Cyber Resilience

CVE-2015-2590

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 July 2015
Modified: 21 April 2026
KEV Added: 03 March 2022
Patch: vendor patches available (see References)
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6662 (98.6th percentile)
Risk Priority: 80 (60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2015-2590 is a critical-severity unspecified vulnerability in the Libraries component of Oracle Java SE. It is also tracked against the Java packages shipped by Red Hat (including Enterprise Linux EUS), SUSE, Debian and Ubuntu. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 1.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2015-2590 is an unspecified vulnerability affecting the Libraries component of Oracle Java SE versions 6u95, 7u80, and 8u45, as well as Java SE Embedded versions 7u75 and 8u33. It is distinct from CVE-2015-4732 and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors with no required privileges or user interaction.

Remote attackers can exploit the flaw via unknown vectors to affect confidentiality, integrity, and availability on affected systems. The CVSS vector (PR:N, UI:N, C:H/I:H/A:H) corresponds to complete compromise of the targeted Java runtime environment without authentication.

Advisories from openSUSE and Red Hat, including RHSA-2015:1228, address the issue through updated Java packages that remediate the Libraries component exposure in supported distributions. The references provide no further details on exploitation in the wild and no mitigations beyond applying the vendor patches.

EU & UK References

Vulnerability details

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CWE(s): none listed
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle / jdk: 1.6.0, 1.7.0, 1.8.0
oracle / jre: 1.6.0, 1.7.0, 1.8.0
canonical / ubuntu linux: 12.04, 14.04, 15.04
debian / debian linux: 7.0, 8.0
suse / linux enterprise debuginfo: 11
opensuse / opensuse: 13.1, 13.2
suse / linux enterprise desktop: 11, 12
suse / linux enterprise server: 12
redhat / satellite: 5.6, 5.7
redhat / enterprise linux desktop: 5.0, 6.0, 7.0
+11 more product configurations; see NVD for the full list.

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of the vendor patches that remediate the Libraries flaw in the listed Java SE and Java SE Embedded versions.

CM-7 Least Functionality (prevent)

Requires disabling or removing Java runtime components where they are not needed, which eliminates the attack surface for this unauthenticated, network-reachable vulnerability.

SI-3 Malicious Code Protection (prevent, detect)

Deploys malicious-code detection mechanisms that can block or alert on exploit attempts targeting the unauthenticated Java Libraries vector.
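The SI-2 control above and the affected version list in the deeper analysis both reduce, in practice, to one check: is a runtime at or below 6u95, 7u80 or 8u45 (Java SE Embedded 7u75 and 8u33 fall under the same bounds)? The script below is an added example, not code from this page, Oracle or any distribution. It parses `java -version` banners and flags runtimes in the affected range. Assumptions: the banner format used for the regexes, the vendor-detection strings, the `scan_local_java` helper name, and the constructed sample banners are all mine; OpenJDK builds from the listed distributions are flagged by update level only, so confirm against the distribution advisory before acting on a hit. This is a version triage, not a proof of exploitability.

```python
"""Triage helper for CVE-2015-2590: flag Java runtimes at or below the
affected update levels. Added example, not code from the page or from Oracle.
Assumes `java -version` output in the usual banner format; the sample
banners below are constructed, not captured from real hosts."""
import re
import subprocess

# Highest update level still affected per major line, from the CVE text:
# Java SE 6u95, 7u80, 8u45. Java SE Embedded 7u75 and 8u33 sit below the
# same bounds, so a single "update <= max" rule covers them too.
AFFECTED_MAX_UPDATE = {6: 95, 7: 80, 8: 45}

# First line of `java -version`, e.g. java version "1.8.0_45"
BANNER_RE = re.compile(r'^(?:java|openjdk) version "(?P<ver>[^"]+)"', re.MULTILINE)
# Pre-JDK 9 scheme: 1.<major>.0_<update>; JDK 9+: <major>.<minor>.<security>
OLD_STYLE_RE = re.compile(r'^1\.(?P<major>\d+)\.0(?:_(?P<update>\d+))?')
NEW_STYLE_RE = re.compile(r'^(?P<major>\d+)(?:\.(?P<minor>\d+))?')


def parse_version_string(ver):
    """Return (major, update) for the quoted version string, or None."""
    m = OLD_STYLE_RE.match(ver)
    if m:
        return int(m.group("major")), int(m.group("update") or 0)
    m = NEW_STYLE_RE.match(ver)
    if m:
        return int(m.group("major")), int(m.group("minor") or 0)
    return None


def is_affected(major, update):
    """True when the version is within the range named by the CVE."""
    return update <= AFFECTED_MAX_UPDATE.get(major, -1)


def vendor_of(banner):
    # Assumed vendor markers; they are not part of the CVE text.
    if "Java(TM) SE Runtime Environment" in banner:
        return "Oracle"
    if "OpenJDK Runtime Environment" in banner:
        return "OpenJDK"
    return "unknown"


def triage(banner):
    """Classify one `java -version` banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return {"version": None, "vendor": vendor_of(banner), "affected": False,
                "reason": "no version line found"}
    ver = m.group("ver")
    parsed = parse_version_string(ver)
    if parsed is None:
        return {"version": ver, "vendor": vendor_of(banner), "affected": False,
                "reason": "unrecognised version format"}
    major, update = parsed
    affected = is_affected(major, update)
    reason = ("at or below %du%d" % (major, AFFECTED_MAX_UPDATE[major])
              if affected else "newer than the affected range")
    return {"version": ver, "vendor": vendor_of(banner), "affected": affected,
            "reason": reason}


def scan_local_java(binaries=("java",)):
    """Run each candidate binary with -version and triage the banner.
    Missing binaries are reported rather than raised (hypothetical helper)."""
    results = []
    for path in binaries:
        try:
            out = subprocess.run([path, "-version"], capture_output=True,
                                 text=True, timeout=10)
        except FileNotFoundError:
            results.append({"binary": path, "version": None, "affected": False,
                            "reason": "binary not found"})
            continue
        r = triage(out.stderr + out.stdout)  # JDKs print the banner on stderr
        r["binary"] = path
        results.append(r)
    return results


# Constructed sample banners (not captured output) covering the three cases.
SAMPLE_BANNERS = {
    "oracle_8u45": 'java version "1.8.0_45"\n'
                   'Java(TM) SE Runtime Environment (build 1.8.0_45-b14)\n'
                   'Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)',
    "oracle_8u51": 'java version "1.8.0_51"\n'
                   'Java(TM) SE Runtime Environment (build 1.8.0_51-b16)',
    "openjdk_7u79": 'openjdk version "1.7.0_79"\n'
                    'OpenJDK Runtime Environment (IcedTea 2.5.5)',
    "openjdk_11": 'openjdk version "11.0.2" 2019-01-15\n'
                  'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, triage(banner))
    for r in scan_local_java():
        print("local", r)
```

Run it on a host to get a line per `java` binary; pass explicit paths (for example every `bin/java` under `/usr/lib/jvm`) to `scan_local_java` to catch runtimes that are installed but not first on PATH, which is where CM-7 cleanup usually finds leftover JREs.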

References