Cyberwire Daily

Oracle EBS Under Fire as Cl0p Exploits CVE-2025-61882 in Real-World Attacks

By Team-CWD, October 15, 2025

CrowdStrike on Monday said it’s attributing the exploitation of a recently disclosed security flaw in Oracle E-Business Suite with moderate confidence to a threat actor it tracks as Graceful Spider (aka Cl0p), and that the first known exploitation occurred on August 9, 2025.

The malicious activity involves the exploitation of CVE-2025-61882 (CVSS score: 9.8), a critical vulnerability that facilitates remote code execution without authentication.

The cybersecurity company also noted that it is currently not known how a Telegram channel “insinuating” collaboration between Scattered Spider, LAPSUS$ (aka Slippy Spider), and ShinyHunters came into possession of an exploit for the flaw, or whether they and other threat actors have leveraged it in real-world attacks.

The Telegram channel has been observed sharing the purported Oracle EBS exploit, while criticizing Graceful Spider’s tactics. It’s worth noting that the binaries dropped by the Cl0p actors contained signatures referencing LAPSUS$, Scattered Spider, and ShinyHunters – codenamed by Resecurity as the Trinity of Chaos.

“Based on our review of the messaging in the Telegram channels, this doesn’t seem to have been intentional at all,” Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, told The Hacker News regarding the possibility of an exploit shared between the two threat groups.

“The way they call out Cl0p and the language used doesn’t appear to represent a ‘friendship’ between partners in crime. However, it does look like one of the Scattered Spider LAPSUS$ Hunters ‘members’ shared this vulnerability with Cl0p.”

In its own technical breakdown of the activity, Resecurity pointed out that the files reference an exploit client named “exp.py” and a malicious content server named “server.py,” adding “both collectives seem to be competing with each other, surprising the industry with new massive hacks resulting from large-scale exploitation of vulnerabilities.”

The exploit workflow is outlined below –

  • The attacker starts the server to deliver the XSL payload, which contains a Base64-encoded reverse shell
  • The attacker sets up a listener with a tool such as Netcat to accept incoming reverse shell connections from compromised systems and establish a communication channel
  • The attacker uses the exploit client to send a specially crafted HTTP request to the target Oracle EBS instance that includes a “return_url” parameter referencing the attacker’s payload server
  • The EBS application retrieves the malicious XSL file, which contains JavaScript code to establish a reverse shell connection back to the attacker’s listener
  • The attacker leverages the reverse shell for post-exploitation

The observed activity so far involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. The attacker then targets Oracle’s XML Publisher Template Manager by issuing GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload and execute a malicious XSLT template.

The commands in the malicious template are executed when it is previewed, resulting in an outbound connection from the Java web server process to attacker-controlled infrastructure over port 443. The connection is subsequently used to remotely load web shells to execute commands and establish persistence.

It’s believed that one or more threat actors are in possession of the CVE-2025-61882 exploit for purposes of data exfiltration.

“The proof-of-concept disclosure and the CVE-2025-61882 patch release will almost certainly encourage threat actors – particularly those familiar with Oracle EBS — to create weaponized POCs and attempt to leverage them against internet-exposed EBS applications,” it said.

In a separate analysis, watchTowr Labs said, “The chain demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated remote code execution.” The entire sequence of events is as follows –

  • Send an HTTP POST request containing a crafted XML to /OA_HTML/configurator/UiServlet to coerce the backend server to send arbitrary HTTP requests by means of a Server-Side Request Forgery (SSRF) attack
  • Use a Carriage Return/Line Feed (CRLF) Injection to inject arbitrary headers into the HTTP request triggered by the pre-authenticated SSRF
  • Use this vulnerability to smuggle requests to an internet-exposed Oracle EBS application via “apps.example.com:7201/OA_HTML/help/../ieshostedsurvey.jsp” and load a malicious XSLT template

The attack, at its core, takes advantage of the fact that the JSP file can load an untrusted stylesheet from a remote URL, opening the door for an attacker to achieve arbitrary code execution.


“This combination lets an attacker control request framing via the SSRF and then reuse the same TCP connection to chain additional requests, increasing reliability and reducing noise,” the company said. “HTTP persistent connections, also known as HTTP keep-alive or connection reuse, let a single TCP connection carry multiple HTTP request/response pairs instead of opening a new connection for every exchange.”
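Both chains above leave a recognisable footprint in the EBS web tier's access log: the Cl0p sequence (SyncServlet, then RF.jsp/OA.jsp with a return_url pointing off-host) and the watchTowr chain (a POST to configurator/UiServlet followed by a traversal-style request to ieshostedsurvey.jsp). The script below is an added hunting example, not code from the article, from CrowdStrike, Resecurity or watchTowr. It assumes Apache/OHS-style combined access log lines, a 30-minute correlation window chosen here, and that apps.example.com (the hostname used in the article) is the EBS server's own name; the sample log lines are constructed and use RFC 5737 documentation addresses.

```python
# Hunt for the CVE-2025-61882 request pattern in an Oracle EBS web-tier access log.
# Added example; assumptions: combined-log format, 30-minute window, apps.example.com is the EBS host.
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Paths named in the article, mapped to the stage of the chain they belong to.
STAGE_PATHS = {
    "/OA_HTML/SyncServlet": "sync_servlet",            # authentication bypass
    "/OA_HTML/RF.jsp": "template_manager",             # XML Publisher Template Manager
    "/OA_HTML/OA.jsp": "template_manager",             # (upload / preview of XSLT template)
    "/OA_HTML/configurator/UiServlet": "ui_servlet",   # pre-auth SSRF entry point
    "/OA_HTML/ieshostedsurvey.jsp": "hosted_survey",   # JSP that loads a remote XSLT
}
# first stage -> (second stage, description); one client hitting both inside WINDOW is escalated.
CHAINS = {
    "sync_servlet": ("template_manager", "SyncServlet followed by XML Publisher Template Manager access"),
    "ui_servlet": ("hosted_survey", "UiServlet followed by ieshostedsurvey.jsp (SSRF-to-XSLT chain)"),
}
WINDOW = timedelta(minutes=30)            # assumed correlation window
TRUSTED_HOSTS = {"apps.example.com"}      # hosts a return_url may legitimately point at (assumed)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "target": m["target"], "status": int(m["status"])}

def normalize(target):
    """Decode and collapse '..' so /OA_HTML/help/../x.jsp compares equal to /OA_HTML/x.jsp."""
    parts = urlsplit(target)
    return posixpath.normpath(unquote(parts.path)), parse_qs(parts.query)

def classify(entry):
    """Return (stage or None, list of per-request findings) for one parsed entry."""
    path, query = normalize(entry["target"])
    hits = []
    stage = STAGE_PATHS.get(path)
    if stage:
        hits.append(f"stage:{stage}")
    if "../" in unquote(entry["target"]):          # traversal segment as seen in the watchTowr chain
        hits.append("path_traversal_segment")
    for url in query.get("return_url", []):         # payload server referenced via return_url
        host = urlsplit(url).hostname
        if host and host not in TRUSTED_HOSTS:
            hits.append(f"external_return_url:{host}")
    return stage, hits

def analyze(lines):
    """Scan log lines (chronological order assumed) and correlate chain stages per client IP."""
    last_seen = defaultdict(dict)   # ip -> stage -> timestamp of most recent hit
    alerted = set()
    findings, alerts = [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        stage, hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["target"], hits))
        if stage is None:
            continue
        for first, (second, desc) in CHAINS.items():
            earlier = last_seen[entry["ip"]].get(first)
            if (stage == second and earlier is not None and entry["ts"] - earlier <= WINDOW
                    and (entry["ip"], desc) not in alerted):
                alerted.add((entry["ip"], desc))
                alerts.append({"ip": entry["ip"], "chain": desc, "at": entry["ts"].isoformat()})
        last_seen[entry["ip"]][stage] = entry["ts"]
    return {"findings": findings, "alerts": alerts}

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:14:03:11 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
203.0.113.10 - - [10/Oct/2025:14:03:19 +0000] "GET /OA_HTML/RF.jsp?return_url=http://198.51.100.7/t.xsl HTTP/1.1" 200 2048
203.0.113.10 - - [10/Oct/2025:14:03:25 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 1024
198.51.100.20 - - [10/Oct/2025:15:10:02 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 300
198.51.100.20 - - [10/Oct/2025:15:10:04 +0000] "GET /OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.1" 200 700
192.0.2.5 - - [10/Oct/2025:16:00:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 900
192.0.2.5 - - [10/Oct/2025:16:00:30 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/toolbox/webui/HelloWorldPG HTTP/1.1" 200 4000
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, target, hits in result["findings"]:
        print(f"{ip:15} {target[:60]:60} {', '.join(hits)}")
    for alert in result["alerts"]:
        print(f"ALERT {alert['ip']} {alert['at']}: {alert['chain']}")
```

Two design points matter in practice. A single hit on OA.jsp or RF.jsp is normal EBS traffic (the third client in the sample only produces a low-severity finding), so the escalation is driven by stage ordering per client within the window rather than by any one path; and paths are percent-decoded and normalised before matching, because the traversal form help/../ieshostedsurvey.jsp quoted by watchTowr would otherwise slip past an exact-string rule. Run it against the real log with `analyze(open(path).read().splitlines())`, and treat an external return_url host as an indicator worth blocking at the egress firewall, since the article notes the callback from the Java web server process goes out over port 443.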

CVE-2025-61882 has since been added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA), which noted that it has been used in ransomware campaigns and urged federal agencies to apply the fixes by October 27, 2025.

“Cl0p has been exploiting multiple vulnerabilities in Oracle EBS since at least August 2025, stealing large amounts of data from several victims, and has been sending extortion emails to some of those victims since last Monday,” Jake Knott, principal security researcher at watchTowr, said in a statement.

“Based on the evidence, we believe this is Cl0p activity, and we fully expect to see mass, indiscriminate exploitation from multiple groups within days. If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls — fast.”

(The story was updated after publication to include insights from Resecurity and a response from Rapid7.)
