October, and a working exploit had already leaked on 3 October. Confirmed victims include The Washington Post (9,720 people), GlobalLogic/Hitachi (~10,471), Harvard, Dartmouth, and Envoy Air.
Detection & hunting
Because this ran as a zero-day with months of dwell time, hunt for prior compromise, not just live attempts. ProjectDiscovery ships an official Nuclei template (CVE-2025-61882) for exposure scanning, and the campaign's behaviour supports high-fidelity log and database hunts. The single highest-fidelity indicator: any TemplatePreviewPG request whose TemplateCode begins with TMP or DEF followed by 16 hex characters.
- Access logs: unauth POST /OA_HTML/SyncServlet and /OA_HTML/configurator/UiServlet; /OA_HTML/RF.jsp; /OA_HTML/help/../ path traversal.
- Web shell: requests to /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/ (and the /support/state/... SAGEWAVE variant).
- Database: rows in XDO_TEMPLATES_B / XDO_LOBS with TEMPLATE_CODE like TMP% or DEF%, and icx_sessions with UserID 0 (sysadmin) or 6 (guest) -- focus on anything created after 10 July 2025.
- Host: the Java (applmgr) process spawning bash -i shells or recon commands, and unexpected outbound 443 to attacker infrastructure (e.g. 200.107.207.26, 161.97.99.49).
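As an added example (not code from the original post or from any vendor cited here), the Python below runs the access-log and web-shell hunts above over constructed OHS/Apache-style log lines, URL-decoding each request first so an encoded /help/%2e%2e/ traversal is still caught; the query-string layout of the sample TemplatePreviewPG requests is assumed for illustration.

```python
import re
from urllib.parse import unquote

# Apache/OHS combined-log request line: client ident user [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
# Highest-fidelity indicator from the write-up: TMP/DEF followed by 16 hex characters.
TEMPLATE_CODE_RE = re.compile(r"TemplateCode=(?:TMP|DEF)[0-9A-Fa-f]{16}\b")

# (indicator name, predicate over "METHOD <url-decoded URI>"), one per access-log hunt above.
INDICATORS = [
    ("xdo_template_preview",
     lambda r: "TemplatePreviewPG" in r and TEMPLATE_CODE_RE.search(r) is not None),
    ("entry_servlet_post",   # pre-auth entry servlets; confirm "no session" via icx_sessions
     lambda r: re.match(r"POST /OA_HTML/(SyncServlet|configurator/UiServlet)(\?|$)", r) is not None),
    ("help_traversal",       # /help/../ auth-filter bypass, matched after URL-decoding
     lambda r: "/OA_HTML/help/../" in r),
    ("sage_webshell_path",   # SAGEWAVE servlet-filter web shell path and its /support variant
     lambda r: re.search(r"/OA_HTML/(help|support)/state/content/destination\./navId\.1/", r) is not None),
]

def hunt(lines):
    """Return one finding per (line, indicator) that fires, in log order."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        client, method, uri, status = m.groups()
        request = f"{method} {unquote(uri)}"  # decode %2e%2e etc. so encoded traversal cannot slip past
        for name, fires in INDICATORS:
            if fires(request):
                hits.append({"line": n, "indicator": name, "client": client, "status": int(status)})
    return hits

# Constructed sample lines (not real traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
# Lines 5 and 6 are benign controls: a normal login and a preview of a normally named template.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Oct/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.10 - - [05/Oct/2025:03:14:09 +0000] "GET /OA_HTML/RF.jsp?OAFunc=TemplatePreviewPG&TemplateCode=TMP0123456789ABCDEF HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '203.0.113.10 - - [05/Oct/2025:03:15:00 +0000] "GET /OA_HTML/help/%2e%2e/ieshostedsurvey.jsp HTTP/1.1" 200 77 "-" "curl/8.4.0"',
    '203.0.113.10 - - [06/Oct/2025:11:00:00 +0000] "GET /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/ HTTP/1.1" 200 13 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Oct/2025:11:00:05 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Oct/2025:11:00:06 +0000] "GET /OA_HTML/OA.jsp?OAFunc=TemplatePreviewPG&TemplateCode=XXFIN_INVOICE HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h)
```

Only the first indicator is high-fidelity on its own; the entry-servlet and traversal hits need correlation with icx_sessions and the XDO tables before you call them exploitation.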
```yaml
# PROPOSED, NOT OFFICIAL - the high-fidelity CVE-2025-61882 IoC on OHS/WebLogic access logs
title: Oracle EBS CVE-2025-61882 XDO TemplatePreview Exploitation (TemplateCode TMP/DEF)
status: experimental
logsource:
  category: webserver   # OHS / WebLogic oacore access log, OA_HTML zone
detection:
  selection_preview:
    cs-uri-query|contains: 'TemplatePreviewPG'
  selection_code:
    cs-uri-query|re: 'TemplateCode=(TMP|DEF)[A-Fa-f0-9]{16}'
  condition: selection_preview and selection_code
fields: [c-ip, cs-user-agent, cs-uri-stem, cs-uri-query, sc-status]
level: critical
```

What to do now
- Patch both CVEs. Apply the 4 Oct 2025 emergency patch for CVE-2025-61882 (it needs the Oct-2023 CPU baseline first) and the 11 Oct patch for CVE-2025-61884. Verify with AD_PATCH.IS_PATCH_APPLIED and ad_adop_session_patches.
- If you cannot patch immediately, take /OA_HTML off the public internet and WAF-block the entry endpoints and TemplateCode=TMP*/DEF*.
- Assume breach if you were exposed since ~July 2025. Run the database and web-shell hunts above; a planted backdoor survives the patch.
- Rotate every secret the app tier could reach -- DB/APPS passwords, EBS dbc/wallet secrets, and integration credentials. Patching does not undo stolen data.
- Prepare for extortion/disclosure. If data was taken, Cl0p emails executives and names victims publicly; align legal, comms, and regulatory notification early.
FAQ
Is CVE-2025-61882 being exploited?
Yes. Google/Mandiant trace the earliest suspicious traffic to 10 July 2025 and widespread exploitation to 9 August 2025; Cl0p used it as a zero-day for data theft and extortion, a working exploit leaked on 3 October, and CISA added it to KEV on 6 October 2025.
Is it remote code execution?
Yes -- unauthenticated, pre-auth RCE as the EBS OS user. The mechanism is XSLT template injection reaching Java extension functions (javax.script eval), not Java object deserialization.
Which versions are affected?
Oracle E-Business Suite 12.2.3 through 12.2.14 (Oracle Concurrent Processing, BI Publisher Integration).
I patched CVE-2025-61882 -- am I done?
No. Also apply the 11 October 2025 patch for CVE-2025-61884, because the SSRF entry point still worked after the 61882 fix alone, then hunt for prior compromise: a planted SAGE* web shell survives the patch, and patching does not undo exfiltration. Rotate every secret the app tier could reach.
Who is behind it?
The Cl0p extortion operation, which has emailed executives since 29 September 2025 and names victims on its leak site.
Sources
- NVD -- CVE-2025-61882
- Oracle Security Alert -- CVE-2025-61882
- Google Cloud / Mandiant (GTIG) -- Oracle EBS zero-day exploitation
- watchTowr Labs -- the pre-auth RCE chain
- CrowdStrike -- campaign targeting the EBS zero-day
- Rapid7 -- ETR: critical 0-day in Oracle EBS
- BleepingComputer -- Oracle silently fixes leaked zero-day exploit