Oracle E-Business Suite CVE-2025-61882 - Malware Analysis
Oct. 8, 2025, 8:12 a.m.
Description
A critical vulnerability in Oracle E-Business Suite (CVE-2025-61882) is being actively exploited. The attack drops malicious template files through a Python script; the templates are then activated when they are previewed. Two types of templates are used: one contacts a hardcoded IP address to execute arbitrary Java code, and the other contains an embedded Java class file that loads a backdoor. The exploit leverages the execution context of the Oracle WebLogic server, allowing JavaScript execution within the current process. The backdoor lets attackers execute arbitrary Java code via specially crafted POST requests. The malware uses base64 encoding and encryption, and mimics legitimate Java classes to evade detection. It injects filters into WebLogic application contexts and sets up a mechanism for further code execution.
Date
- Created: Oct. 8, 2025, 7:51 a.m.
- Published: Oct. 8, 2025, 7:51 a.m.
- Modified: Oct. 8, 2025, 8:12 a.m.
Indicators