This weekly digest highlights the highest-priority web security events from Oct 3–10, 2025: a mass extortion campaign abusing Oracle E-Business Suite, a critical Redis RCE, and active WordPress theme compromises that use stealth delivery techniques. Read on for plain-language explanations, key indicators, and a prioritized action plan your team can run in the next 24–72 hours.
1) Large extortion campaign abusing an Oracle E-Business Suite zero-day (CVE-2025-61882)
What happened: Google Threat Intelligence Group, Mandiant and other vendors tracked a mass extortion campaign claiming data theft from Oracle E-Business Suite (EBS) instances. The issue is tracked as CVE-2025-61882 and is remotely exploitable; attackers sent extortion emails to executives and appear to have done careful reconnaissance beforehand. Google and others urged immediate patching and indicator reviews. (Sources: Google Cloud and others)
Why it matters: Oracle EBS is widely used for enterprise back-office functions (finance, procurement, HR). A remotely exploitable RCE in EBS gives attackers a fast path to data exfiltration, lateral movement and high-value extortion, and such enterprise stacks are attractive to large extortion groups (e.g., CL0P). (Sources: Oracle and others)
Key facts: Oracle released emergency guidance and patches in early October; security teams report that the campaign began in late September and was actively used to send extortion claims. (Sources: Google Cloud and others)
Immediate actions: apply Oracle's emergency updates now; search EBS logs for unknown database templates and unusual outbound connections; if compromise is suspected, isolate affected hosts and collect forensic snapshots before remediating. (Source: Oracle)
2) Active exploitation: critical authentication-bypass in WordPress “Service Finder” (CVE-2025-5947)
What happened: A critical authentication-bypass vulnerability in the Service Finder Bookings plugin / theme (CVE-2025-5947) is being actively exploited to log in as arbitrary users, including administrators, and take over sites. Multiple vendors (Wordfence, The Hacker News, Security Affairs) reported exploitation activity and published mitigations. (Sources: wordfence.com and others)
Why it matters: an authentication bypass means immediate full-site compromise (PHP uploads, database export, persistent backdoors). Many WordPress sites run third-party themes and plugins without a rapid patching process. (Source: wordfence.com)
Key facts: recent telemetry shows thousands of exploitation attempts since August, with spikes into the tens of thousands on some days (reports cite ~13,800 recorded attempts for recent activity windows). Update vulnerable plugin versions to the patched release or replace the component. (Sources: SC Media and others)
Immediate actions: update the Service Finder plugin/theme to the fixed versions (or disable/remove it), rotate admin credentials, enforce MFA, scan for new admin users and web shells, and examine the uploads directory and the wp_users table for anomalies. (Sources: wordfence.com and others)
3) “RediShell” — critical Redis remote code execution (CVE-2025-49844) — patch now
What happened: A long-standing use-after-free in Redis' Lua engine (CVE-2025-49844, nicknamed "RediShell") allows RCE via crafted Lua scripts. Redis Foundation published an advisory and released fixes; several vendors published technical analysis and mitigation guidance. (Sources: Redis and others)
Why it matters: Redis is ubiquitous (caching, session stores, queues), and many deployments expose it inadvertently or run it without authentication. The impact is rated critical (vendors flagged full host compromise), and the bug reportedly existed in the code for over a decade, so weaponization is likely to be rapid. (Sources: sysdig.com and others)
Immediate actions: apply Redis security updates immediately; ensure Redis is not internet-facing; enable AUTH and bind it to internal interfaces only; monitor for unknown Lua scripts, anomalous commands and unexpected crashes. (Sources: Redis and others)
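The exposure settings named in the actions above (internet-facing, no AUTH, bound to all interfaces) can be checked mechanically in redis.conf. The script below is an added example, not code from Redis or from this digest: it parses a config file, flags the weak settings, and, as an extra defence-in-depth check of my own choosing, flags ACL users that are still allowed the scripting command category (EVAL/EVALSHA/SCRIPT). The two sample configs are constructed, the ACL evaluation is an approximation that only tracks category-level tokens, and the placeholder secret is obviously not a real value.

```python
"""Flag exposure settings in a redis.conf: listening on all interfaces,
protected-mode off, no authentication, and users allowed to run Lua
scripting. Added example, not Redis project code; the sample configs
are constructed, and the scripting check approximates Redis ACL rules."""

# Constructed sample: the kind of exposed instance the digest warns about.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: bound to loopback plus an internal address, password
# set, default user disabled, application user denied the scripting
# category (EVAL/EVALSHA/SCRIPT) as defence in depth.
HARDENED_CONF = """\
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass REPLACE-WITH-STRONG-SECRET
user default off
user app on >REPLACE-WITH-STRONG-SECRET ~* &* +@all -@scripting
"""

# Bind addresses that make Redis listen on every interface.
ALL_INTERFACES = {"0.0.0.0", "*", "::", "-::*"}


def parse_conf(text):
    """Return (directive, args) pairs, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def user_allows_scripting(rules):
    """Approximate ACL evaluation: rules apply left to right and a new user
    starts with no commands; only category-level tokens are tracked."""
    allowed = False
    for tok in rules:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed


def audit_redis_conf(text):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    entries = parse_conf(text)
    findings = []

    binds = [args for d, args in entries if d == "bind"]
    # With no bind directive at all, Redis listens on all interfaces.
    if not binds or any(a in ALL_INTERFACES for args in binds for a in args):
        findings.append("bind-all")

    if any(d == "protected-mode" and args and args[0].lower() == "no"
           for d, args in entries):
        findings.append("protected-mode-off")

    has_requirepass = any(d == "requirepass" for d, _ in entries)
    has_aclfile = any(d == "aclfile" for d, _ in entries)
    users = [args for d, args in entries if d == "user"]
    if not (has_requirepass or has_aclfile or users):
        findings.append("no-auth")

    # Without any ACL users the default user keeps +@all, scripting included.
    if not users and not has_aclfile:
        findings.append("scripting-allowed:default")
    for args in users:
        if len(args) > 1 and "on" in args[1:] and user_allows_scripting(args[1:]):
            findings.append("scripting-allowed:" + args[0])
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

Run it against a real redis.conf by passing the file contents to audit_redis_conf; an `aclfile` directive is treated as "authentication configured elsewhere", so review that file separately rather than trusting the empty result.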
4) SonicWall MySonicWall cloud backup incident — all cloud backups impacted (update)
What happened: SonicWall updated its investigation and concluded that an unauthorized party accessed firewall configuration backup files stored in the MySonicWall cloud backup service for all customers who had used that service. The files contain encrypted credentials and configuration data that could make targeted exploitation easier. SonicWall provided remediation steps and an "Essential Credential Reset" playbook. (Sources: SonicWall and others)
Why it matters: firewall configs reveal network topology, rules, VPN credentials and device settings, an excellent intelligence source for follow-on, targeted attacks against the affected networks. The exposure is not a simple patch-and-forget issue; customers must rotate credentials and reconfigure sensitive items. (Sources: blumira.com and others)
Immediate actions: check the MySonicWall portal for impacted devices, force credential rotation for any secrets referenced in the backups, audit VPN and remote-access settings, and follow SonicWall's remediation playbook. Network defenders should heighten monitoring for reconnaissance and lateral-movement indicators. (Sources: blumira.com and others)
5) Continuing trend: WordPress “Alone” theme RCE — legacy but still relevant
What happened: The critical file-upload RCE in the "Alone" theme (CVE-2025-5394) was widely exploited in summer 2025; defenders (Wordfence/BleepingComputer) recorded more than 120k blocked attempts during active campaigns. While the initial frenzy is older, the underlying lesson remains current: unpatched themes are high-volume targets. (Sources: BleepingComputer and others)
Why it matters: attackers reuse known vulnerable themes and plugins; organizations that do not patch or remove unused themes remain easy to compromise. (Source: ccb.belgium.be)
Immediate actions: audit installed themes/plugins, remove unused ones, update the remaining components, and use file integrity monitoring (FIM) and a web application firewall (WAF) to reduce exposure.
Short explanations, stats & interesting facts
- Exploit windows are measured in hours or days. The Oracle EBS campaign shows attackers rapidly pivoting from vulnerability discovery to extortion mails and large-scale scanning; vendors reported activity beginning in late September with emergency responses in early October. Rapid weaponization is now normal for high-value enterprise software. (Sources: Google Cloud and others)
- The Redis bug lay dormant in the code for a long time. The RediShell issue was present for ~13 years, illustrating how deeply buried memory-corruption bugs can remain before yielding critical consequences once discovered. That increases the urgency of rapid patching and network isolation of DB/cache components. (Source: sysdig.com)
- WordPress remains a high-volume target because of ecosystem scale. Rough figures: WordPress runs ~40–45% of the web (CMS market dominance), and popular themes/plugins create clustered risk. The Alone theme exploitation saw more than 120k blocked attempts, and Service Finder saw thousands of daily attempts in recent weeks; these numbers underline the scale and automation involved. (Sources: BleepingComputer and others)
- Supply-chain and configuration data are gold. The SonicWall backups show that even encrypted configuration artifacts can reveal enough context for targeted attacks (VPN endpoints, ACLs, service credentials). Attackers prefer low-effort, high-intelligence gains. (Sources: SonicWall and others)
Practical, prioritized action plan (what you should do now)
Emergency (next 24 hours)
- Patch critical CVEs listed above: Oracle EBS (apply Oracle security alert), Redis (CVE-2025-49844), and any WordPress plugins/themes known to be exploited (Service Finder, Alone).
- Rotate credentials & MFA: SonicWall customers must rotate any credentials that may have been included in backups; rotate keys and reset passwords for exposed services. Enable MFA on admin consoles.
- Isolate internet-facing instances: remove public access to Redis/management consoles; if you cannot patch immediately, block access with ACLs or WAF rules.
Short term (72 hours → 2 weeks)
- Hunt for IOCs: search for unusual POSTs to plugin/theme endpoints, new admin users, suspicious uploads (odd MIME types), unexpected Lua scripts in Redis, or outbound connections to unknown domains.
- Forensic snapshots: if you suspect compromise, preserve memory, disk and DB snapshots before remediation. This helps legal, insurance and root-cause analysis.
- WAF & FIM: enable tuned WAF rules for upload protection and install File Integrity Monitoring with alerts for theme/core file changes.
Operational (2–8 weeks)
- Harden deployment pipelines: require staging/approval for plugin/theme installs, scan dependencies, and perform code reviews for third-party components.
- Improve asset inventory: map which sites use which themes/plugins, which Redis/DB instances are reachable externally, and which devices use cloud backup features.
- Tabletop IR exercises: run scenarios for extortion, web compromise and config-leak follow-on attacks (SonicWall style) to rehearse roles and SLAs.
Useful detection queries (quick examples)
- Find recently registered administrator accounts in WordPress (MySQL; replace the wp_ table prefix with your own, which also appears in the meta_key value):
SELECT u.user_login, u.user_email, u.user_registered FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%administrator%' ORDER BY u.user_registered DESC LIMIT 50;
- Search webserver logs for suspicious POSTs to upload, installer or plugin/theme endpoints (combined log format, where the request field starts with the method):
grep -Ei '"POST [^"]*(upload|installer|theme|plugin|booking)' /var/log/nginx/access.log | tail -n 200
- Check Redis for unexpected Lua scripts and function libraries (from redis-cli; add -a or --user/--pass if AUTH is enabled). Redis has no command that lists cached EVAL scripts, so check the cached-script counters, any loaded function libraries (FUNCTION LIST needs Redis 7+), and recent slow commands for EVAL/EVALSHA calls:
redis-cli INFO memory | grep -i scripts
redis-cli FUNCTION LIST
redis-cli SLOWLOG GET 50
(Adapt to your environment and log retention. Preserve evidence before wide searches if you suspect active compromises.)
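The grep one-liner above and the "Hunt for IOCs" item in the short-term plan both come down to the same two WordPress signals: direct POSTs into plugin or theme directories, and PHP files served from the uploads tree. The script below is an added example, not code from Wordfence or from this digest: it parses combined-format access log lines, applies those two rules, and counts hits per source IP so the noisiest client stands out. The log lines, IP addresses, hostname and plugin/theme names are all constructed.

```python
"""Hunt a web server access log for the WordPress indicators named above:
direct POSTs into plugin/theme directories and PHP files served from the
uploads tree. Added example, not from Wordfence or the digest; the log
lines are constructed, with the IPs, paths and hostname made up."""
import re
from collections import Counter

# Constructed sample in nginx/Apache combined log format.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Oct/2025:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Oct/2025:10:12:07 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 54 "-" "python-requests/2.31"
203.0.113.10 - - [07/Oct/2025:10:12:09 +0000] "GET /wp-content/uploads/2025/10/x.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 - - [07/Oct/2025:10:13:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2025:10:13:30 +0000] "GET /wp-content/themes/example-theme/style.css?v=3 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Direct POST to a file inside a plugin or theme directory.
COMPONENT_RE = re.compile(r"^/wp-content/(?:plugins|themes)/[^/]+/", re.I)
# Executable PHP variants under the uploads tree (web shell indicator).
UPLOAD_PHP_RE = re.compile(r"^/wp-content/uploads/.*\.(?:php\d?|phtml|phar)(?:$|/)", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the rule names a request triggers (empty list if none)."""
    hits = []
    if rec["method"] == "POST" and COMPONENT_RE.match(rec["path"]):
        hits.append("post-to-component")
    if UPLOAD_PHP_RE.match(rec["path"]):
        hits.append("php-under-uploads")
    return hits


def hunt(log_text):
    """Return one finding per (request, rule) pair across the whole log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append({"rule": rule, "ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "ua": rec["ua"]})
    return findings


def hits_per_ip(findings):
    """Count findings per source IP to surface the noisiest clients."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f['rule']:18} {f['ip']:15} {f['status']} {f['path']}  [{f['ua']}]")
    print("hits per IP:", dict(hits_per_ip(results)))
```

On a real log, feed the file contents to hunt() and treat a 2xx status on a "php-under-uploads" hit as the highest-priority result, since it means the server executed a file from a directory that should only hold media; a 404 on the same path still shows someone probing for a shell.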