Cisco Secure Firewall - Oracle E-Business Suite Exploitation

name: Cisco Secure Firewall - Oracle E-Business Suite Exploitation
id: 1c077b8a-95a3-4692-980d-c72fc50e9930
version: 5
date: '2026-03-10'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
description: |
    This analytic detects vulnerability exploitation and post-compromise activity associated with Oracle E-Business Suite web-application vulnerabilities, CVE-2025-61882 and CVE-2025-61884.
    SIDs 65413-65415 detect detect Java.Backdoor.Cl0p variant payload downloads and Java.Backdoor.Cl0p outbound
    command-and-control connection attempts.
    SIDs 65456, 65377 and 65378 detect attempts to exploit these vulnerabilities.
    Security teams should investigate any instances of these signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.
data_source:
    - Cisco Secure Firewall Threat Defense Intrusion Event
search: |
    `cisco_secure_firewall`
    EventType=IntrusionEvent
    signature_id IN (65377, 65378, 65413, 65414, 65415, 65456)
    | fillnull
    | stats values(signature_id) as signature_id
            values(signature) as signature
            values(class_desc) as class_desc
            values(MitreAttackGroups) as MitreAttackGroups
            values(InlineResult) as InlineResult
            values(InlineResultReason) as InlineResultReason
            values(dest_port) as dest_port
            values(rule) as rule
            values(transport) as transport
            values(app) as app
            min(_time) as firstTime
            max(_time) as lastTime
      by src dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `cisco_secure_firewall___oracle_e_business_suite_exploitation_filter`
how_to_implement: |
    This search requires Cisco Secure Firewall Threat Defense Logs, which
    includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
    with configurations for your Splunk environment. The search also uses a post-filter
    macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
    The intrusion access policy must also be configured.
known_false_positives: False positives should be unlikely.
references:
    - https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
    - https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
    - https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
    - https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation
drilldown_searches:
    - name: View the detection results for - "$dest$" and "$src$"
      search: '%original_detection_search% | search  dest = "$dest$" and src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Network activity associated with Oracle E-Business Suite exploitation detected from source IP $src$ to destination IP $dest$.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: signature
          type: signature
        - field: src
          type: ip_address
tags:
    analytic_story:
        - Cisco Secure Firewall Threat Defense Analytics
        - Oracle E-Business Suite Exploitation
    asset_type: Network
    security_domain: network
    mitre_attack_id:
        - T1190
    product:
        - Splunk Enterprise
        - Splunk Cloud
        - Splunk Enterprise Security
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer