A critical security flaw in Oracle E-Business Suite (EBS) is being actively exploited by the Cl0p ransomware group, also known as Graceful Spider, according to a new advisory from CrowdStrike. The first known exploitation was detected on August 9, 2025.
- SSRF (Server-Side Request Forgery) to coerce backend servers into making arbitrary requests.
- CRLF injection to insert custom headers into requests.
- Request smuggling to access internal endpoints and upload malicious templates.
This attack abuses the ability of JSP files to load untrusted stylesheets, allowing arbitrary code execution. Persistent HTTP connections are used to chain multiple requests, increasing reliability and reducing detection.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog. The agency has warned that the vulnerability has already been used in ransomware campaigns. All federal agencies have been ordered to apply security patches by October 27, 2025.
Security experts have raised alarms that mass exploitation is expected within days. Cl0p has already targeted multiple organizations since August, stealing sensitive data and issuing extortion emails.
Organizations using Oracle EBS are being strongly advised to patch immediately, conduct threat hunts, and strengthen access controls. Delays in remediation could lead to significant data breaches, financial loss, and operational disruption.
SEO Keywords included: Oracle E-Business Suite, CVE-2025-61882, Cl0p ransomware, remote code execution, SSRF, CRLF injection, WatchTowr Labs, CrowdStrike, CISA KEV, cybersecurity vulnerability, patch advisory.
Leave A Comment