Leaked Oracle EBS exploit scripts expected to drive new wave of attacks (CVE-2025-61882)

Resecurity and watchTowr researchers have analyzed the leaked scripts used by attackers to exploit CVE-2025-61882 on internet-facing Oracle EBS instances.

Whether the attackers were Cl0p or LAPSUS$, both, or even additional threat actors is still unknown, as the scripts have been leaked on Telegram.

CVE-2025-61882 exploit scripts analyzed

“What we have observed is that CVE-2025-61882 (…) is not ‘just’ one vulnerability. It is a poetic flow of numerous small/medium weaknesses,” watchTowr researchers Sina Kheirkhah and Jake Knot noted.

“This is noteworthy because (…) whoever first discovered these vulnerabilities and chained them clearly knows Oracle EBS incredibly well at this point.”

Two Python scripts are required to pull off the attack: Server.py, an HTTP server implementation, and exp.py, an exploit client that coerces the Oracle EBS server into fetching the attacker’s malicious payload.

“Using the exp.py script, the attacker sends a specially crafted HTTP request to the target Oracle EBS instance. This request includes a return_url parameter that references the attacker’s payload server. To evade basic security filters, the URL is encoded using numeric HTML character entities. This causes the EBS server to fetch and process content from the attacker-controlled server, effectively executing a server-side request forgery (SSRF),” Resecurity researchers explained.

“Upon following the return_url, the EBS application retrieves the malicious XSL file. The file includes an embedded JavaScript payload that is decoded and executed using Java’s javax.script API.”

Once the payload is executed, the EBS server initiates a reverse shell connection back to the attacker’s listener. “The shell typically runs under the Oracle user context, granting the attacker interactive access to the target system’s operating environment,” the researchers added.
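The evasion described above (the attacker-controlled return_url hidden behind numeric HTML character entities) is the kind of thing a filter or a log review misses unless it decodes the value first. The following is an added defensive example, not code from the page, Resecurity or watchTowr: it reads web-server access-log lines, decodes the return_url parameter the way the text describes, and flags requests whose decoded target points off-host. The log lines, the page name and the hostname allow-list are constructed.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not real traffic). The first request carries a
# same-origin return_url; the second hides an external host behind decimal HTML
# character entities, the third behind hex entities.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2025:10:01:02 +0000] "GET /OA_HTML/SomePG?return_url=/OA_HTML/RF.jsp HTTP/1.1" 200 512
198.51.100.7 - - [06/Oct/2025:10:01:07 +0000] "GET /OA_HTML/SomePG?return_url=&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#50;&#48;&#51;&#46;&#48;&#46;&#49;&#49;&#51;&#46;&#49;&#48;&#47;&#120; HTTP/1.1" 200 88
198.51.100.7 - - [06/Oct/2025:10:01:09 +0000] "GET /OA_HTML/SomePG?return_url=&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x32;&#x30;&#x33;&#x2e;&#x30;&#x2e;&#x31;&#x31;&#x33;&#x2e;&#x31;&#x30;&#x2f;&#x79; HTTP/1.1" 200 88
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Hypothetical allow-list: "" stands for a relative (same-origin) return_url.
TRUSTED_HOSTS = {"", "ebs.example.internal"}


def decode_return_url(target):
    """Return the fully decoded return_url value of a request target, or None if absent."""
    # Do not use urlsplit on the raw target: the "#" inside "&#104;" would be taken as
    # a fragment delimiter and the encoded value would vanish from the query string.
    _, _, query = target.partition("?")
    # Entity sequences begin with "&#", so split only on "&" that does not start one;
    # a naive split on every "&" would shred the encoded value and hide the host.
    for param in re.split(r"&(?!#)", query):
        name, _, value = param.partition("=")
        if name == "return_url":
            decoded = html.unescape(unquote(value))
            # Second pass: entities that were additionally percent-encoded in transit.
            return html.unescape(unquote(decoded))
    return None


def flag_external_return_urls(log_text, trusted=TRUSTED_HOSTS):
    """Return (source_ip, decoded_return_url) for requests whose return_url leaves the host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_return_url(m["target"])
        if decoded is None:
            continue
        host = urlsplit(decoded).hostname or ""
        if host not in trusted:
            hits.append((m["src"], decoded))
    return hits
```

Run over the constructed sample, the two entity-encoded requests are reported with their decoded external target while the same-origin one is not.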

More attacks expected

It’s still unclear whether the attackers used only CVE-2025-61882 to breach Oracle EBS instances, or whether they exploited other vulnerabilities as well. Oracle initially said that the attackers leveraged flaws patched in July 2025, but has since removed that particular post.

What’s almost certain is that these and likely other attackers will continue to leverage the leaked exploit scripts to target Oracle EBS instances exposed on the internet.

According to Mandiant, exploitation of the flaw and subsequent data theft attacks started in August 2025.

Many of the affected organizations already know they’ve been hit, as they’ve received the Cl0p extortion emails. But all organizations with internet-facing Oracle EBS instances should check for indicators of compromise that Oracle provided in the CVE-2025-61882 security advisory, and update the instances with all the provided fixes as instructed.

WatchTowr researchers have published a script that can be used to check whether an Oracle E-Business Suite instance is vulnerable to CVE-2025-61882, and CISA has added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog.

UPDATE (October 7, 2025, 09:40 a.m. ET):

Crowdstrike has shared additional indicators of compromise related to these attacks.

UPDATE (October 9, 2025, 00:25 p.m. ET):

“The threat actor(s) exploited what may be CVE-2025-61882 as a zero-day vulnerability against Oracle EBS customers as early as Aug. 9, 2025, weeks before a patch was available, with additional suspicious activity dating back to July 10, 2025. In some cases, the threat actor successfully exfiltrated a significant amount of data from impacted organizations,” Google Threat Intelligence Group (GTIG) and Mandiant shared today.

The suspicious activity spotted on July 10 can’t be conclusively tied to the use of the exploit scripts analyzed by Resecurity and watchTowr, but the IP address from which the suspicious traffic came was spotted again – along with many additional ones – in the successful August attacks.

The attackers also used multi-stage, fileless malware: the GOLDVEIN.JAVA downloader, the SAGEGIFT loader, the SAGELEAF in-memory dropper, and SAGEWAVE, a malicious Java servlet filter that allows the actor to deploy an AES-encrypted ZIP archive with Java classes in it. Unfortunately, the researchers did not manage to capture the final malware deployed.

Based on several clues, the threat actor(s) behind this campaign are likely FIN11, known for leveraging the Cl0p ransomware and exploiting zero-days in internet-facing file transfer/file sharing enterprise solutions, or a partner group that uses the CL0P ransomware and the CL0P data leak site.

“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations. Some historic CL0P data extortion campaigns have had hundreds of victims. Unfortunately large scale zero-day campaigns like this are becoming a regular feature of cybercrime,” John Hultquist, Chief Analyst at Google Threat Intelligence Group – Google Cloud, added.
