Oracle E-Business Suite dual-endpoint exploit campaigns
Campaign
Summary
Hide ▲
Show ▼
Two Oracle E-Business Suite exploit campaigns hit separate endpoints in July and August 2025, expanding the risk to exposed enterprise instances. The activity matters because the attackers used different attack paths, showing sustained targeting rather than a one-off flaw. One phase mapped to CVE-2025-61884 and the other to CVE-2025-61882, with the latter attributed to the Clop ransomware gang.
Cases
Related Happenings
Oracle PeopleSoft PeopleTools zero-day RCE (CVE-2026-35273)
Vulnerability
H score58
First: 11.06.2026 22:39
Last: 11.06.2026 22:39
Sources 1
About this happening:
**Oracle PeopleSoft PeopleTools CVE-2026-35273** is a critical **zero-day RCE** affecting **PeopleSoft Enterprise PeopleTools 8.61 and 8.62**. Oracle released **emergency mitigati...
Oracle PeopleSoft PeopleTools zero-day RCE (CVE-2026-35273)
VulnerabilityAbout this happening: **Oracle PeopleSoft PeopleTools CVE-2026-35273** is a critical **zero-day RCE** affecting **PeopleSoft Enterprise PeopleTools 8.61 and 8.62**. Oracle released **emergency mitigati...
Latest development: 29.06.2026 23:40
Nissan says it suffered a data breach affecting current and former employees after attackers exploited an Oracle PeopleSoft zero-day associated with CVE-2026-35273. Oracle informed Nissan that personnel records of hundreds of companies may have been obtained and that Nissan was specifically targeted, with potentially exposed data including contact details, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary data for employees in the United States, Canada, Mexico, and Brazil.
Oracle WebLogic Server unauthenticated remote compromise flaw (CVE-2024-21182)
Vulnerability
H score59
First: 02.06.2026 15:40
Last: 02.06.2026 15:40
Sources 1
About this happening:
**CVE-2024-21182** in **Oracle WebLogic Server** is **actively exploited** and can let a **network-access attacker** achieve **unauthenticated remote compromise**. The flaw affect...
Oracle WebLogic Server unauthenticated remote compromise flaw (CVE-2024-21182)
VulnerabilityAbout this happening: **CVE-2024-21182** in **Oracle WebLogic Server** is **actively exploited** and can let a **network-access attacker** achieve **unauthenticated remote compromise**. The flaw affect...
HPE OneView RondoDox exploitation wave (CVE-2025-37164)
Exploitation Wave
H score59
First: 16.01.2026 11:15
Last: 16.01.2026 11:15
Sources 1
About this happening:
**RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...
HPE OneView RondoDox exploitation wave (CVE-2025-37164)
Exploitation WaveAbout this happening: **RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...
HPE OneView actively exploited remote code execution flaw (CVE-2025-37164)
Vulnerability
H score83
First: 08.01.2026 09:45
Last: 08.01.2026 09:45
Sources 1
About this happening:
**CVE-2025-37164** in **HPE OneView** is being **actively exploited**, with **Check Point Research** reporting a **Linux-based RondoDox botnet** campaign that escalated in **Janua...
HPE OneView actively exploited remote code execution flaw (CVE-2025-37164)
VulnerabilityAbout this happening: **CVE-2025-37164** in **HPE OneView** is being **actively exploited**, with **Check Point Research** reporting a **Linux-based RondoDox botnet** campaign that escalated in **Janua...
Oracle Identity Manager actively exploited missing authentication RCE (CVE-2025-61757)
Vulnerability
H score46
First: 22.11.2025 08:45
Last: 22.11.2025 08:45
Sources 1
About this happening:
**CISA** added **CVE-2025-61757** to **KEV** after evidence of **active exploitation**, putting **Oracle Identity Manager** users at immediate risk of **pre-authenticated remote c...
Oracle Identity Manager actively exploited missing authentication RCE (CVE-2025-61757)
VulnerabilityAbout this happening: **CISA** added **CVE-2025-61757** to **KEV** after evidence of **active exploitation**, putting **Oracle Identity Manager** users at immediate risk of **pre-authenticated remote c...
Timeline
-
21.10.2025 22:15 1 articles · 8mo ago
ShinyHunters leaks Oracle exploit on Telegram
Technical Analysis UpdateShinyHunters leaks an Oracle exploit on Telegram, and the code is tied to the UiServlet SSRF attack chain against Oracle E-Business Suite and the Oracle Configurator runtime component; the leak is described as being used by Clop.
Show sources
- CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw — www.bleepingcomputer.com — 21.10.2025 22:15
-
21.10.2025 22:15 1 articles · 8mo ago
Oracle discloses CVE-2025-61882 and publishes leaked IOC
Detection Ioc UpdateOracle discloses CVE-2025-61882, lists the leaked proof-of-concept as an IOC, and says the separate /OA_HTML/SyncServlet exploit path was fixed with mod_security rules and by stubbing out the SYNCSERVLET class.
Show sources
- CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw — www.bleepingcomputer.com — 21.10.2025 22:15
-
21.10.2025 22:15 1 articles · 8mo ago
Oracle discloses CVE-2025-61884 in Oracle Configurator runtime
Initial DisclosureOracle discloses CVE-2025-61884 as an unauthenticated server-side request forgery (SSRF) flaw in the Oracle Configurator runtime component, gives it a 7.5 severity rating, warns it could enable unauthorized access to critical data or complete access to all Oracle Configurator accessible data, and says the patch validates attacker-supplied return_url values with a regular expression.
Show sources
- CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw — www.bleepingcomputer.com — 21.10.2025 22:15
-
21.10.2025 22:15 1 articles · 8mo ago
CISA adds CVE-2025-61884 to KEV and orders patching
Legal Policy Action UpdateCISA confirms active exploitation of CVE-2025-61884 in Oracle E-Business Suite, adds the flaw to the Known Exploited Vulnerabilities catalog, and requires U.S. federal agencies to patch by November 10, 2025; the activity is tied to the July campaign and a leaked exploit from ShinyHunters and the Scattered Lapsus$ extortion group.
Show sources
- CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw — www.bleepingcomputer.com — 21.10.2025 22:15
-
21.10.2025 22:15 1 articles · 8mo ago
CrowdStrike and Mandiant separate two Oracle E-Business Suite campaigns
Campaign Scope UpdateCrowdStrike and Mandiant say Oracle E-Business Suite was targeted in two distinct campaigns: a July campaign that used an SSRF exploit against the "/configurator/UiServlet" endpoint now confirmed as CVE-2025-61884, and an August campaign that used a different exploit against the "/OA_HTML/SyncServlet" endpoint and was fixed under CVE-2025-61882, which is attributed to Clop.
Show sources
- CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw — www.bleepingcomputer.com — 21.10.2025 22:15