Oracle E-Business Suite CVE-2025-61882 - Malware Analysis
Essential information
- Published: 08/10/2025 07:51
- Modified: 08/10/2025 08:12
- Tags: 2025-10-08 CVE-2025-61882 arbitrary code execution backdoor java exploitation oracle e-business suite template injection weblogic
- Related entities: 1 vulnerability (CVE), 9 observables, 11 techniques (MITRE)
Description
A critical vulnerability in Oracle E-Business Suite (CVE-2025-61882) is being actively exploited. The attack involves dropping malicious template files through a Python script, which are then activated by previewing. Two types of templates are used: one contacting a hardcoded IP address to execute arbitrary Java code, and another containing an embedded Java class file that loads a backdoor. The exploit leverages the execution context of Oracle Weblogic server, allowing JavaScript execution within the current process. The backdoor enables attackers to execute arbitrary Java code via specially crafted POST requests. The malware utilizes base64 encoding, encryption, and mimics legitimate Java classes to evade detection. It injects filters into Weblogic application contexts and sets up a mechanism for further code execution.
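The description above names two template traits a defender can look for on disk before a template is ever previewed: a base64-encoded, embedded Java class file, and a hardcoded IP address. The following triage scanner is an added example written for this page, not code from the analysis or from Oracle; it assumes templates are text files (XSL-style XML is used for the constructed sample), treats every compiled Java class as starting with the magic bytes `0xCAFEBABE`, and uses a constructed fake class blob and a TEST-NET address (203.0.113.10) as stand-ins for real artefacts. It goes slightly beyond the text by also decoding base64 runs at all three alignments, so a class blob glued directly onto surrounding text is still recovered.

```python
from __future__ import annotations

import base64
import binascii
import re

# Magic number at the start of every compiled Java class file.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# A base64 run long enough to plausibly carry a class file. A real class is far
# longer; 64 characters is a deliberately low floor so the sample stays short.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Dotted-quad IPv4 literal not embedded in a longer dotted number.
IPV4 = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Java identifiers that have no business in a report template (assumed list).
SUSPICIOUS_IDENTIFIERS = (
    b"java.lang.Runtime", b"ProcessBuilder", b"ClassLoader", b"defineClass", b"java.net.URL",
)


def decoded_views(run: bytes):
    """Yield decodings of a base64 run at each of the three possible alignments,
    so a class blob glued to preceding alphabet characters is still recovered."""
    for shift in range(3):
        chunk = run[shift:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # whole quads only
        if len(chunk) < 8:
            continue
        try:
            yield base64.b64decode(chunk, validate=True)
        except (binascii.Error, ValueError):
            continue  # padding landed mid-chunk at this alignment; try the next


def find_embedded_classes(data: bytes) -> list[dict]:
    """Return one record per base64 run that decodes to a Java class file."""
    hits = []
    for m in B64_RUN.finditer(data):
        for decoded in decoded_views(m.group(0)):
            pos = decoded.find(JAVA_CLASS_MAGIC)
            if pos == -1:
                continue
            # The four bytes after the magic are minor then major class-file version.
            version = decoded[pos + 4 : pos + 8]
            major = int.from_bytes(version[2:4], "big") if len(version) == 4 else None
            hits.append({
                "offset": m.start(),
                "b64_length": len(m.group(0)),
                "class_major_version": major,
            })
            break  # one record per run is enough for triage
    return hits


def scan_template(data: bytes) -> dict:
    """Triage one template: embedded class blobs, hardcoded IPv4 literals,
    and Java identifiers associated with code loading or execution."""
    return {
        "embedded_classes": find_embedded_classes(data),
        "ipv4_literals": sorted({ip.decode() for ip in IPV4.findall(data)}),
        "suspicious_identifiers": [i.decode() for i in SUSPICIOUS_IDENTIFIERS if i in data],
    }


def is_suspicious(report: dict) -> bool:
    """Any single indicator is enough to pull the template for manual review."""
    return any(bool(report[k]) for k in ("embedded_classes", "ipv4_literals", "suspicious_identifiers"))


# Constructed sample inputs (not real samples). The fake class is just the magic,
# a version header (major 0x34 = 52) and zero padding; the address is TEST-NET.
FAKE_CLASS = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 60
MALICIOUS_TEMPLATE = (
    b'<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    b"<!-- constructed: class blob glued to a preceding letter to exercise realignment -->"
    b"<payload>x" + base64.b64encode(FAKE_CLASS) + b"</payload>"
    b"<url>http://203.0.113.10:8080/x</url><x>java.lang.Runtime</x></xsl:stylesheet>"
)
BENIGN_TEMPLATE = (
    b'<?xml version="1.0"?><xsl:stylesheet version="1.0"><xsl:template match="/">'
    b'<p>Total: <xsl:value-of select="sum(//amount)"/></p></xsl:template></xsl:stylesheet>'
)

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_TEMPLATE), ("benign", BENIGN_TEMPLATE)):
        report = scan_template(blob)
        print(name, "SUSPICIOUS" if is_suspicious(report) else "clean", report)
```

Run it over a directory of exported templates and review anything flagged; the embedded-class check is the high-confidence signal, while the IP and identifier checks are cheap tripwires that a legitimate report template should never trigger.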