Hello and welcome to the Tuesday, October 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Denver, Colorado. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.
Today, the big topic was still the patch released by Oracle on Saturday for the Oracle E-Business Suite. I talked about it already yesterday. Now, there is no new update from Oracle about this, so their advice still counts: apply the patch released on Saturday in order to be protected against this vulnerability.

Now, after recording the podcast yesterday, I found a copy of the exploit script that was referenced in Oracle's write-up. So this was basically the exploit script recovered from these ransomware attacks. The exploit is quite complex. There's also a great and much more detailed write-up by watchTowr explaining what exactly is going on here. There are actually a couple of little exploits that are being used in order to really make everything work. There's a directory traversal in one spot, for example, in order to make this exploit work without having to authenticate first. But the critical part of the exploit is a server-side request forgery issue using a somewhat interesting and, well, I think a little bit archaic in some ways, technology: XSLT. This is essentially style sheets for XML files, and this has been used for server-side request forgery before. The trick here is essentially that, as part of an XML file, you can reference an external file that will tell you how to render a particular XML file. And requesting that external file is what triggers the server-side request forgery vulnerability in this particular case. And then a vulnerability in how these particular files are then being applied does lead to the remote code execution. So a very tricky exploit. And I don't think there are a lot of people out there that really understand Oracle E-Business Suite well enough in order to come up with all the complexities being exploited by this particular exploit. It's not just a simple vulnerability.

Of course, with the exploit now being out and widely distributed, there is a good chance that we have copycats coming up soon. These scripts that were used and posted to VirusTotal and other sites are making exploitation of this vulnerability relatively straightforward. And also, of course, the detailed write-ups like the one from watchTowr go over some of the intricacies in making this particular exploit chain work. There's another side to this, with an exploit like this being released now and being able to actually exploit vulnerabilities that, before seeing the entire exploit chain, weren't really properly accessible. Well, there is a chance that we'll also see additional similar vulnerabilities in the future being exploited just like this one, taking advantage of some of the work done in order to make this exploit work. So definitely keep an eye on your Oracle E-Business Suite servers and see what you can do in order to better isolate them, to make some of these exploit facets that were being used impossible, blocking, for example, downloads of external files.

But Oracle isn't the only one releasing patches. We also got in the last couple of days a patch for the Redis in-memory database. This patch fixes a use-after-free vulnerability that could be used for arbitrary code execution. Redis rated this vulnerability with a CVSS score of 10.0, so a perfect 10. However, in order to exploit the vulnerability, you must have authenticated access. So I would actually think that it should be a couple of decimals below 10. Still a critical vulnerability that you must patch quickly, and double check what Redis servers you have exposed to the internet. No exploit available for this as far as I know, but again, it's probably just a matter of a very short time for someone to develop an exploit for this vulnerability.

Microsoft published a blog post that a critical GoAnywhere MFT bug that we talked about two weeks ago is now actively being exploited. So double check that you got the patch applied. If not, assume compromise at this point.
Well, and that's it for today. So thanks again for listening, and thanks for liking and subscribing to this podcast. And as always, talk to you again tomorrow. Bye.
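The SSRF mechanism described in the episode (an XML or XSLT document pointing the processor at an external file, via an xml-stylesheet instruction, xsl:include/xsl:import, or a document() call) can be checked for before a server ever transforms the input. The following is an added example, not code from the podcast, from Oracle, or from watchTowr: a stdlib-only Python triage function that lists every such reference and flags the ones that would leave the host. The sample stylesheet and its addresses are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from io import StringIO

XSL = "{http://www.w3.org/1999/XSL/Transform}"
HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")   # http:, https:, file:, ...
HREF_IN_PI = re.compile(r"""href\s*=\s*["']([^"']*)["']""")
DOC_CALL = re.compile(r"""document\(\s*["']([^"']*)["']""")

# Constructed sample (not from the incident): one stylesheet carrying every
# reference type; 192.0.2.x / 203.0.113.x are documentation-only addresses.
SAMPLE = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="http://192.0.2.10/style.xsl"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="common.xsl"/>
  <xsl:include href="https://203.0.113.5/inc.xsl"/>
  <xsl:template match="/">
    <xsl:copy-of select="document('http://192.0.2.10/data.xml')"/>
  </xsl:template>
</xsl:stylesheet>
"""

def external_references(xml_text):
    """Return (kind, target) for every construct that makes an XSLT processor open
    another resource: xml-stylesheet PIs, include/import hrefs, document() calls."""
    found = []
    for event, node in ET.iterparse(StringIO(xml_text), events=("start", "pi")):
        if event == "pi":
            # For "pi" events node.text is "<target> <data>", e.g. 'xml-stylesheet href=...'
            if node.text.startswith("xml-stylesheet"):
                found += [("xml-stylesheet", h) for h in HREF_IN_PI.findall(node.text)]
            continue
        if node.tag in (XSL + "include", XSL + "import"):
            found.append((node.tag[len(XSL):], node.get("href", "")))
        for value in node.attrib.values():   # XPath expressions live in attributes
            found += [("document()", url) for url in DOC_CALL.findall(value)]
    return found

def flag_remote_fetches(xml_text):
    """Keep only references that reach off-host; an empty list means the input can
    be transformed without an outbound request. Parse errors are reported, not hidden."""
    try:
        refs = external_references(xml_text)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]
    # document() is kept even with a relative argument: the stylesheet author,
    # not the server, decides what gets opened.
    return [(k, t) for k, t in refs if k == "document()" or HAS_SCHEME.match(t.strip())]
```

Run `flag_remote_fetches(SAMPLE)` to see the three off-host references; the local `common.xsl` import is listed by `external_references` but not flagged.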