Rule Document 1:65454

Report a false positive

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Oracle E-Business Suite TemplatePreview potential remote code execution attempt

Rule Explanation

This rule looks for inbound requests to the "/OA.jsp" endpoint on Oracle E-Business Suite web applications that attempt to invoke the Template Preview functionality. Attackers have been observed targeting this functionality to execute previously uploaded malicious XSL or XML files.

What To Look For

This rule fires on potential remote code execution attempts against Oracle E-Business Suite web applications.

Known Usage

Attacks/Scans seen in the wild

False Positives

Known false positives, with the described conditions

This is an alert-only rule that detects all attempts to invoke the Template Preview functionality on Oracle E-Business Suite web applications. Network administrators should further investigate any events for suspicious activity. The presence of this event with other Oracle events is a potential indicator of malicious activity.

Contributors

Cisco Talos Intelligence Group

Rule Groups

Rule Categories::Policy::Other

Rule Categories::Server::Oracle

Rule Categories::Server::Web Applications

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

CVE

CVE-2025-61882 CVE-2025-61884

Additional Links

www.oracle.com/security-alerts/alert-cve-2025-61882.html
www.oracle.com/security-alerts/alert-cve-2025-61884.html

Rule Vulnerability

N/A

Not Applicable

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2025-61882
 Loading description
CVE-2025-61884
 Loading description