Well, Well, Well, It's Another Day: Oracle E-Business Suite Pre-Auth RCE Chain (CVE-2025-61882)

Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14 are vulnerable to a complex pre-authentication exploit chain (CVE-2025-61882) that combines SSRF, CRLF header injection, connection reuse, path traversal, and XSLT-based remote stylesheet execution to achieve remote code execution. The chain was analyzed from a public PoC and demonstrates attacker-controlled HTTP requests that fetch and execute a malicious XSL stylesheet, enabling arbitrary code execution on affected EBS instances. #OracleEBS #CVE-2025-61882

Keypoints

  • Oracle published advisory CVE-2025-61882: a pre-auth, remotely exploitable RCE affecting Oracle E-Business Suite 12.2.3–12.2.14.
  • Attackers chain at least five distinct issues: SSRF via UiServlet, CRLF header injection, HTTP connection reuse, authentication filter bypass via path traversal, and remote XSLT processing leading to RCE.
  • The SSRF originates from /OA_HTML/configurator/UiServlet accepting XML in the getUiType parameter and allowing an attacker-controlled return_url to be dereferenced and posted to.
  • CRLF injection in the SSRF allows arbitrary header injection and request framing; connection keep-alive is used to reuse TCP connections and deliver subsequent requests to a local service on port 7201.
  • Path traversal against /OA_HTML/help/ lets attackers reach internal JSPs (for example ieshostedsurvey.jsp) that build stylesheet URLs from the Host header and fetch attacker-controlled XSL files.
  • ieshostedsurvey.jsp performs XSLT processing using remote stylesheets and Java extension functions (e.g., ScriptEngineManager), enabling arbitrary code execution when a malicious XSL is served.
  • Defenders can validate exposure with the provided PoC request patterns and hunt for indicators such as requests to UiServlet, unusual Host header usage, and remote stylesheet fetches.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The chain exploits a pre-auth servlet and other web-facing components to achieve remote code execution by sending crafted XML/HTTP payloads (‘This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution.’).
  • [T1105] Ingress Tool Transfer – The attacker-controlled server serves a malicious XSL stylesheet that the vulnerable server fetches and executes, effectively transferring and executing attacker code (‘the ability to load an untrusted stylesheet allows an attacker to achieve arbitrary Remote Code Execution.’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The XSL uses Java extension namespaces and javax.script.ScriptEngineManager to decode base64 payloads and evaluate JavaScript, resulting in arbitrary code execution (‘xmlns:jsm="…/javax.script.ScriptEngineManager"…’).
  • [T1565] Network Protocol Manipulation (CRLF/Header Injection & Connection Reuse) – CRLF sequences are injected via the SSRF to craft request framing and headers, and HTTP persistent connections are abused to chain additional requests to internal services over the same TCP connection (‘CRLF payloads can be utilized to inject arbitrary headers into the HTTP request triggered by the Server-Side Request Forgery’ and connection reuse enables subsequent requests over the same channel).
  • [T1195] Supply Chain Compromise / Exploit Protection Bypass (Path Traversal to bypass auth filters) – The exploit leverages path traversal (e.g., ../ or Java-specific variants) to bypass an authentication whitelist and reach protected JSPs under /OA_HTML/help/, exposing functionality used later in the chain (‘By appending ../ and the target file/servlet to an HTTP request sent to /OA_HTML/help/ , the exploit chain can circumvent the authentication whitelist’).

Indicators of Compromise

  • [CVE] vulnerability identifier – CVE-2025-61882
  • [Software Versions] affected versions – Oracle E-Business Suite 12.2.3 through 12.2.14
  • [Hostnames / IPs] internal and attacker hosts observed in PoC/context – apps.example.com, attacker-oob-server (and 172.31.28.161 as a private IP)
  • [URLs / Endpoints] servlet and JSP endpoints used in exploitation – /OA_HTML/configurator/UiServlet, /OA_HTML/help/../ieshostedsurvey.jsp, and the full test request to http://apps.example.com:7201/OA_HTML/ieshostedsurvey.jsp
  • [Ports] local service port targeted – 7201/TCP
  • [File paths / filenames] webapp files referenced – /FMW_Home/Oracle_EBS-app1/applications/oacore/html/WEB-INF/web.xml, ieshostedsurvey.jsp, ieshostedsurvey.xsl
  • [HTTP request artifacts / headers] request features to hunt for – Connection: keep-alive; a Host header carrying an internal hostname or an attacker-controlled host (e.g., ‘not-actually-watchtowr.com-stop-emailing-us-about-iocs:8000’); form parameters redirectFromJsp and getUiType with embedded XML payloads; Cookie: JSESSIONID and EBSDB values seen in the PoC (only truncated example values are present).
  • [XSLT / Java extension usage] malicious XSL constructs – Java-based XSL namespaces (sun.misc.BASE64Decoder, javax.script.ScriptEngineManager) and an XSL template that decodes base64 and invokes ScriptEngine eval (example patterns present in the PoC XSL).
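The hunting guidance in the key points (requests to UiServlet, unusual Host headers, traversal under /OA_HTML/help/) and the request artifacts listed above can be turned into a log triage script. The following is an added example written for this summary; it is not code from the watchTowr write-up or from Oracle. It assumes an Apache/OHS-style access log that also records the Host request header (for instance LogFormat '%h %l %u %t "%r" %>s %b "%{Host}i"'), an assumed allow-list of front-end hostnames, and constructed sample log lines; the endpoint names and port 7201 come from the indicators above.

```python
"""Hunt for CVE-2025-61882-style request patterns in web-server access logs.

Added example for this summary (not code from the watchTowr post or Oracle).
Assumes an Apache/OHS-style access log that also records the Host header,
e.g. LogFormat '%h %l %u %t "%r" %>s %b "%{Host}i"'. All sample lines are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Hostnames the EBS front end is legitimately addressed by (assumed value).
ALLOWED_HOSTS = {"apps.example.com"}
# Internal OACore listener port named in the analysis; a Host header that
# carries it in externally logged traffic is worth a look.
INTERNAL_PORT = "7201"

# Combined log format plus a trailing quoted Host header.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)


@dataclass
class Finding:
    client: str
    timestamp: str
    target: str
    host: str
    indicators: list


def canonical_path(target: str) -> str:
    """Drop the query string and percent-decode twice so that single- and
    double-encoded '..' sequences become visible."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def indicators_for(target: str, host: str) -> list:
    """Return the indicator names matched by one request line."""
    path = canonical_path(target).lower()
    found = []
    # Pre-auth SSRF entry point named in the advisory analysis.
    if path.startswith("/oa_html/configurator/uiservlet"):
        found.append("uiservlet_request")
    # Traversal out of the /OA_HTML/help/ whitelist prefix.
    if path.startswith("/oa_html/help/") and ".." in path:
        found.append("help_path_traversal")
    # The JSP that builds a stylesheet URL from the Host header.
    if "ieshostedsurvey.jsp" in path:
        found.append("ieshostedsurvey_access")
    # Host header that is not one of ours, or that names the internal port.
    hostname, _, port = host.partition(":")
    if hostname.lower() not in ALLOWED_HOSTS or port == INTERNAL_PORT:
        found.append("unexpected_host")
    return found


def hunt(log_text: str) -> list:
    """Parse every line and keep the ones that match at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line; count these separately in production
        inds = indicators_for(m["target"], m["host"])
        if inds:
            findings.append(Finding(m["client"], m["ts"], m["target"], m["host"], inds))
    return findings


# Constructed sample log (not real traffic): two benign lines, then three
# lines shaped like the request patterns described in the summary.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2025:10:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "apps.example.com"
203.0.113.10 - - [05/Oct/2025:10:01:13 +0000] "GET /OA_HTML/help/index.htm HTTP/1.1" 200 812 "apps.example.com"
198.51.100.7 - - [05/Oct/2025:10:02:40 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 233 "apps.example.com"
198.51.100.7 - - [05/Oct/2025:10:02:41 +0000] "POST /OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.1" 200 117 "attacker-oob-server.example:8000"
198.51.100.7 - - [05/Oct/2025:10:02:42 +0000] "GET /OA_HTML/help/%252e%252e/ieshostedsurvey.jsp HTTP/1.1" 404 0 "apps.example.com:7201"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f.timestamp, f.client, f.target, f.host, ", ".join(f.indicators))
```

The Host check is the part most worth tuning: the JSP in the chain builds its stylesheet URL from that header, so a request to ieshostedsurvey.jsp whose Host is not one of your own names (or carries the internal 7201 port) is the combination to escalate first, while a bare UiServlet hit on its own is lower confidence and is better correlated with the POST body or WAF logs where those are available.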


Read more: https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/