A recently identified campaign targets Oracle E-Business Suite (EBS) applications through a novel zero-day vulnerability tracked as CVE-2025-61882. The campaign is primarily focused on data exfiltration. GRACEFUL SPIDER is assessed with moderate confidence to be involved, although other threat actors might also be exploiting this vulnerability. The first known attack was recorded on August 9, 2025, but investigations are still ongoing.
Following the disclosure of a proof-of-concept on October 3, 2025, and the release of a patch, there is a high likelihood that threat actors will attempt to exploit this vulnerability further. On September 29, 2025, GRACEFUL SPIDER claimed to have accessed data from various organizations’ Oracle EBS applications. Additionally, a post on a Telegram channel suggested collaboration among different cyber groups, with a member sharing an Oracle EBS exploit and criticizing GRACEFUL SPIDER’s methods.
Oracle’s disclosure of CVE-2025-61882 on October 4, 2025, highlighted the risk of unauthenticated remote code execution. While Oracle did not confirm active exploitation, it provided indicators of compromise, hinting at potential in-the-wild exploitation. Exploitation involves an HTTP POST request to a specific servlet that initiates an authentication bypass, sometimes linked to administrative accounts, and leads to remote code execution.

