Oracle silently fixes zero-day exploit leaked by ShinyHunters

Oracle has silently fixed an Oracle E-Business Suite vulnerability, CVE-2025-61884, that was actively exploited to breach servers with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group.

The flaw was addressed with an out-of-band security update released over the weekend, which Oracle said could be used to access sensitive resources.

"This Security Alert addresses vulnerability CVE-2025-61884 in Oracle E-Business Suite," reads Oracle's advisory.

"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitive resources."

However, Oracle did not disclose that the flaw was actively exploited in attacks or that a public exploit had been released.

Multiple researchers, customers, and BleepingComputer have confirmed that the security update for CVE-2025-61884 now addresses the pre-authentication Server-Side Request Forgery (SSRF) flaw used by the leaked exploit.

BleepingComputer reached out to Oracle more than six times for comment about the updates and the lack of disclosure regarding active exploitation, but received either no reply or was told they declined to comment.

Earlier this month, Mandiant and Google began tracking a new extortion campaign in which companies received emails claiming sensitive data had been stolen from their Oracle E-Business Suite (EBS) systems.

These emails came from the Clop ransomware operation, which has a long history of exploiting zero-day flaws in widespread data-theft attacks.

While Clop would not share details about the attack, they confirmed to BleepingComputer that they were behind the emails and claimed a new Oracle flaw was exploited in the data-theft attacks.

"Soon all will become obvious that Oracle bugged up their core product and once again the task is on clop to save the day," the extortion gang told BleepingComputer.

In response to the extortion emails, Oracle stated that Clop was exploiting an EBS flaw that was patched in July 2025, advising customers to ensure the latest Critical Patch Updates were installed.

Soon after, another group of threat actors known as Scattered Lapsus$ Hunters, also known as ShinyHunters, released an Oracle E-Business Suite exploit on a Telegram channel that was being used to extort Salesforce customers.

Oracle later confirmed on October 5 that a new zero-day, CVE-2025-61882, affected EBS and released an emergency patch. Notably, one of the indicators of compromise (IOCs) in Oracle's advisory referenced the exploit released by Scattered Lapsus$ Hunters, suggesting a connection.

However, this is where things get confusing, primarily due to the silence of Oracle and other security vendors.

When the exploit was leaked, researchers at watchTowr Labs analyzed it, confirming it can be used to perform unauthenticated remote code execution on servers. This leaked exploit first targets the configurator/UiServlet endpoint in Oracle E-Business Suite as part of the attack chain.

However, CrowdStrike and Mandiant later released reports that disclosed a completely different vulnerability that is believed to have been exploited by the Clop extortion gang in August 2025. This exploit first targets the OA_HTML/SyncServlet endpoint.

Researchers at Mandiant also stated they saw exploitation activity similar to Scattered Lapsus$ Hunters' leaked PoC exploit targeting UiServlet in July 2025.

Mandiant says that by updating to the latest patch, released on October 4, customers are protected from all known exploit chains.

"Oracle released a patch on Oct. 4 for CVE-2025-61882, which referenced a leaked exploit chain targeting the UiServlet component, but Mandiant has observed multiple different exploit chains involving Oracle EBS and it is likely that a different chain was the basis for the Oct. 2 advisory that originally suggested a known vulnerability was being exploited," explains Mandiant in its report.

"It's currently unclear which specific vulnerabilities/exploit chains correspond to CVE-2025-61882; however, GTIG assesses that Oracle EBS servers updated through the patch released on Oct. 4 are likely no longer vulnerable to known exploitation chains."

BleepingComputer and other cybersecurity researchers analyzed the patches released by Oracle for CVE-2025-61882. We found that they broke the Clop exploit by stubbing out the SYNCSERVLET class and by adding mod_security rules that prevent access to the OA_HTML/SyncServlet endpoint and to various templates used to execute a malicious template.

However, there were no changes in that security update to fix the vulnerability exploited by ShinyHunters' PoC, which was nevertheless listed as an IOC for CVE-2025-61882. Therefore, it is unclear why Oracle even mentioned it in the advisory.

Furthermore, after CVE-2025-61882 was fixed, customers and researchers told BleepingComputer that their tests indicated that at least the SSRF component of the leaked exploit still worked even with current patches installed.

After installing this weekend's update for CVE-2025-61884, these same researchers and customers tell BleepingComputer that the SSRF component is now fixed.

BleepingComputer has learned that the patch for CVE-2025-61884 now validates the attacker-supplied return_url value using a regular expression and, if the value fails the check, blocks the request. Because the regex allows only a strict set of characters and anchors the pattern at both ends, injected CRLF sequences are rejected.

I suggest reading watchTowr Labs's write-up to learn precisely how the leaked exploit works.

In summary, for all who may still be confused:

- CVE-2025-61882 (emergency patch of October 4) covers the chain attributed to Clop, which begins at the OA_HTML/SyncServlet endpoint. The patch stubs out the SYNCSERVLET class and adds mod_security rules for that endpoint and the associated templates.
- CVE-2025-61884 (this weekend's out-of-band update) covers the pre-authentication SSRF in configurator/UiServlet that the leaked ShinyHunters exploit relies on. The patch rejects any return_url that does not match a strict, anchored regular expression.
- Oracle's CVE-2025-61882 advisory listed the leaked ShinyHunters exploit as an IOC, even though that update did not change the code the exploit's SSRF component abuses.

At this point, it is unclear why Oracle patched the exploits like this and mismatched the IOCs.

BleepingComputer contacted Oracle about its customers' concerns and either did not receive a response or was told they were declining to comment.

Mandiant told BleepingComputer that they are currently unable to answer our questions. CrowdStrike and watchTowr Labs referred us back to Oracle for questions related to the vulnerabilities.

If you are an Oracle E-Business Suite customer, it is strongly advised that you install all the latest updates, as the exploit chains and technical information are now publicly available.

If you are unable to install the latest update immediately, you should add a new mod_security rule that blocks access to configurator/UiServlet to break the SSRF component of the leaked exploit until you can patch.
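An interim rule of the kind the previous paragraph recommends, written here as an added example rather than an Oracle-supplied rule. It assumes ModSecurity 2.x rule syntax (the mod_security bundled with Oracle HTTP Server) and that the servlet is reached under /OA_HTML/configurator/UiServlet; the rule id is an arbitrary local value.

```apache
# Interim block for the configurator/UiServlet SSRF (CVE-2025-61884).
# Added example, not Oracle's own rule. Assumptions: ModSecurity 2.x syntax,
# servlet path /OA_HTML/configurator/UiServlet, rule id chosen locally.
# Remove it once the out-of-band patch is installed and verified.
SecRule REQUEST_URI "@beginsWith /oa_html/configurator/uiservlet" \
    "id:1000061884,phase:1,\
    t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
    deny,status:403,log,\
    msg:'Blocked configurator/UiServlet pending CVE-2025-61884 patch'"
```

The transformations matter: without urlDecodeUni, normalizePath and lowercase, a request for `/OA_HTML/configurator/%55iServlet` or `/OA_HTML/./configurator/UiServlet` would slip past a plain prefix match. Place the rule where your Oracle HTTP Server instance loads its mod_security configuration (the location varies by release), confirm with a test request that it returns 403, and check with the application owners which Configurator functions depend on this servlet before deploying it in production.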
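The article describes the CVE-2025-61884 fix as a regular-expression check on return_url that allows only a strict character set and anchors the pattern. Oracle's actual expression is not public, so the allow-list below is a hypothetical stand-in written for this page; the sample values are constructed, not captured exploit traffic. The example shows why the anchoring detail is the important one: the same character allow-list passes a CRLF-injected value when only the start of the string is matched, and Python's `$` anchor still admits a single trailing newline.

```python
import re

# Hypothetical allow-list for a return_url value: scheme, hostname, optional
# port, optional path, optional query. No whitespace, no control characters,
# and therefore no CR or LF anywhere. This is an assumption standing in for
# the strict, anchored expression the article says the patch uses.
RETURN_URL_PATTERN = (
    r"https?://[A-Za-z0-9.\-]+"          # hostname characters only
    r"(?::[0-9]{1,5})?"                  # optional :port
    r"(?:/[A-Za-z0-9._~\-/]*)?"          # optional path
    r"(?:\?[A-Za-z0-9._~\-=&%]*)?"       # optional query string
)

STRICT = re.compile(RETURN_URL_PATTERN)
# Pitfall variant: in Python, '$' also matches just before one trailing
# newline, so '^...$' is not a hard end anchor.
DOLLAR_ANCHORED = re.compile(r"^" + RETURN_URL_PATTERN + r"$")


def return_url_is_valid(value: str) -> bool:
    """Strict check: the entire value must match (fullmatch anchors both ends)."""
    return STRICT.fullmatch(value) is not None


def return_url_prefix_only(value: str) -> bool:
    """Weak check: match() anchors only the start, so trailing junk is ignored."""
    return STRICT.match(value) is not None


def return_url_dollar_anchored(value: str) -> bool:
    """Weak check: '^...$' still lets a value with one trailing newline through."""
    return DOLLAR_ANCHORED.match(value) is not None


# Constructed sample values (not taken from real exploit traffic).
BENIGN = "http://ebs.example.internal:8000/OA_HTML/RF.jsp?function_id=1"
# CRLF injection: terminate the request line the server builds from
# return_url and smuggle a second, attacker-chosen request behind it.
CRLF_INJECTED = (
    "http://ebs.example.internal:8000/\r\n"
    "Host: ebs.example.internal\r\n\r\n"
    "GET /internal/endpoint HTTP/1.1\r\n"
)
TRAILING_NEWLINE = "http://ebs.example.internal:8000/OA_HTML/RF.jsp\n"


def compare_checks() -> dict:
    """Run each sample through the three checks; True means 'request allowed'."""
    samples = {"benign": BENIGN, "crlf": CRLF_INJECTED, "newline": TRAILING_NEWLINE}
    checks = {
        "fullmatch": return_url_is_valid,
        "prefix": return_url_prefix_only,
        "dollar": return_url_dollar_anchored,
    }
    return {f"{s}/{c}": fn(v) for s, v in samples.items() for c, fn in checks.items()}


if __name__ == "__main__":
    for name, allowed in compare_checks().items():
        print(f"{name:18} allowed={allowed}")
```

Only the fullmatch variant rejects both the CRLF-injected value and the trailing-newline value; the prefix-only check accepts the CRLF payload outright, and the `$`-anchored check accepts the trailing newline. If you write a comparable check in another language, confirm how its regex engine treats `$` and use an explicit end-of-string anchor (`\z` or `\Z`, or a fullmatch API) rather than relying on `$`.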
Reader comment, quoting the article:

"BleepingComputer reached out to Oracle more than six times for comment about the updates and the lack of disclosure regarding active exploitation, but received either no reply or they declined to comment."

That's not Oracle; they have practically zero transparency. Protecting stock values appears to be more important than protecting their customers.

Copyright 2003 - 2025 Bleeping Computer LLC. All Rights Reserved.