CVE-2025-21511
Published: 21 January 2025
Summary
CVE-2025-21511 is a high-severity Origin Validation Error (CWE-346) vulnerability in Oracle Jd Edwards Enterpriseone Tools. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely patching of the Web Runtime SEC vulnerability in JD Edwards EnterpriseOne Tools prior to 9.2.9.0 to eliminate the flaw allowing unauthorized data access.
Monitors and controls network communications at external boundaries to block unauthenticated HTTP access required to exploit CVE-2025-21511.
Provides continuous monitoring to identify unauthorized network connections and access attempts exploiting the vulnerability for critical data disclosure.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is in a public-facing web component (Web Runtime SEC of JD Edwards EnterpriseOne Tools) and allows unauthenticated remote attackers to access sensitive data over HTTP, directly enabling exploitation of public-facing applications.
NVD Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards…
more
EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Deeper analysisAI
CVE-2025-21511 is a vulnerability in the Web Runtime SEC component of Oracle JD Edwards EnterpriseOne Tools. Supported versions affected are those prior to 9.2.9.0. The issue, associated with CWE-346, carries a CVSS 3.1 base score of 7.5 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), with high confidentiality impact and no integrity or availability effects.
An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise JD Edwards EnterpriseOne Tools. Successful exploitation allows unauthorized access to critical data or complete access to all data accessible by the product.
Oracle's security advisory at https://www.oracle.com/security-alerts/cpujan2025.html provides details on the vulnerability and mitigation, including patches for affected versions. Organizations should apply the recommended updates to versions 9.2.9.0 and later to address the issue.
Details
- CWE(s)