CVE-2025-21515

Severity: High
Published: 21 January 2025
Modified: 17 March 2025
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0095 (76.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21515 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle JD Edwards EnterpriseOne Tools. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Deeper analysis

CVE-2025-21515 is a vulnerability in the Web Runtime SEC component of Oracle JD Edwards EnterpriseOne Tools. It affects versions prior to 9.2.9.0 and carries a CVSS 3.1 base score of 8.8 with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The underlying weakness is categorized under CWE-306.

A low-privileged attacker with network access over HTTP can exploit the flaw without user interaction to fully compromise the product, resulting in complete loss of confidentiality, integrity, and availability and enabling takeover of the JD Edwards EnterpriseOne Tools instance.

The official Oracle advisory at https://www.oracle.com/security-alerts/cpujan2025.html addresses remediation for this issue.

EPSS scores have remained low and essentially flat, with a current value of 0.0095 and a peak of only 0.0101.

Vulnerability details

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CWE(s)

CWE-306: Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

The vulnerability sits in the web runtime component and allows a low-privileged attacker with network (HTTP) access to achieve full application compromise, which maps directly to exploitation of a public-facing application.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

CVE-2025-21524: same product (Oracle JD Edwards EnterpriseOne Tools)
CVE-2025-21511: same product (Oracle JD Edwards EnterpriseOne Tools)
CVE-2025-21510: same product (Oracle JD Edwards EnterpriseOne Tools)
CVE-2025-53072: same vendor (Oracle)
CVE-2025-53037: same vendor (Oracle)
CVE-2026-34279: same vendor (Oracle)
CVE-2025-61757: same vendor (Oracle)
CVE-2025-21535: same vendor (Oracle)
CVE-2026-34285: same vendor (Oracle)
CVE-2026-34275: same vendor (Oracle)

Affected Assets

Vendor: Oracle
Product: JD Edwards EnterpriseOne Tools
Versions: ≤ 9.2.9.0

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Directly remediates the specific flaw in the Web Runtime SEC component by applying Oracle's patch to version 9.2.9.0 or later, preventing exploitation leading to takeover.

Prevent (SI-5, Security Alerts, Advisories, and Directives): Ensures timely monitoring and implementation of vendor security alerts such as Oracle's Critical Patch Update for January 2025, which addresses this CVE.

Detect: Vulnerability scanning identifies JD Edwards EnterpriseOne Tools installations on versions prior to 9.2.9.0, enabling remediation before a low-privileged network attacker can exploit the flaw.
