Cyber Resilience

CVE-2025-21511

High

Published: 21 January 2025

Published
21 January 2025
Modified
17 March 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0024 47.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21511 is a high-severity Origin Validation Error (CWE-346) vulnerability in Oracle Jd Edwards Enterpriseone Tools. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-21511 is a vulnerability in the Web Runtime SEC component of Oracle JD Edwards EnterpriseOne Tools. Supported versions affected are those prior to 9.2.9.0. The issue, associated with CWE-346, carries a CVSS 3.1 base score of 7.5 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), with high confidentiality impact and no integrity or availability effects.

An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise JD Edwards EnterpriseOne Tools. Successful exploitation allows unauthorized access to critical data or complete access to all data accessible by the product.

Oracle's security advisory at https://www.oracle.com/security-alerts/cpujan2025.html provides details on the vulnerability and mitigation, including patches for affected versions. Organizations should apply the recommended updates to versions 9.2.9.0 and later to address the issue.

EU & UK References

Vulnerability details

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards…

more

EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is in a public-facing web component (Web Runtime SEC of JD Edwards EnterpriseOne Tools) and allows unauthenticated remote attackers to access sensitive data over HTTP, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21515Same product: Oracle Jd Edwards Enterpriseone Tools
CVE-2025-21524Same product: Oracle Jd Edwards Enterpriseone Tools
CVE-2025-21510Same product: Oracle Jd Edwards Enterpriseone Tools
CVE-2025-50105Same vendor: Oracle
CVE-2025-21565Same vendor: Oracle
CVE-2026-46821Same vendor: Oracle
CVE-2025-53037Same vendor: Oracle
CVE-2025-50060Same vendor: Oracle
CVE-2026-46823Same vendor: Oracle
CVE-2026-46839Same vendor: Oracle

Affected Assets

oracle
jd edwards enterpriseone tools
≤ 9.2.9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely patching of the Web Runtime SEC vulnerability in JD Edwards EnterpriseOne Tools prior to 9.2.9.0 to eliminate the flaw allowing unauthorized data access.

prevent

Monitors and controls network communications at external boundaries to block unauthenticated HTTP access required to exploit CVE-2025-21511.

detect

Provides continuous monitoring to identify unauthorized network connections and access attempts exploiting the vulnerability for critical data disclosure.

References