A critical pre-authentication Remote Code Execution (RCE) flaw in Oracle E-Business Suite (versions 12.2.3–12.2.14) allows attackers to gain full control over vulnerable servers via malicious HTTP requests — now actively exploited in the wild.
TL;DR
CVE-2025–61882 is a critical, pre-auth RCE in Oracle E-Business Suite (EBS) actively exploited in extortion/data-theft campaigns. Affected versions: 12.2.3 → 12.2.14. Oracle published an emergency advisory with IOCs (IPs, shell-stager command, SHA-256s). Patch or shield exposed systems immediately, hunt with the provided detections, and use the safe Python script below to scan logs. Don't run public PoCs on production — test only in an isolated lab with authorization. 🛑🗿
Why this matters
Oracle EBS runs critical business functions (ERP, payroll, finance, HR). A pre-auth RCE in a web-facing EBS instance allows an attacker to execute arbitrary commands on the application server, potentially access sensitive data, drop webshells, and exfiltrate files. This vulnerability was weaponized in the wild and tied to extortion campaigns — it's a real business incident, not a theoretical CVE. 🔥
Technical summary (short)
- Type: Pre-authentication Remote Code Execution (RCE)
- Product: Oracle E-Business Suite (EBS)
- Affected versions: 12.2.3 → 12.2.14
- Attack surface: Web-facing components — UiServlet,
/OA_HTML/flows, and related endpoints - CVSS: 9.8 - Critical
- Exploit: Crafted HTTP requests leading to command execution on the app server; multiple exploit patterns observed in the wild
Timeline (condensed)
- Vulnerability discovered and exploited in 2025.
- Oracle released an emergency advisory and patches shortly after public exploitation reports.
- Multiple vendors published detection guidance and IOCs.
- Public PoCs circulated — handle with extreme caution. ⚠️
Observed attacker behavior (TTPs)
- Scanning for EBS UIs and version disclosures.
- Sending crafted POSTs/requests to
UiServletand/OA_HTML/to trigger RCE. - Deploying stagers/webshells and spawning reverse shells (e.g.,
/bin/bash -i >& /dev/tcp/...). - Compressing and exfiltrating sensitive files, followed by extortion and data leak demands.
- Using infrastructure linked to known extortion groups.
Oracle-provided IOCs (use immediately)
Oracle notes these IOCs are observed activity across incidents (not limited to CVE-2025–61882). Treat any positive match as high priority.
IPs
200.107.207.26— Potential GET/POST activity185.181.60.11— Potential GET/POST activity
Shell stager pattern
sh -c /bin/bash -i >& /dev/tcp// 0>&1— observed outbound TCP reverse shell style command
SHA-256 hashes (exploit / PoC artifacts)
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d(oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip)aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121(.../exp.py)6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b(.../server.py)
Affected versions (repeat for emphasis)
- Oracle E-Business Suite 12.2.3–12.2.14. 🔁
High-priority detection & correlation rules (practical starters)
TL;DR: The GitHub Repo contains passive detection artifacts for CVE-2025–61882 (Oracle E-Business Suite pre-auth RCE). Use these to hunt, triage, and contain — not to exploit. 🛑🗿
A brief Description.md (mini-README) has already been added inside the detections/ folder — check that file for the full writeup and TL;DR. This top-level README only summarizes the detection pack and usage so you can grab and run things quickly.
What's in this pack
detections/splunk/
oracle_cve61882_ioc_traffic.spl — Detect traffic to/from Oracle-provided IOC IPs.
oracle_cve61882_uiservlet_post.spl — Detect suspicious POSTs to UiServlet / /OA_HTML/ from external IPs.
oracle_cve61882_reverse_shell.spl — Detect reverse-shell style process creation in endpoint logs.
detections/elastic/
oracle_cve61882_uiservlet_post.kql — KQL for UiServlet/OA_HTML POSTs.
oracle_cve61882_filehash_detection.kql — KQL to match Oracle-provided malicious SHA-256s.
detections/scripts/
ebs_safe_hunt.py — Safe, offline Python log parser (no network calls, no exploit execution). Run against copies of your access logs.
detections/Description.md
The mini writeup/TL;DR you added — contains the full context, IOCs, affected versions, and guidance.
Quick start
- Review
detections/Description.mdfor context and IOCs. ✅ - Drop the Splunk
.splqueries into your Splunk environment (or import them into saved searches / alerts). - Paste the KQL queries into Kibana / Elastic detection rules.
- Copy
ebs_safe_hunt.pyto a host that only has read access to archived or redacted logs, then run:
python3 ebs_safe_hunt.py /path/to/access.log5. Review flagged malicious_ips, servlet_posts, shell_stager, and malicious_hash outputs and escalate as needed. 🕵️♂️
Safety & rules of engagement
- These artifacts are passive detection tools only. Do not run public PoCs against production or systems you do not own/authorize. ⚠️
- If detection shows confirmed compromise (file-hash hit, reverse-shell evidence, or webshell), isolate the host and collect forensics immediately.
Deep diving into the Scripts:
Principle: combine version disclosure or UI hits with high-confidence indicators (malicious IPs, POST to UiServlet/OA_HTML, reverse shell process strings, file hash matches, large outbound uploads).
Splunk examples Detect traffic to Oracle IOCs:
index=web_logs OR index=proxy_logs
| where clientip IN ("200.107.207.26","185.181.60.11") OR dest_ip IN ("200.107.207.26","185.181.60.11")
| stats count by clientip, dest_ip, uri, method, useragent, _time
| sort - countDetect UiServlet/OA_HTML POSTs from external IPs:
index=web_logs sourcetype=access_combined
| where (uri LIKE "%UiServlet%" OR uri LIKE "%/OA_HTML/%") AND method="POST"
| where NOT cidrmatch("10.0.0.0/8", clientip) // adjust for your internal ranges
| stats count by clientip, uri, useragent, _time
| sort - countDetect reverse shell process creation (EDR):
index=endpoint_events sourcetype=os_process
| where process_cmdline LIKE "%/bin/bash -i%/dev/tcp/%" OR process_cmdline LIKE "%/dev/tcp//%"
| table _time host user process_name process_cmdline parent_processElastic / KQL examples UiServlet suspicious POST:
http.request.method : "POST" and (http.request.uri : "*UiServlet*" or http.request.uri : "/OA_HTML/*") and not client.ip : ("10.0.0.0/8")File hash detection:
event.type: "file" and file.hash.sha256 : ("76b6d36e04e3...", "aa0d3859d66...", "6fd538e4a8e3...")Sigma (portable rule ideas)
- Rule: POST to
UiServlet//OA_HTML/from external IPs → high priority - Rule: Process creation with
/bin/bash -i >& /dev/tcp/→ critical - Rule: File hash match for the three SHA-256s → confirmed compromise
Safe detection script (Python) — use against logs (no exploits, no network calls)
This script parses web access logs in combined format and flags suspicious UiServlet/OA_HTML POSTs, requests from Oracle-listed malicious IPs, shell stager patterns, and occurrences of the provided SHA-256 hashes. It does not perform any network activity or run exploit code.
#!/usr/bin/env python3
"""
ebs_safe_hunt.py — Safe log parser for CVE-2025-61882 indicators.Usage:
python3 ebs_safe_hunt.py /path/to/access.log
Notes:
- Parses Apache/Nginx combined log lines.
- Flags UiServlet/OA_HTML POSTs, malicious IPs from Oracle advisory,
shell stager patterns, and observed SHA256 hashes.
- Safe: no network / no exploit execution.
"""
import sys
import re
from collections import Counter, defaultdict
# Regex for common combined log format
LOG_PATTERN = re.compile(
r'(?P<ip>\S+) \S+ \S+ \[(?P<time>.*?)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Oracle-provided IOCs
MALICIOUS_IPS = {"200.107.207.26", "185.181.60.11"}
MALICIOUS_HASHES = {
"76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
"aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
"6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}
SHELL_PATTERN = "/bin/bash -i" # we search for this substring (reverse shell style)
SUSPICIOUS_PATHS = ["UiServlet", "/OA_HTML/"]
# Optional: list of suspicious user-agents often used by scanners
SUSPICIOUS_UAS = ["curl", "wget", "python-requests", "nikto", "sqlmap", "masscan", "Nmap"]
def analyze_log(path):
ip_counts = Counter()
uri_counts = Counter()
ua_counts = Counter()
suspicious = defaultdict(list)
with open(path, "r", errors="replace") as fh:
for line_no, line in enumerate(fh, 1):
m = LOG_PATTERN.search(line)
if not m:
# Optionally, still check for hashes or shell pattern in unstructured lines
if any(h in line for h in MALICIOUS_HASHES):
suspicious["malicious_hash_lines"].append((line_no, line.strip()))
if SHELL_PATTERN in line or "/dev/tcp/" in line:
suspicious["shell_pattern_lines"].append((line_no, line.strip()))
continue
ip = m.group("ip")
method = m.group("method")
uri = m.group("uri")
ua = m.group("ua")
size = m.group("size")
ip_counts[ip] += 1
uri_counts[uri] += 1
ua_counts[ua] += 1
# 1) Malicious IPs (Oracle)
if ip in MALICIOUS_IPS:
suspicious["malicious_ips"].append((line_no, ip, method, uri, ua))
# 2) POSTs to suspicious EBS paths
if method.upper() == "POST" and any(p in uri for p in SUSPICIOUS_PATHS):
suspicious["servlet_posts"].append((line_no, ip, uri, ua))
# 3) Suspicious user agents (scanners)
if any(k.lower() in ua.lower() for k in SUSPICIOUS_UAS):
suspicious["suspicious_ua"].append((line_no, ip, uri, ua))
# 4) Very large responses (possible exfil) - tune threshold for your environment
try:
if size != "-" and int(size) > 5_000_000: # >5MB
suspicious["large_responses"].append((line_no, ip, uri, size))
except ValueError:
pass
# 5) Shell stager pattern or /dev/tcp patterns in the line
if SHELL_PATTERN in line or "/dev/tcp/" in line:
suspicious["shell_stager"].append((line_no, ip, uri, line.strip()))
# 6) Known malicious file hashes present in logs (if available)
for h in MALICIOUS_HASHES:
if h in line:
suspicious["malicious_hash"].append((line_no, ip, uri, h))
return {
"ip_counts": ip_counts,
"uri_counts": uri_counts,
"ua_counts": ua_counts,
"suspicious": suspicious
}
def pretty_report(r, top=10):
print("\n=== EBS HUNT REPORT ===\n")
print("Top source IPs:")
for ip, c in r["ip_counts"].most_common(top):
print(f" {ip}: {c}")
print("\nTop URIs:")
for uri, c in r["uri_counts"].most_common(top):
print(f" {uri}: {c}")
print("\nTop User-Agents:")
for ua, c in r["ua_counts"].most_common(top):
print(f" {ua}: {c}")
print("\nSuspicious findings:")
if not r["suspicious"]:
print(" None found.")
return
for k, items in r["suspicious"].items():
print(f"\n-- {k} ({len(items)} matches) --")
for item in items[:100]:
print(" " + " | ".join(map(str, item)))
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python3 ebs_safe_hunt.py /path/to/access.log")
sys.exit(1)
path = sys.argv[1]
result = analyze_log(path)
pretty_report(result)
How to use: copy ebs_safe_hunt.py to a host that has read access to archived or copied logs. Run:
python3 ebs_safe_hunt.py /path/to/access.logReview flagged malicious_ips, servlet_posts, shell_stager, and malicious_hash results and escalate appropriately. 🕵️♂️
Immediate mitigation & containment checklist (practical)
- Patch: Apply Oracle's emergency patch per the advisory for any EBS 12.2.3–12.2.14 installs. Follow prerequisite CPU order. ✅
- If you can't patch immediately: block public access to EBS UI (firewall, WAF, restrict to VPN/trusted IPs). 🔒
- Block IOCs at perimeter: block
200.107.207.26and185.181.60.11and any other vendor-supplied IOC IPs/domains. - Hunt: run the Splunk/Elastic hunts above and the safe Python script across logs.
- EDR/AV: search for the three SHA-256 hashes and webshell artifacts; isolate hosts if found.
- Forensics: capture memory and disk images for suspected hosts; preserve logs.
- Credentials: rotate service/admin credentials after containment.
- Legal/comms: prepare incident notification if regulated data was exfiltrated.
Leadership brief (one-pager — copy/paste)
Subject: Critical: CVE-2025–61882 — Oracle E-Business Suite — Immediate action required
What: Critical pre-auth RCE (CVE-2025–61882) in Oracle EBS (12.2.3–12.2.14). Exploited in data-theft/extortion campaigns.
Immediate asks (next 24 hours):
- Confirm if EBS 12.2.3–12.2.14 instances exist.
- If yes: apply Oracle's emergency patch now or block external access to those instances.
- Block Oracle IOCs and ingest vendor feeds into SOC detection.
- SOC: run prioritized hunts (UiServlet/OA_HTML POSTs, malicious IPs, reverse shell patterns, file hash matches).
- If any IOC hits: isolate host, collect forensics, notify legal.
Risk: High — potential full application server compromise, data exfiltration, regulatory exposure. Bottom line: patch or shield now. — 🗿
Final notes & cautions
- Public PoCs exist and are weaponizable. Do not run them on production or third-party systems without written authorization. Use isolated labs only. ⚠️
- Oracle's IOCs represent observed activity across incidents — some indicators may relate to related attacks. Investigate hits with context, but escalate any positive matches.
- Version disclosure is noisy — always correlate version evidence with high-confidence exploit indicators before concluding compromise. 📌
Goodbye Note
You've got everything you need: the overview, IOCs straight from Oracle, practical hunts, and a safe script to kick off triage. Patch or shield your EBS boxes, blast the IOC hunts through your SOC, and isolate anything that looks sketchy. Stay sharp, patch fast, and flex that incident-response muscle. 🗿🔥