[FALSE-NEGATIVE] CVE-2025-61882 template does not work as expected

[kerlion]

Template IDs or paths

- CVE-2025-61882

Environment

- OS: Ubuntu 22.04.4 LTS
- Nuclei: v3.4.10
- Go:

Steps To Reproduce

I have 2 None-Production EBS instances, one is applied Oracle patches , another is not yet.

./nuclei -u https://ebs1.example.com:443 -t CVE-2025-61882.yaml
./nuclei -u http://ebs1.example.com:8000 -t CVE-2025-61882.yaml
./nuclei -u http://ebs2.example.com:8000 -t CVE-2025-61882.yaml

both got:
[INF] Scan completed in 40.467156023s. No results found.

Relevant dumped responses

__     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.10

                projectdiscovery.io

[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.3.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 124
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.site
[WRN] [CVE-2025-61882] Could not execute step on http://ebs1.example.com:8000: cause="got following errors while executing flow" address=ebs1.example.com:8000 chain="failed to execute http:1 protocol; port closed or filtered; connection refused; i/o timeout; got err while executing http://ebs1.example.com:8000/OA_HTML/help/../ieshostedsurvey.jsp"
[INF] Scan completed in 58.666890788s. No results found.

Anything else?

http:
  - raw:
      - |
        GET /OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.1
        Host: {{Host}}:**7201**

7201 is a base port, in some cases, it is added by a number(1~99）。
In my case it is 10, that is : 7211, I changed it to 7211, but the result is same.

Another issue:
My EBS is configured Nginx before the EBS, so the base url is : https://ebs.example.com, does it work as well?

BTW:
This template is simple but seems works well. which one is better?
https://github.com/rxerium/CVE-2025-61882/blob/main/CVE-2025-61882.yaml

[kerlion]

[DBG] [CVE-2025-61882] Dumped HTTP response http://ebs2.example.com:8010/OA_HTML/help/../ieshostedsurvey.jsp

HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 10 Oct 2025 03:19:58 GMT
Server:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>The request could not be understood by server due to
malformed syntax.</p>
</body></html>
[INF] Using Interactsh Server: oast.site
[WRN] [CVE-2025-61882] Could not execute step on http://ebs2.example.com:8010: cause="got following errors while executing flow" chain="failed to execute http:2 protocol; context deadline exceeded; got err while executing http://ebs2.example.com:8010/OA_HTML/configurator/UiServlet"
[INF] Scan completed in 58.248790159s. No results found.

[kerlion]

@DhiyaneshGeek

[princechaddha]

@kerlion Thank you for taking the time to create this issue and for contributing to the project. In this repo we try to add templates with a full POC instead of version-based detection, with very few exceptions.

I believe the LFI is not working because Nginx is configured before the EBS, but we have updated the template to remove the hardcoded port and SSRF payload should work regardless. Have you manually confirmed that the host is vulnerable but the template is not able to detect it?