Breachwire.riscent

Breach report

Oracle E-Business Suite: a zero-day RCE fueled a Cl0p extortion wave

Web Application BreachesCritical (CVSS 9.8)CVE-2025-618822025-10
The bottom lineThe Cl0p ransomware group exploited an unauthenticated RCE zero-day in Oracle E-Business Suite before patches existed, using an attacker-controlled XSL stylesheet to run commands and drive a data-theft extortion campaign.
Category
Web Application Breaches
Type
CVE · Named zero-day mass-exploitation (Cl0p)
Date
2025-10
Severity
Critical (CVSS 9.8)
OWASP
Web A05 Injection
CWE / CVE
CWE-502 / CWE-77 CVE-2025-61882

What happened

Oracle E-Business Suite (EBS) is a large enterprise resource-planning platform running finance, HR, and supply-chain operations. On October 4, 2025, Oracle disclosed CVE-2025-61882, an unauthenticated remote-code-execution flaw with a CVSS score of 9.8 in the Oracle Concurrent Processing component, affecting versions 12.2.3 through 12.2.14. According to Mandiant, the Cl0p ransomware gang had already exploited it as a zero-day around August 2025, before any patch existed, as part of a data-theft extortion campaign. CISA added the CVE to its Known Exploited Vulnerabilities catalog on October 7, 2025, and the UK NCSC and Singapore CSA issued emergency advisories.

The published exploit chain abuses EBS configuration endpoints to force the server to fetch an attacker-controlled XSL stylesheet, which uses Java's ScriptEngine to evaluate embedded JavaScript and execute OS commands via the Java runtime — no authentication required.

Root cause

Untrusted input drove both a dangerous external-resource fetch and code evaluation: the server retrieved and processed an attacker-supplied XSL template, then evaluated embedded script (CWE-502-style unsafe processing of untrusted data leading to CWE-77 command execution). It is a textbook Injection failure — untrusted data reaching an interpreter that will execute it.

How it would have been caught

Tests that assert server-side template/XSL processing never fetches or evaluates externally supplied resources would flag the fetch-and-evaluate path; dynamic testing points the endpoint at a canary URL and confirms whether the server calls out. A reproduction supplies a malicious XSL reference and confirms the server executes an embedded command rather than refusing the external template.

How to prevent it

  • Never fetch or evaluate externally supplied templates/stylesheets; disable external entity and stylesheet resolution and script evaluation in XML/XSL processors.
  • Treat any interpreter reachable from untrusted input as an injection sink and close it.
  • Patch internet-facing ERP on disclosure and hunt retroactively — Cl0p exploited this for months before the advisory.

The Breachwire test (red → green)

Supply the malicious XSL reference and confirm the server fetches it and executes the embedded command — the RED control. Disable external stylesheet resolution and script evaluation, then confirm the same input is rejected while legitimate report processing still runs.