CVE-2025-61882: Imperva Customers Protected Against Critical Oracle EBS Zero-Day RCE

TL;DR: In early October 2025, Oracle released an emergency security alert addressing CVE-2025-61882, a high-severity unauthenticated remote code execution (RCE) vulnerability in the Concurrent Processing / BI Publisher Integration component of Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14. Multiple threat actors (most prominently Cl0p and related groups) are already exploiting it in the wild as part of an ongoing extortion and data theft campaign.

The Vulnerability

Researchers recently published a detailed analysis and PoC showing that CVE-2025-61882 is not a single bug but a multi-stage exploit chain. The attacker begins with an unauthenticated HTTP POST to OA_HTML/configurator/UiServlet that supplies XML containing a controllable return_url. That URL is used to trigger an outbound HTTP request (classic SSRF). From there the chain uses CRLF/header injection and HTTP connection reuse to frame additional requests, pivots to a local HTTP service that is not properly constrained, and finally delivers a malicious XSL stylesheet that the server processes, leading to arbitrary code execution.

Some of the techniques observed or hypothesized in the chain include:

  • SSRF/misrouting: attackers cause Oracle EBS to fetch attacker-controlled XSLT payloads via crafted return_url parameters.
  • CRLF injection: to inject or smuggle headers or requests in the HTTP pipeline.
  • XSLT-based payload execution: The attacker’s hosted XSL template contains embedded Java code (Base64-encoded) that triggers Java’s Script Engine (e.g., Runtime.exec(…)) via eval-like flows within the XSLT environment.
  • Reverse shell/outbound connections: Observed commands include attempts to spawn bash shells connecting back to attacker infrastructure.
  • Multi-stage chaining: The exploit is not just one flaw, but rather a chain of smaller weaknesses combined to produce a full pre-auth RCE.

In practical terms, the attacker often begins by issuing a crafted HTTP request to endpoints such as /OA_HTML/SyncServlet, triggering the authentication bypass, then moving through RF.jsp, OA.jsp, or UiServlet paths to deliver the malicious XSLT.

Because the payload is executed in the context of the EBS Java application, the attacker can achieve full system-level command execution, drop web shells, pivot laterally, and exfiltrate data.
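As an added illustration (not Imperva's WAF logic and not code from the post or the researchers' analysis), the following Python sketches defender-side checks built only from the indicators named above: the EBS endpoint paths, the return_url value, CRLF sequences in it, and Java markers in any XSL the server is handed. The allowlist host, the XML shape of return_url, and the Java-marker patterns are assumptions.

```python
import re
from urllib.parse import urlsplit

# Endpoints the post names as stages of the chain.
EBS_PATHS = ("/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet",
             "/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp")
# Hosts the EBS tier may legitimately be told to call back to
# (constructed allowlist for this example; replace with your own).
ALLOWED_HOSTS = {"ebs-app.corp.example"}

# return_url as an XML element or attribute (exact markup is an assumption).
RETURN_URL = re.compile(r'return_url\s*(?:>|=\s*["\'])\s*([^"\'<]+)', re.I)
# Raw or percent-encoded line breaks: the header/request-injection stage.
CRLF = re.compile(r'\r\n|\r|\n|%0d%0a|%0d|%0a', re.I)
# Markers of a stylesheet calling into Java (Xalan's java extension
# namespace, Runtime, ScriptEngine); an assumed, not exhaustive, set.
JAVA_XSL = re.compile(r'xalan/java|java\.lang\.Runtime|ScriptEngine', re.I)


def inspect_request(path, body):
    """Reasons an inbound EBS request resembles the chain; [] if none."""
    findings = []
    if not path.startswith(EBS_PATHS):
        return findings
    for raw in RETURN_URL.findall(body):
        if CRLF.search(raw):
            findings.append("CRLF inside return_url (header/request injection)")
        url = CRLF.split(raw, 1)[0].strip()  # value before any injected line
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in ALLOWED_HOSTS:
            findings.append(f"return_url targets off-allowlist host {host} (SSRF)")
        if urlsplit(url).path.lower().endswith((".xsl", ".xslt")):
            findings.append("return_url points at an XSL stylesheet")
    return findings


def inspect_stylesheet(xsl):
    """True if a stylesheet EBS is about to process (e.g. the body fetched
    from return_url, captured at the egress proxy) carries Java markers."""
    return JAVA_XSL.search(xsl) is not None


# Constructed sample traffic, not captured data.
BENIGN = ("/OA_HTML/configurator/UiServlet",
          "<init><return_url>https://ebs-app.corp.example/cfg/done</return_url></init>")
SUSPECT = ("/OA_HTML/configurator/UiServlet",
           "<init><return_url>http://203.0.113.7/p.xsl%0d%0aX-Injected: 1</return_url></init>")

if __name__ == "__main__":
    for path, body in (BENIGN, SUSPECT):
        print(path, inspect_request(path, body) or "clean")
```

The request-side checks belong at the WAF or reverse proxy in front of EBS; the stylesheet check belongs wherever the outbound fetch that return_url triggers can be observed.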

Oracle’s advisory and the analysis indicate EBS versions 12.2.3 through 12.2.14 are in scope, meaning a large class of EBS deployments are vulnerable until patched. Because EBS often underpins finance, HR, and core ERP functions, risk and potential impact are high.

What We’ve Seen

In just one day, we’ve already seen more than 557,000 attack attempts exploiting this vulnerability. These attacks are global, targeting more than 25 countries, although they’re primarily hitting the US, UK, and France.

[Figure: CVE-2025-61882 targeted countries]

Gaming, computing, financial, and business sites are the hardest hit by attack attempts.

[Figure: CVE-2025-61882 targeted industries]

Cl0p is already alleged to have exploited the vulnerability since August, and it’s also potentially been used by LAPSUS$, Scattered Spider, and ShinyHunters.

Bottom line

CVE-2025-61882 is a compact, high-impact pre-auth RCE chain that weaponizes SSRF and XSLT processing.

Imperva Threat Research Group tracked and identified the exploitation chain of this vulnerability, and Imperva customers with Cloud WAF or On-Prem WAF are now protected against it out of the box.
