Ethical Hacking News
Oracle silently fixed a zero-day exploit leaked by ShinyHunters but remains tight-lipped about the incident. The company released an out-of-band security update for CVE-2025-61884 without disclosing active exploitation or providing details about the vulnerability. This lack of transparency has left cybersecurity researchers confused, and it is essential to examine the situation to ensure that measures are taken to prevent similar incidents in the future.
The ShinyHunters extortion group leaked a proof-of-concept exploit for CVE-2025-61882, a pre-authentication Server-Side Request Forgery (SSRF) flaw. Oracle released an out-of-band security update to address the vulnerability, but did not disclose that it had been actively exploited or provide details about the new vulnerability CVE-2025-61884. Mandiant and CrowdStrike reports detailed different exploits targeted at Oracle EBS systems, adding to the confusion. Scattered Lapsus$ Hunters released another Oracle E-Business Suite exploit, leading to speculation about a potential connection between the two groups. Oracle's response was criticized for its lack of transparency, leaving researchers puzzled about the nature of CVE-2025-61884 and its connection to the leaked exploit. Tests conducted after installing the patch for CVE-2025-61884 revealed that the SSRF component of the leaked exploit still functions, raising questions about Oracle's security measures.
In recent weeks, cybersecurity researchers have been left bewildered by a peculiar series of events surrounding an exploit in the Oracle E-Business Suite (EBS). The situation began to unfold when the ShinyHunters extortion group, known for their involvement in Clop ransomware operations, publicly leaked a proof-of-concept exploit for the CVE-2025-61882 vulnerability. This leak was met with swift action from Oracle, which released an out-of-band security update aimed at addressing the pre-authentication Server-Side Request Forgery (SSRF) flaw exploited by the leaked PoC.
However, the situation quickly became mired in confusion due to Oracle's decision not to disclose that the vulnerability had been actively exploited or that a public exploit had been released. Instead, the company issued a security advisory for CVE-2025-61884 without providing any additional information about the nature of this vulnerability or its connection to the previously leaked exploit.
The picture was further complicated by the emergence of Mandiant and CrowdStrike reports detailing different exploits targeting Oracle EBS systems. According to these reports, Clop extortion emails had claimed that sensitive data had been stolen from Oracle E-Business Suite systems, while researchers at watchTowr Labs analyzed the leaked exploit and confirmed it could be used to perform unauthenticated remote code execution on servers.
The situation was further complicated by the revelation that Scattered Lapsus$ Hunters, another group of threat actors known as ShinyHunters, had also released an Oracle E-Business Suite exploit. This new leak referenced CVE-2025-61882 as one of its indicators of compromise (IOCs), leading some to speculate about a potential connection between the two groups.
In response to these developments, Oracle stated that Clop was exploiting an EBS flaw patched in July 2025 and advised customers to ensure they had installed all necessary Critical Patch Updates. Nonetheless, this lack of transparency has left many researchers scratching their heads, particularly given the absence of clear communication from Oracle regarding the nature of CVE-2025-61884.
In order to gain a deeper understanding of what happened, BleepingComputer, along with other cybersecurity researchers, analyzed the patches released by Oracle for CVE-2025-61882. Their findings revealed that the patch effectively broke the Clop exploit by stubbing out the SYNCSERVLET class and adding mod_security rules that block access to the /OA_HTML/SyncServlet endpoint and to various templates used in executing a malicious template.
However, the researchers also discovered that the security update contained no changes aimed at fixing the vulnerability exploited by ShinyHunters' leaked PoC. Consequently, it remains unclear why Oracle included this reference in their advisory without providing any additional details about the nature of CVE-2025-61884.
Notably, tests conducted after installing the patch for CVE-2025-61884 have revealed that the SSRF component of the leaked exploit still functions even with current patches installed. These findings raise further questions about the effectiveness of Oracle's security measures and whether the company's response to this vulnerability was adequate.
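Since the patch described above relies on mod_security rules blocking the /OA_HTML/SyncServlet endpoint, a defender can verify from the web server's own access logs whether those requests are actually being refused after patching. The following is an added example, not code from the article or from Oracle; the log lines are constructed, the combined-log regex is an assumption about the log format, and only the SyncServlet path named on the page is watched.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed Apache/OHS combined access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The endpoint the page says Oracle's patch blocks via mod_security rules.
WATCHED_PATH = "/OA_HTML/SyncServlet"

# Constructed sample log lines (not real traffic); the last one uses percent-encoding.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Oct/2025:09:14:02 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [06/Oct/2025:09:14:05 +0000] "GET /OA_HTML/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Oct/2025:09:14:09 +0000] "POST /OA_HTML/SyncServlet?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.55 - - [07/Oct/2025:10:01:33 +0000] "GET /OA_HTML/Sync%53ervlet HTTP/1.1" 200 777 "-" "curl/8.4"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def audit_syncservlet(log_text):
    """Per-source counts of SyncServlet requests that were served (2xx/3xx),
    blocked (4xx), or answered otherwise (5xx)."""
    report = defaultdict(lambda: {"served": 0, "blocked": 0, "other": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Normalise: drop the query string, decode percent-encoding, ignore case.
        path = unquote(rec["path"].split("?", 1)[0]).lower()
        if path != WATCHED_PATH.lower():
            continue
        status = int(rec["status"])
        bucket = "served" if status < 400 else "blocked" if status < 500 else "other"
        report[rec["ip"]][bucket] += 1
    return dict(report)

def unblocked_sources(log_text):
    """Sources whose SyncServlet requests were served; after the patch this should be empty."""
    return sorted(ip for ip, c in audit_syncservlet(log_text).items() if c["served"] > 0)

if __name__ == "__main__":
    print(audit_syncservlet(SAMPLE_LOG))
    print("served SyncServlet requests from:", unblocked_sources(SAMPLE_LOG))
```

Any non-empty result from unblocked_sources on post-patch logs means the endpoint is still reachable and warrants a look at the mod_security rule set.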
Ultimately, the situation surrounding the Oracle E-Business Suite zero-day debacle underscores the importance of clear communication between vendors and researchers in addressing emerging security threats. The lack of transparency exhibited by Oracle during this ordeal has left many in the cybersecurity community perplexed, and it is essential that such incidents are scrutinized to ensure that adequate measures are taken to prevent similar situations from arising in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Oracle-E-Business-Suite-Zero-Day-Debacle-Unraveling-the-Complexity-of-Exploitation-and-Patching-ehn.shtml
https://www.bleepingcomputer.com/news/security/oracle-silently-fixes-zero-day-exploit-leaked-by-shinyhunters/
Published: Wed Oct 15 11:52:07 2025 by llama3.2 3B Q4_K_M