CVE-2025-61882 | Oracle | RCE
| Vulnerability | CVE-2025-61882 |
|---|---|
| Type | Unauthenticated Remote Code Execution (RCE) / CWE-284, CWE-74 |
| Description | A critical vulnerability in the Oracle Concurrent Processing component (BI Publisher Integration) of Oracle E-Business Suite allows unauthenticated remote attackers to execute arbitrary code via HTTP. Attackers can inject malicious XSLT payloads that are executed server-side, resulting in full system compromise without user interaction. |
| Affected Systems | Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14 |
| Attack Vector | Remote Network (Unauthenticated) via HTTP/HTTPS. Attackers target the /OA_HTML/configurator/UiServlet or /OA_HTML/SyncServlet endpoints. |
| Exploit Mechanism | The attacker chains multiple exploitation primitives: SSRF or authentication bypass to reach internal components, followed by XSLT injection. A common attack chain (used by Cl0p) involves uploading a malicious template—often with a name beginning with TMP or DEF—into the database and triggering it via a preview request, causing the server to execute embedded Java commands. |
| Impact of the Bug | Critical (CVSS 9.8) — complete loss of Confidentiality, Integrity, and Availability. Enables data theft (financial/HR records), deployment of ransomware (e.g., Cl0p), and lateral movement inside the network. |
| Detection Techniques | • Monitor web logs for suspicious POST requests to UiServlet or SyncServlet from unknown IPs • Use Database Activity Monitoring (DAM) to detect insertions into XDO_TEMPLATES_B where TEMPLATE_CODE begins with TMP or DEF |
| How to Detect if Exploited | • Query XDO_TEMPLATES_B for suspicious templates created since July/August 2025 • Review EDR logs for Java processes executing shell commands (cmd.exe, bash) or reaching out to external IP addresses |
| Mitigation Steps | • Apply Oracle Security Alert CVE-2025-61882 (Oct 4) AND the follow-up patch for CVE-2025-61884 (Oct 11) immediately • Block outbound Internet traffic from EBS servers to prevent command-and-control connections • Restrict access to /OA_HTML paths to trusted internal networks only |
| Workaround if Available | Block access to UiServlet and SyncServlet at the WAF or load balancer (may impact functionality). Apply WAF rules to detect and block XSLT injection attempts. |
| References | • https://www.oracle.com/security-alerts/alert-cve-2025-61882.html • https://www.cisa.gov/known-exploited-vulnerabilities-catalog • https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation • https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/ |
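A defender-side check for the two detection rows above (web-log monitoring for POSTs to the named servlets from outside trusted ranges, and the TMP/DEF template-name rule against XDO_TEMPLATES_B rows), written as an added Python example that is not from the card or from Oracle. The combined access-log format, the trusted address ranges, the July 2025 date window and every sample line and row are assumptions constructed for illustration.

```python
import re
from datetime import date
from ipaddress import ip_address, ip_network

# Endpoints named in the card's Attack Vector row.
WATCHED_PATHS = {"/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet"}
# Assumption: internal ranges from which legitimate EBS traffic is expected.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def is_trusted(ip):
    """True if the client address falls inside an expected internal range."""
    try:
        addr = ip_address(ip)
    except ValueError:          # malformed address: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETS)

def scan_access_log(lines):
    """Return (timestamp, ip, path, status) for POSTs to the watched servlets from untrusted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]       # drop the query string before matching
        if m["method"] == "POST" and path in WATCHED_PATHS and not is_trusted(m["ip"]):
            hits.append((m["ts"], m["ip"], path, int(m["status"])))
    return hits

def suspicious_templates(rows, since=date(2025, 7, 1)):
    """Mirror the DAM rule: TEMPLATE_CODE starting with TMP/DEF, created on or after `since`."""
    return [code for code, created in rows
            if code.upper().startswith(("TMP", "DEF")) and created >= since]

# Constructed sample data (not real traffic or real database rows).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2025:02:14:09 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512',
    '10.20.30.40 - - [06/Oct/2025:02:15:00 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 128',
    '198.51.100.9 - - [06/Oct/2025:02:16:31 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
    '198.51.100.9 - - [06/Oct/2025:02:16:45 +0000] "POST /OA_HTML/configurator/UiServlet?x=1 HTTP/1.1" 500 0',
]
SAMPLE_TEMPLATES = [
    ("TMP_8F2A", date(2025, 8, 12)),     # constructed: matches prefix and window
    ("DEFAULT_INV", date(2024, 3, 2)),   # constructed: prefix matches but predates the window
    ("XXAR_INVOICE", date(2025, 9, 1)),  # constructed: benign custom template
]
```

Feed `scan_access_log` the EBS web tier's access log and `suspicious_templates` the `(TEMPLATE_CODE, CREATION_DATE)` pairs pulled from XDO_TEMPLATES_B; the trusted-range check is what separates the flagged external POSTs from ordinary internal use of the same servlets.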