CrowdStrike Identifies Campaign Targeting Oracle E-Business Suite via Zero-Day Vulnerability (now tracked as CVE-2025-61882)

CrowdStrike is tracking a mass exploitation campaign almost certainly leveraging a novel zero-day vulnerability — now tracked as CVE-2025-61882 — targeting Oracle E-Business Suite (EBS) applications for the purposes of data exfiltration. 

CrowdStrike Intelligence assesses with moderate confidence that GRACEFUL SPIDER is likely involved in this campaign but cannot rule out the possibility that multiple threat actors have exploited CVE-2025-61882. The first known exploitation occurred on August 9, 2025; however, investigations remain ongoing, and this date is subject to change. 

CrowdStrike Intelligence further assesses that the October 3, 2025 proof-of-concept (POC) disclosure and the CVE-2025-61882 patch release will almost certainly encourage threat actors — particularly those familiar with Oracle EBS — to create weaponized POCs and attempt to leverage them against internet-exposed EBS applications.

Details

On September 29, 2025, GRACEFUL SPIDER emailed multiple organizations and claimed to have accessed and exfiltrated data from each recipient's Oracle EBS applications.

On October 3, 2025, a participant in one of the Telegram channels insinuating collaboration between SCATTERED SPIDER, SLIPPY SPIDER, and ShinyHunters posted a purported Oracle EBS exploit (SHA256 hash: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d). In the same post, the participant criticized GRACEFUL SPIDER's tactics.

It is unclear how the poster obtained the exploit and whether this actor, or any other actor associated with the channel, has leveraged it. Oracle published this POC as an indicator of compromise (IOC) in its CVE-2025-61882 disclosure, suggesting the vendor assesses that the POC has been, or may be, used for CVE-2025-61882 exploitation. While analysis is ongoing, the purported POC appears to align with at least some of the observed exploitation, including activity that leverages Java Servlets.

Unauthenticated RCE Vulnerability (CVE-2025-61882)

On October 4, 2025, Oracle publicly disclosed CVE-2025-61882, a vulnerability impacting Oracle EBS that can result in unauthenticated remote code execution (RCE). While Oracle's advisory did not explicitly state this vulnerability has been exploited in the wild (ITW), Oracle provided IOCs (such as IP addresses, observed commands, and files) suggesting ITW exploitation.[1]

CVE-2025-61882 appears to align with at least some of the exploitation activity CrowdStrike has analyzed thus far.

Authentication Bypass

The observed activity appears to begin with an HTTP POST request to /OA_HTML/SyncServlet, which initiates the authentication-bypass portion of a multi-step exploit chain. On at least one confirmed occasion, authentication bypass was related to an administrative account within EBS. 

Code Execution 

To achieve code execution, the adversary targeted Oracle's XML Publisher Template Manager by issuing GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload and execute a malicious XSLT template. Commands embedded in the template are executed when the template is previewed. Figure 1 documents example GET and POST requests used to upload and preview a malicious template.
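The two stages described above (the authentication-bypass POST to /OA_HTML/SyncServlet, followed by template upload and preview through /OA_HTML/RF.jsp and /OA_HTML/OA.jsp) give defenders a sequence to hunt for in web-tier access logs. The following detection script is an added example written for this page; it is not CrowdStrike's or Oracle's code. It assumes the EBS front end writes Apache-style Combined Log Format lines, uses a constructed ten-minute correlation window, and runs over constructed sample log lines embedded inline; the endpoint paths are the ones named in the advisory. Requests to RF.jsp and OA.jsp are normal EBS traffic, so the script only raises a high-severity finding when they follow a SyncServlet POST from the same source address, and reports a lone SyncServlet POST at low severity for triage.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the advisory: the authentication-bypass entry point and
# the two XML Publisher Template Manager endpoints used to upload/preview templates.
AUTH_BYPASS_PATH = "/OA_HTML/SyncServlet"
TEMPLATE_PATHS = frozenset({"/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp"})

# Assumed log format: Apache/OHS Combined Log Format. Adjust LOG_RE for a
# different proxy or WebLogic access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real IOCs): one source performs the full chain,
# one browses normally, one only touches SyncServlet.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Aug/2025:10:15:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [09/Aug/2025:10:15:04 +0000] "GET /OA_HTML/RF.jsp?x=1 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.10 - - [09/Aug/2025:10:15:07 +0000] "POST /OA_HTML/OA.jsp?page=template HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [09/Aug/2025:11:02:30 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2025:11:03:00 +0000] "GET /OA_HTML/OA.jsp?page=home HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
192.0.2.55 - - [09/Aug/2025:12:40:12 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 302 0 "-" "curl/8.4.0"
"""


def parse_access_log(text):
    """Parse CLF lines into (ip, timestamp, method, path, status) tuples; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["target"].split("?", 1)[0]  # drop the query string before matching
        events.append((m["ip"], ts, m["method"], path, int(m["status"])))
    return events


def find_ebs_exploit_chains(events, window=timedelta(minutes=10)):
    """Correlate each POST to SyncServlet with later RF.jsp/OA.jsp requests from the same source IP."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[0]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[1])
        for i, (_, ts, method, path, _status) in enumerate(evs):
            if method != "POST" or path != AUTH_BYPASS_PATH:
                continue
            # Template Manager requests within the window after the bypass POST.
            followups = [(e[2], e[3]) for e in evs[i + 1:]
                         if e[1] - ts <= window and e[3] in TEMPLATE_PATHS]
            findings.append({
                "ip": ip,
                "first_seen": ts.isoformat(),
                "severity": "high" if followups else "low",
                "template_requests": followups,
            })
    findings.sort(key=lambda f: f["first_seen"])
    return findings


if __name__ == "__main__":
    for finding in find_ebs_exploit_chains(parse_access_log(SAMPLE_LOG)):
        print(finding)
```

Run against real logs by replacing SAMPLE_LOG with the contents of the access log; a high-severity finding is a candidate for pulling the corresponding XML Publisher template records and reviewing the preview activity, while a low-severity finding on a host that has no legitimate SyncServlet clients still warrants a look.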
