Updated: October 7, 2025 • Audience: CISOs, SOC leads, vuln management, email security teams
TL;DR
- GoAnywhere MFT (CVE-2025-10035): critical deserialization bug (CVSS 10) in the License Servlet; Microsoft reports active exploitation tied to Storm-1175/Medusa. Patch to 7.8.4 (or Sustain 7.6.3) and restrict public exposure.
- Oracle E-Business Suite (CVE-2025-61882): unauthenticated RCE (CVSS 9.8) in Concurrent Processing (BI Publisher Integration) hitting 12.2.3–12.2.14; Oracle shipped an out-of-band fix amid mass exploitation/extortion.
- Cisco/Talos “hidden text salting”: an email-evasion technique (not a CVE) abusing CSS/HTML to hide words/characters and confuse detection (incl. language models). Normalize/strip hidden content before analysis.
Fortra GoAnywhere MFT — CVE-2025-10035 (actively exploited)
Microsoft observed Storm-1175 exploiting CVE-2025-10035, a critical deserialization flaw in GoAnywhere’s License Servlet that can lead to command injection and RCE, particularly on internet-exposed Admin Consoles. Fortra’s advisory confirms the weakness, provides a tell-tale log string (SignedObject.getObject) for triage, and directs customers to upgrade to 7.8.4 (or Sustain 7.6.3). Fortra also explicitly urges ensuring the Admin Console is not publicly reachable. CISA has added the CVE to KEV with a remediation due date for U.S. agencies.
What this means: Treat this as an emergency patch + hunt event (particularly if your instance was exposed pre-patch).
Oracle E-Business Suite — CVE-2025-61882 (pre-auth RCE; extortion in the wild)
Oracle issued a Security Alert for CVE-2025-61882 affecting EBS 12.2.3–12.2.14, rating it 9.8 (RCE, no auth required over HTTP). Oracle emphasizes applying the alert promptly (note the October 2023 CPU is a prerequisite), and published IOCs in the advisory. Multiple vendors and media report mass exploitation/extortion leveraging this bug; CrowdStrike and others link activity to Cl0p/Graceful Spider with early exploitation noted in August/September. Oracle and several outlets highlight the campaign’s scale and urgency.
What this means: If you run EBS in the affected range, schedule emergency downtime to apply the fix and reduce internet exposure immediately until fully remediated.
Cisco/Talos: “Hidden Text Salting” in phishing (CSS abuse, not a product vuln)
Cisco Talos documents widespread abuse of CSS/HTML to hide words, characters, and paragraphs (“salt”) so that the raw HTML text differs from what humans see—confusing keyword filters, language detection, and even small LLM-based classifiers. Talos details where salt appears (preheader, header, attachments, body) and how it’s hidden (e.g., font-size:0, opacity:0, display:none, zero-width characters).
What this means: This is a detection-evasion technique, not a vendor bug—defenders must normalize content and tune detections accordingly.
High-Level Remediation & Mitigation
Cross-cutting actions (apply to GoAnywhere + Oracle + email defenses)
- Patch on expedited timelines and remove public exposure of admin/UIs until fully fixed. Both vendors stress urgency and limiting internet exposure.
- Threat hunt now around suspected activity windows: check web access logs, admin/audit logs, new users, JSP/web shell artifacts, unusual outbound connections and remote management tool drops.
- Credential/key rotation post-remediation (accounts, tokens, keys) on impacted systems.
- Network controls: restrict management plane by IP/VPN; enforce strict WAF rules on app endpoints; monitor egress.
- Backups & IR readiness: validate offline/immutable backups and rehearse restore steps.
GoAnywhere MFT (CVE-2025-10035)
- Upgrade immediately to 7.8.4 (or Sustain 7.6.3).
- Take the Admin Console off the public internet while you patch; keep it behind VPN or allow-listed IPs.
- Hunt indicators: search for SignedObject.getObject in logs, JSP file drops in app dirs, and RMM tooling (e.g., SimpleHelp/MeshAgent) noted by Microsoft.
- Validate post-patch: review Admin Audit logs and compare file integrity on GoAnywhere directories.
Oracle E-Business Suite (CVE-2025-61882)
- Apply the Security Alert patch (affects 12.2.3–12.2.14); ensure the October 2023 CPU prerequisite is met.
- Reduce attack surface: block direct internet access to EBS where feasible; front with reverse-proxy/WAF and strict request validation.
- Hunt indicators & abuse paths: review activity around Concurrent Processing / BI Publisher Integration; monitor for suspicious job submissions and anomalous HTTP requests.
- Monitor exfil: watch for staging paths and unusual outbound traffic that may indicate data theft.
Email-borne evasion: “Hidden Text Salting”
- Normalize before analysis: strip/flatten HTML/CSS (remove or reveal text hidden via font-size:0, opacity:0, display:none, zero-width chars) before keyword/ML scans.
- Detection heuristics: alert on mismatch between visible vs. raw text length and suspicious inline styles; add rules for zero-width characters often used for brand poisoning.
- User safety basics: disable auto-loading of remote content; keep rapid-report buttons prominent.
- Pipeline QA: regression-test your filters against Talos’ examples to ensure parsers aren’t being “salted.”
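One way to implement the normalize-and-detect steps above, as an added Python example (not Talos code or any vendor’s implementation): it drops elements hidden by inline styles, strips zero-width characters, and compares visible vs. raw text length. The SaltStripper/analyze names, the style patterns, the zero-width set and the 0.8 ratio threshold are assumptions to tune; hiding via stylesheet classes is not covered.

```python
import re
from html.parser import HTMLParser

# Invisible code points used to split keywords ("pass\u200bword"); constructed list, extend as needed.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u00ad]")
# Inline styles that hide text from the reader while leaving it in the raw HTML a filter scans.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?(?![.\d])"
    r"|font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|%)?(?![.\d])", re.I)

class SaltStripper(HTMLParser):
    # Collects the raw text and, separately, the subset a human would actually see.
    def __init__(self):
        super().__init__()
        self.raw, self.visible, self._stack = [], [], []
        self.hidden_depth = self.hidden_styles = 0  # depth > 0 inside a hidden element; count of hiding styles
    def handle_starttag(self, tag, attrs):
        by_style = HIDDEN_STYLE.search(dict(attrs).get("style") or "") is not None
        hidden = by_style or tag in ("script", "style", "head")
        self.hidden_styles += int(by_style)
        self.hidden_depth += int(hidden)
        self._stack.append((tag, hidden))
    def handle_endtag(self, tag):
        while self._stack:  # unwind to the matching open tag; tolerates unclosed tags like <br>
            t, hidden = self._stack.pop()
            self.hidden_depth -= int(hidden)
            if t == tag:
                break
    def handle_data(self, data):
        self.raw.append(data)
        if self.hidden_depth == 0:
            self.visible.append(data)

def analyze(html, min_visible_ratio=0.8):
    """Normalized visible text plus salting indicators; the ratio threshold is an assumption to tune."""
    p = SaltStripper()
    p.feed(html); p.close()
    raw = "".join(p.raw)
    zero_width = len(ZERO_WIDTH.findall(raw))
    visible = " ".join(ZERO_WIDTH.sub("", "".join(p.visible)).split())
    raw_norm = " ".join(raw.split())
    ratio = len(visible) / len(raw_norm) if raw_norm else 1.0
    return {"visible_text": visible, "hidden_styles": p.hidden_styles, "zero_width_chars": zero_width,
            "visible_ratio": round(ratio, 2),
            "suspicious": p.hidden_styles > 0 or zero_width > 0 or ratio < min_visible_ratio}

# Constructed sample: brand split by an invisible span, keyword split by a zero-width space, hidden filler.
SAMPLE = ("<html><body>\n<p>Your account at <span>Pay</span><span style='font-size:0'>zzz</span>"
          "<span>Pal</span></p>\n<p>Your pass\u200bword expires "
          "<span style=\"display:none\">lorem ipsum dolor sit amet </span>today.</p>\n"
          "<div style='opacity:0'>unrelated text to fool filters</div>\n</body></html>")
```

Feed analyze() the normalized visible_text into your keyword/ML stage and route the indicator counts to a rule that scores the message.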
References (primary sources)
- Microsoft Threat Intelligence — Investigating active exploitation of CVE-2025-10035 (GoAnywhere MFT).
- Fortra — FI-2025-012: Deserialization Vulnerability in GoAnywhere MFT’s License Servlet.
- NVD — CVE-2025-10035 (CISA KEV, affected versions, CVSS 10).
- Oracle — Security Alert Advisory: CVE-2025-61882 (E-Business Suite).
- TechRadar Pro — Oracle forced to rush out patch for zero-day exploited in attacks.
- CrowdStrike — Identifies Campaign Targeting Oracle E-Business Suite via Zero-Day (CVE-2025-61882).
- The Hacker News — Oracle EBS Under Fire as Cl0p Exploits CVE-2025-61882.
- Reuters — Oracle says hackers are trying to extort its customers.