Rule Document 1:65455

Report a false positive

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Oracle E-Business Suite vulnerable SyncServlet endpoint access attempt

Rule Explanation

This rule looks for inbound requests to the "/OA_HTML/SyncServlet" endpoint on Oracle E-Business Suite web applications. Attackers have been observed targeting this endpoint with an authentication bypass exploit to enable subsequent attacks that allow for remote code execution.

What To Look For

This rule fires on attempts to access the SyncServlet endpoint on Oracle E-Business Suite web applications, which is vulnerable to an authentication bypass vulnerability.

Known Usage

Attacks/Scans seen in the wild

False Positives

Known false positives, with the described conditions

This is an alert-only rule that detects all inbound requests sent to the "/OA_HTML/SyncServlet" endpoint. Network administrators should further investigate any events for suspicious activity. The presence of this event with other Oracle events is a potential indicator of malicious activity.

Contributors

Cisco Talos Intelligence Group

Rule Groups

Rule Categories::Policy::Other

Rule Categories::Server::Oracle

Rule Categories::Server::Web Applications

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

CVE

CVE-2025-61882 CVE-2025-61884

Additional Links

www.oracle.com/security-alerts/alert-cve-2025-61882.html
www.oracle.com/security-alerts/alert-cve-2025-61884.html

Rule Vulnerability

N/A

Not Applicable

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2025-61882
 Loading description
CVE-2025-61884
 Loading description