Breach report
Oracle E-Business Suite: a zero-day RCE fueled a Cl0p extortion wave
What happened
Oracle E-Business Suite (EBS) is a large enterprise resource-planning platform running finance, HR, and supply-chain operations. On October 4, 2025, Oracle disclosed CVE-2025-61882, an unauthenticated remote-code-execution flaw with a CVSS score of 9.8 in the Oracle Concurrent Processing component, affecting versions 12.2.3 through 12.2.14. According to Mandiant, the Cl0p ransomware gang had already exploited it as a zero-day around August 2025, before any patch existed, as part of a data-theft extortion campaign. CISA added the CVE to its Known Exploited Vulnerabilities catalog on October 7, 2025, and the UK NCSC and Singapore CSA issued emergency advisories.
The published exploit chain abuses EBS configuration endpoints to force the server to fetch an attacker-controlled XSL stylesheet, which uses Java's ScriptEngine to evaluate embedded JavaScript and execute OS commands via the Java runtime — no authentication required.
Root cause
Untrusted input drove both a dangerous external-resource fetch and code evaluation: the server retrieved and processed an attacker-supplied XSL template, then evaluated embedded script (CWE-502-style unsafe processing of untrusted data leading to CWE-77 command execution). It is a textbook Injection failure — untrusted data reaching an interpreter that will execute it.
How it would have been caught
Tests that assert server-side template/XSL processing never fetches or evaluates externally supplied resources would flag the fetch-and-evaluate path; dynamic testing points the endpoint at a canary URL and confirms whether the server calls out. A reproduction supplies a malicious XSL reference and confirms the server executes an embedded command rather than refusing the external template.
How to prevent it
- Never fetch or evaluate externally supplied templates/stylesheets; disable external entity and stylesheet resolution and script evaluation in XML/XSL processors.
- Treat any interpreter reachable from untrusted input as an injection sink and close it.
- Patch internet-facing ERP on disclosure and hunt retroactively — Cl0p exploited this for months before the advisory.
The Breachwire test (red → green)
Supply the malicious XSL reference and confirm the server fetches it and executes the embedded command — the RED control. Disable external stylesheet resolution and script evaluation, then confirm the same input is rejected while legitimate report processing still runs.