Company
Date Published
Author
-
Word count
2280
Language
English
Hacker News points
None

Summary

CrowdStrike has identified a mass exploitation campaign targeting Oracle E-Business Suite (EBS) applications through a zero-day vulnerability, now known as CVE-2025-61882, which is believed to be used primarily for data exfiltration. The campaign is suspected to involve the threat actor group GRACEFUL SPIDER, although the involvement of multiple actors cannot be ruled out. The first signs of exploitation were detected on August 9, 2025, and CrowdStrike anticipates that the public disclosure of a proof-of-concept (POC) and Oracle's patch release will prompt further exploitation attempts. The vulnerability can lead to unauthenticated remote code execution (RCE) through a multi-step exploit chain that includes an authentication bypass and code execution via Oracle's XML Publisher Template Manager. To mitigate the risk of exploitation, CrowdStrike recommends applying Oracle's updates immediately, investigating outbound connections from EBS instances, and securing systems with a web application firewall (WAF). The intelligence community is closely monitoring the situation, with ongoing investigations into the root cause and the potential weaponization of the POC by threat actors familiar with Oracle EBS.