A critical vulnerability in Oracle E-Business Suite (CVE-2025-61882) is being actively exploited. The attack drops malicious template files via a Python script; the templates are then activated when previewed. Two types of templates are used: one contacts a hardcoded IP address to execute arbitrary Java code, and the other contains an embedded Java class file that loads a backdoor. The exploit leverages the execution context of the Oracle WebLogic server, allowing JavaScript execution within the current process. The backdoor enables attackers to execute arbitrary Java code via specially crafted POST requests. The malware uses base64 encoding and encryption, and mimics legitimate Java classes to evade detection. It injects filters into WebLogic application contexts and sets up a mechanism for further code execution.

Author: AlienVault
Related Tags:
java exploitation
cve-2025-61882
oracle e-business suite
weblogic
T1059.007
T1573.002
T1027.002
T1132.001
T1071.001
Associated Indicators: