On October 4, 2025, Oracle issued a security alert for a critical vulnerability in its E-Business Suite (EBS), tracked as CVE-2025-61882. The flaw allows an unauthenticated attacker to execute code remotely and carries a CVSS score of 9.8. It affects Oracle EBS versions 12.2.3 through 12.2.14; remediation requires the October 2025 Critical Patch Update, which itself requires the October 2023 update to be installed first. Unpatched systems, particularly those exposed to the internet, remain vulnerable.
Attackers exploit the vulnerability with HTTP POST requests to Oracle EBS endpoints such as /OA_HTML/SyncServlet. They abuse the XML Publisher feature by uploading malicious XSLT templates, which execute code on the server when processed. This method has been used in real-world intrusions to gain persistent access and exfiltrate data. The vulnerability is being actively exploited by groups including Cl0p and GRACEFUL SPIDER, and publicly available proof-of-concept code is accelerating its spread.
AttackIQ suggests organizations test their defenses using emulations that simulate these attacks, focusing on web application firewall effectiveness against the exploit’s initial POST requests. By employing these strategies, organizations can enhance their security posture against this evolving threat.
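As an added illustration of the defensive side described above (not code from AttackIQ, Oracle, or the original alert), the following script flags POST requests to the /OA_HTML/SyncServlet endpoint named in the alert in NCSA-style web server access logs and checks whether an EBS version string falls in the affected 12.2.3 to 12.2.14 range. The log lines are constructed samples, and the NCSA log format and the `is_affected_version` version-string shape are assumptions.

```python
import re

# Constructed sample access-log lines (NCSA/Apache combined-style, no user agent).
# These are illustrative only and do not come from a real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2025:10:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
203.0.113.9 - - [06/Oct/2025:10:12:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312
198.51.100.2 - - [06/Oct/2025:10:13:22 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 302 0
203.0.113.9 - - [06/Oct/2025:10:14:40 +0000] "POST /OA_HTML/SyncServlet?x=1 HTTP/1.1" 500 0
"""

# Assumed NCSA-style layout: client - user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in the Oracle alert; extend this tuple with others you monitor.
WATCHED_ENDPOINTS = ("/OA_HTML/SyncServlet",)


def find_suspicious_posts(log_text):
    """Return (ip, timestamp, path, status) for every POST to a watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "POST" and any(
            path.lower() == e.lower() for e in WATCHED_ENDPOINTS
        ):
            hits.append((m["ip"], m["ts"], path, int(m["status"])))
    return hits


def posts_by_source(log_text):
    """Count watched-endpoint POSTs per client IP to surface repeat senders."""
    counts = {}
    for ip, _ts, _path, _status in find_suspicious_posts(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def is_affected_version(version):
    """True if an EBS version (e.g. '12.2.10' or 'R12.2.10') is within 12.2.3..12.2.14."""
    parts = tuple(int(p) for p in version.lstrip("Rr").split("."))
    return (12, 2, 3) <= parts <= (12, 2, 14)
```

A hit here is a triage signal, not proof of compromise: SyncServlet is a legitimate endpoint, so correlate flagged requests with the request body, the source, and the patch state of the instance.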

