CrowdStrike is tracking a mass exploitation campaign almost certainly leveraging a novel zero-day vulnerability — now tracked as CVE-2025-61882 — targeting Oracle E-Business Suite (EBS) applications for the purposes of data exfiltration.
On September 29, 2025, GRACEFUL SPIDER emailed multiple organizations and claimed they had accessed and exfiltrated data from the victim’s Oracle EBS applications.
On October 4, 2025, Oracle publicly disclosed CVE-2025-61882, a vulnerability impacting Oracle EBS that can result in unauthenticated remote code execution (RCE). While Oracle’s advisory did not explicitly state this vulnerability has been exploited in the wild (ITW), Oracle provided IOCs (such as IP addresses, observed commands, and files) suggesting ITW exploitation.[1]

Details

CrowdStrike Intelligence assesses with moderate confidence that GRACEFUL SPIDER is likely involved in this campaign but cannot rule out the possibility that multiple threat actors have exploited CVE-2025-61882. The first known exploitation occurred on August 9, 2025; however, investigations remain ongoing, and this date is subject to change.
In an October 3, 2025 post in one of the Telegram channels insinuating collaboration between SCATTERED SPIDER, SLIPPY SPIDER, and ShinyHunters, a channel participant posted a purported Oracle EBS proof-of-concept (POC) exploit (SHA256 hash: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d). In their post, the member criticized GRACEFUL SPIDER’s tactics.
How the poster obtained the exploit and whether this actor or any other actors associated with the channel have leveraged this exploit is unclear. Oracle published this POC as an indicator of compromise (IOC) in its CVE-2025-61882 disclosure, suggesting the vendor assesses that the POC has been or may be used for CVE-2025-61882 exploitation. While analysis is ongoing, the purported POC appears to align with at least some of the observed exploitation, including activity leveraging Java Servlets for exploitation.
CrowdStrike Intelligence further assesses that the October 3, 2025 POC disclosure and the CVE-2025-61882 patch release will almost certainly encourage threat actors — particularly those familiar with Oracle EBS — to create weaponized POCs and attempt to leverage them against internet-exposed EBS applications.

Unauthenticated RCE Vulnerability (CVE-2025-61882)

CVE-2025-61882 appears to align with at least some of the exploitation activity CrowdStrike has analyzed thus far.

Authentication Bypass

The observed activity appears to begin with an HTTP POST request to /OA_HTML/SyncServlet, which initiates the authentication-bypass portion of a multi-step exploit chain. On at least one confirmed occasion, authentication bypass was related to an administrative account within EBS.

Code Execution

To achieve code execution, the adversary targeted Oracle’s XML Publisher Template Manager by issuing GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload and execute a malicious XSLT template. Commands in the malicious template are executed when the malicious template is previewed. Figure 1 documents example GET and POST requests used to upload and preview a malicious template.

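As an added, defender-side example (not CrowdStrike's code or tooling), the following Python sketch triages web-server access logs for the two-stage pattern the text describes: a POST to /OA_HTML/SyncServlet from a source that, shortly afterwards, requests the Template Manager endpoints /OA_HTML/RF.jsp or /OA_HTML/OA.jsp. The sample log lines, the combined-log-format layout and the 30-minute correlation window are constructed assumptions, not observed telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2025:10:00:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Oct/2025:10:00:07 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Oct/2025:10:00:09 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2025:10:02:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2025:10:02:30 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
BYPASS_PATH = "/OA_HTML/SyncServlet"                      # stage 1: authentication bypass
TEMPLATE_PATHS = {"/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp"}  # stage 2: XML Publisher Template Manager


def parse(line):
    """Return (ip, timestamp, method, path-without-query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]


def find_exploit_chains(log_text, window=timedelta(minutes=30)):
    """Flag source IPs that POST to SyncServlet and then touch the Template Manager
    endpoints within `window`; returns {ip: sorted list of follow-on paths}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])
    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order of (timestamp, method, path)
        bypass_times = [ts for ts, method, path in events
                        if method == "POST" and path == BYPASS_PATH]
        if not bypass_times:
            continue  # RF.jsp / OA.jsp traffic alone is routine for legitimate EBS sessions
        first = bypass_times[0]
        follow = sorted({path for ts, _, path in events
                         if path in TEMPLATE_PATHS and first <= ts <= first + window})
        if follow:
            findings[ip] = follow
    return findings
```

Running `find_exploit_chains(SAMPLE_LOG)` flags only 203.0.113.10; the second source hits OA.jsp without a preceding SyncServlet POST and is left alone, which keeps the rule from firing on normal logged-in use.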