- CVE-2025-61882 enables unauthenticated remote code execution against Oracle E‑Business Suite.
- Affected releases span 12.2.3 through 12.2.14; Oracle issued an out-of-band security alert and patches.
- Real-world attacks chain SSRF, CRLF header injection, auth filter bypass and XSLT abuse to reach RCE.
- Exploitation linked to Cl0p, with IOCs shared by Oracle; defenders should patch and hunt for compromise.
After a week of mixed reports and speculation, the picture around CVE-2025-61882 is finally clearer. Multiple sources confirm that a critical flaw in Oracle E‑Business Suite is being actively exploited in the wild, with attackers achieving pre‑authentication remote code execution against internet‑exposed instances.
What makes this case stand out is that the activity observed in the field leans on a multi‑step exploit chain rather than a single bug, stitching together smaller weaknesses into a full takeover. Oracle has shipped an emergency fix and guidance, while threat intel teams report mass exploitation and the circulation of working proof‑of‑concept code.
What’s affected and how severe is it?
Oracle’s weekend advisory states that CVE-2025-61882 allows a remote attacker to compromise an E‑Business Suite deployment without authentication over HTTP. Successful exploitation leads to remote code execution. Versions 12.2.3 through 12.2.14 are in scope, which means the potential blast radius is substantial for organizations running EBS at scale.
Oracle characterizes the impact as critical (widely cited at CVSS 9.8) and urges customers to apply the provided updates immediately. Reports from national cyber authorities echo the vendor’s framing: a specially crafted request to the affected component can result in total system compromise with no user interaction required.

How the attack chain works (high level)
Independent research describes an exploit chain that combines multiple weaknesses to move from an initial foothold to code execution. At a high level, attackers first abuse a server endpoint to force the application to make server‑side requests (SSRF) to targets of their choice inside the victim’s environment.
From there, adversaries extend control over the forged request using CRLF header injection, manipulating how the downstream HTTP call is framed. By carefully reusing the same TCP session (HTTP keep‑alive), they increase reliability and reduce noise, chaining additional steps over a single connection.
With these primitives in place, the chain targets an internally bound service typical of Oracle EBS deployments, reachable via the forged requests. Researchers observed a filter bypass using crafted paths to access endpoints that would otherwise require authentication.
The final pivot abuses a page that dynamically loads an XSL stylesheet based on request context. By influencing where that stylesheet is fetched from, the attacker can coerce the server into processing untrusted XSLT, a known path to code execution in Java when unsafe extensions are available. Put together, these stages culminate in pre‑auth RCE against affected EBS systems.

Active exploitation and threat activity
Multiple security teams report ongoing attacks leveraging CVE‑2025‑61882. Mandiant leadership has linked the wave of intrusions to large‑scale data theft operations and associated extortion activity, noting that the actors combined new and previously patched EBS issues across their campaigns.
Oracle’s alert includes indicators of compromise observed during incident response, such as IP addresses and artifacts seen in victim environments. Separate reporting points to leaked tooling and shared scripts, and mentions the potential involvement of well‑known data-theft and ransomware affiliates, though some relationships remain unconfirmed.
Estimates suggest roughly a four‑figure number of EBS instances are reachable on the public internet, many of them in the U.S. Given the publication of working exploit code and the pre‑auth nature of the flaw, security agencies and vendors alike warn that exploitation will likely broaden to additional actors.
What defenders should do now
Priority one is to apply Oracle’s security updates and follow the official mitigation guidance. Given reports of widespread exploitation, organizations should assume possible exposure and perform a proactive compromise assessment even if patching is completed quickly.
Hunt for evidence of the described SSRF activity, unusual outbound HTTP requests originating from application servers, unexpected access to internally bound EBS services, and any signs of malicious XSLT processing. Cross‑reference network telemetry, reverse proxy logs, EBS access logs, and endpoint alerts with the IOCs shared by Oracle.
Where feasible, reduce exposure by minimizing internet‑facing EBS endpoints, enforcing strict network segmentation to isolate internal services, and hardening reverse proxies to block path traversal patterns and suspicious header manipulation. Strengthening visibility around web-to-internal service bridges is particularly valuable against chained SSRF attacks.
For incident responders, be prepared for data theft and credential reuse scenarios. Validate integrity of EBS application components, review scheduled tasks and out-of-band administration interfaces, and contain any lateral movement stemming from the EBS tier.
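The hunting guidance above calls for spotting CRLF header injection, path traversal toward protected endpoints, and SSRF aimed at internal services in proxy and access logs. The following triage script is an added example, not code from Oracle's alert or from this article: it decodes request targets (including double-encoded forms) and tags those three patterns over constructed log lines; the endpoint path, addresses and port are placeholders, and real indicators must be taken from Oracle's advisory.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote

# Constructed sample access-log lines; /EXAMPLE_ENDPOINT and all IPs are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Oct/2025:10:01:02 +0000] "GET /EXAMPLE_ENDPOINT?id=42 HTTP/1.1" 200 512
203.0.113.10 - - [06/Oct/2025:10:01:05 +0000] "GET /EXAMPLE_ENDPOINT?dest=http://10.0.0.5:8000/%0d%0aHost:%20x HTTP/1.1" 200 48
198.51.100.7 - - [06/Oct/2025:10:02:11 +0000] "GET /EXAMPLE_ENDPOINT/..%252f..%252fprotected/ HTTP/1.1" 200 301
"""

# Combined-log request line; we only need the request target.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD|OPTIONS) (\S+) HTTP/[\d.]+"')
# Any absolute URL embedded in the (decoded) target, capturing its host.
EMBEDDED_URL_RE = re.compile(r'https?://([^/?#\s:]+)', re.IGNORECASE)

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded %252f or %250d still resolves."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def is_internal_host(host):
    """True for loopback/private/link-local targets, i.e. SSRF into the LAN."""
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def classify_target(target):
    """Return the set of suspicious traits found in one request target."""
    decoded = decode_fully(target)
    tags = set()
    if "\r" in decoded or "\n" in decoded:
        tags.add("crlf_injection")            # line breaks smuggled into URL/query
    if re.search(r'(^|[\\/])\.\.([\\/]|$)', decoded):
        tags.add("path_traversal")            # ../ after decoding, incl. ..%2f forms
    if any(is_internal_host(h) for h in EMBEDDED_URL_RE.findall(decoded)):
        tags.add("ssrf_internal_target")      # parameter points at an internal host
    return tags

def triage(log_text):
    """Scan access-log text; return [(line_no, target, sorted tags)] for hits only."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and (tags := classify_target(m.group(1))):
            hits.append((n, m.group(1), sorted(tags)))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Hits still need correlation with outbound connections from the application tier and with the vendor IoCs before they are treated as confirmed compromise.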
The evolving picture shows a critical pre‑auth RCE against widely deployed Oracle E‑Business Suite versions, with a real‑world exploit chain that strings together SSRF, CRLF header injection to smuggle requests, an auth filter bypass, and XSLT abuse. With exploitation already underway, the most effective path forward is rapid patching, targeted threat hunting, and tighter network boundaries around EBS internals.
