Oracle EBS Under Fire as Cl0p Exploits CVE-2025-61882 in Real-World Attacks
Briefly

"The exploitation involves the exploitation of CVE-2025-61882 (CVSS score: 9.8), a critical vulnerability that facilitates remote code execution without authentication. The cybersecurity company also noted that it's currently not known how a Telegram channel "insinuating" collaboration between Scattered Spider, LAPSUS$ (aka Slippy Spider), and ShinyHunters came into the possession of an exploit for the flaw, and if they and other threat actors have leveraged it in real-world attacks."
"The observed activity so far involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. The attacker then targets Oracle's XML Publisher Template Manager by issuing GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload and execute a malicious XSLT template. The commands in the malicious template are executed when it is previewed, resulting in an outbound connection from the Java web server process to attacker-controlled infrastructure over port 443."
Graceful Spider (aka Cl0p) is assessed with moderate confidence to be behind the exploitation of Oracle E-Business Suite vulnerability CVE-2025-61882; the first known exploitation dates to August 9, 2025. CVE-2025-61882 carries a CVSS score of 9.8 and enables unauthenticated remote code execution. Observed attack traffic uses an HTTP request to /OA_HTML/SyncServlet to bypass authentication, then abuses the Oracle XML Publisher Template Manager endpoints /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload a malicious XSLT template. Previewing the template triggers command execution and causes the Java web server process to connect outbound over port 443 to attacker-controlled infrastructure, which is then used to load web shells and establish persistence. One or more threat actors likely possess the exploit and use it for data exfiltration.
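The attack chain above gives defenders a sequence to hunt for in EBS front-end access logs: an unauthenticated hit on /OA_HTML/SyncServlet from a client that shortly afterwards requests the Template Manager endpoints /OA_HTML/RF.jsp and /OA_HTML/OA.jsp. Individually those JSP requests are ordinary EBS traffic, so the useful signal is the correlation per source address within a short window. The script below is an added example, not code from The Hacker News or from Oracle; the combined-format log lines are constructed sample data, the ten-minute window and the client addresses are assumptions, and the only paths it keys on are the ones named in the summary.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache combined format (not real traffic).
# 203.0.113.7 performs the SyncServlet bypass followed by Template Manager requests;
# the 10.0.0.x clients show normal-looking EBS usage that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2025:10:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2025:10:01:10 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.7 - - [09/Aug/2025:10:01:12 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [09/Aug/2025:10:01:15 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 4096 "-" "python-requests/2.31"
10.0.0.9 - - [09/Aug/2025:10:05:00 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths taken from the reported activity.
BYPASS_PATH = "/OA_HTML/SyncServlet"
TEMPLATE_PATHS = ("/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        # Drop any query string so matching is on the servlet/JSP path only.
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_suspicious_sequences(log_text, window_seconds=600):
    """Flag Template Manager requests that follow a SyncServlet hit from the
    same client within window_seconds (600 s is an assumed default).
    Returns a list of (ip, method, path, iso_timestamp) tuples."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        bypass_times = [r["ts"] for r in recs if r["path"] == BYPASS_PATH]
        if not bypass_times:
            continue  # no bypass request: plain JSP traffic is not interesting
        for r in recs:
            if r["path"] not in TEMPLATE_PATHS:
                continue
            # Only requests that come after a bypass hit and inside the window count.
            if any(0 <= (r["ts"] - t).total_seconds() <= window_seconds
                   for t in bypass_times):
                findings.append((ip, r["method"], r["path"], r["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for ip, method, path, when in find_suspicious_sequences(SAMPLE_LOG):
        print(f"[{when}] {ip} {method} {path} after SyncServlet bypass")
```

Run against real logs by feeding the access log contents to find_suspicious_sequences in place of SAMPLE_LOG. A hit on its own is a lead, not a verdict: confirm it by checking the Template Manager for recently created or modified XSLT templates and by looking for unexpected outbound TCP/443 connections from the Java web server process during the same window, which the summary names as the next stage.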
Read at The Hacker News