
CrowdStrike said Monday that the first known exploitation of the recently disclosed security flaw in Oracle E-Business Suite occurred on August 9, 2025, and attributed the activity to a threat actor it tracks as Graceful Spider (also known as CL0P).
The attacks involve exploitation of CVE-2025-61882 (CVSS score: 9.8), a critical vulnerability that allows remote code execution without authentication.
The cybersecurity company also noted that it is currently unknown how a Telegram channel hinting at a collaboration between Scattered Spider, LAPSUS$ (aka Slippy Spider), and ShinyHunters came into possession of the exploit, or whether they or other threat actors used it in real-world attacks.
The Telegram channel has been observed sharing the alleged Oracle EBS exploit while criticizing Graceful Spider's tactics.

Activity observed so far includes an HTTP request to /OA_HTML/SyncServlet that results in an authentication bypass. The attacker then issues a GET request targeting Oracle's XML Publisher Manager.
A malicious template is executed when it is previewed, and the Java web server process opens an outbound connection over port 443 to attacker-controlled infrastructure. That connection is then used to load a web shell remotely, run commands, and establish persistence.
One or more threat actors are believed to have used the CVE-2025-61882 exploit for data theft.
"The proof-of-concept disclosure and the release of the CVE-2025-61882 patch will almost certainly encourage threat actors, especially those familiar with Oracle EBS, to create weaponized PoCs and attempt to use them against internet-exposed EBS applications."

A separate analysis describes the exploit chain as demonstrating "this level of skill and effort, with at least five different bugs being chained together to achieve pre-authenticated remote code execution." The full sequence of events is:
Send an HTTP POST request containing crafted XML to /OA_HTML/configurator/UiServlet, forcing the backend server to issue arbitrary HTTP requests via a server-side request forgery (SSRF) attack, and use carriage return/line feed (CRLF) injection to inject arbitrary HTTP requests. Use this to smuggle a request to the internet-exposed Oracle EBS application at "apps.example.com:7201/OA_HTML/help/../ieshostedsurvey.jsp" that loads a malicious XSLT template.
The attack takes advantage of the fact that the JSP file can load untrusted stylesheets from a remote URL, which opens the door for the attacker to achieve arbitrary code execution.
"This combination allows attacker-controlled requests via SSRF to use request framing, reusing the same TCP connection for additional requests, which increases reliability and reduces noise," the company said. "HTTP persistent connections (also known as HTTP keep-alive or connection reuse) ensure that a single TCP connection carries multiple HTTP request/response pairs instead of opening a new connection for every exchange."
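The request paths named in the activity CrowdStrike observed (/OA_HTML/SyncServlet) and in the five-bug chain above (/OA_HTML/configurator/UiServlet, the traversal to ieshostedsurvey.jsp) are the pieces a defender can hunt for in web-server access logs. The script below is an added example written for this article, not CrowdStrike's or Oracle's code: it assumes Apache combined-format logs, normalizes each request path (URL-decoding and lower-casing) so encoding or case variations do not slip past the match, flags lines that hit the reported paths, and then correlates per source IP so that a client seen at both ends of the chain is surfaced separately. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). Not real
# traffic; the addresses come from documentation/private ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2025:10:01:02 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2025:10:01:03 +0000] "GET /OA_HTML/help/..%2Fieshostedsurvey.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Aug/2025:10:05:00 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 200 128 "-" "curl/8.0"
10.0.0.5 - - [09/Aug/2025:10:06:00 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Aug/2025:10:07:00 +0000] "GET /OA_HTML/RF.jsp?function_id=1234 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-level indicators taken from the paths reported in the article.
# Each entry: (required method or None, substring of the normalized path, description).
INDICATORS = [
    ("POST", "/oa_html/configurator/uiservlet", "crafted XML POST to UiServlet (SSRF/CRLF entry point)"),
    (None, "/oa_html/syncservlet", "SyncServlet request (reported authentication bypass)"),
    (None, "ieshostedsurvey.jsp", "ieshostedsurvey.jsp reached via path traversal (remote XSLT load)"),
]


def normalize_path(raw_path):
    """Lower-case, URL-decode twice (to catch double encoding) and drop the query string."""
    return unquote(unquote(raw_path)).split("?", 1)[0].lower()


def scan_log(text):
    """Return one finding per log line whose normalized path matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["path"])
        for method, needle, desc in INDICATORS:
            if method is not None and m["method"] != method:
                continue
            if needle in path:
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "method": m["method"],
                    "path": m["path"],
                    "status": int(m["status"]),
                    "indicator": desc,
                    # Dot-segment traversal is how the chain reaches the JSP.
                    "traversal": "/../" in path or path.endswith("/.."),
                })
                break
    return findings


def correlate(findings):
    """Source IPs seen at both ends of the reported chain: the UiServlet
    entry point and the traversal to ieshostedsurvey.jsp."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["indicator"])
    chain = {INDICATORS[0][2], INDICATORS[2][2]}
    return sorted(ip for ip, seen in by_ip.items() if chain <= seen)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['indicator']}")
    for ip in correlate(hits):
        print(f"{ip}: UiServlet POST and ieshostedsurvey.jsp traversal from one source; "
              f"treat as likely exploitation and pivot to outbound 443 from the Java process")
```

A single hit on any of these paths is worth triage, but the correlation step is what separates a scanner poking at SyncServlet from a client that has walked the full chain; pair it with a review of outbound connections on port 443 from the Java web server process, which the article names as the next stage.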

CVE-2025-61882 has since been added to the Known Exploited Vulnerabilities (KEV) catalog of the Cybersecurity and Infrastructure Security Agency (CISA), which cites its use in ransomware campaigns and requires federal agencies to apply the fix by October 27, 2025.
"CL0P has been exploiting multiple vulnerabilities in Oracle EBS since at least August 2025, stealing large amounts of data from several victims, and has been sending extortion emails to some of those victims since last Monday."
"Based on the evidence, I consider this to be CL0P activity and fully expect to see indiscriminate mass exploitation by multiple groups within days. If you run Oracle EBS, this is a red alert. Patch it immediately, actively hunt, tighten controls – fast."