CVE-2025-21515
Published: 21 January 2025
Summary
CVE-2025-21515 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Jd Edwards Enterpriseone Tools. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the specific flaw in the Web Runtime SEC component by applying Oracle's patch to version 9.2.9.0 or later, preventing exploitation leading to takeover.
Ensures timely monitoring and implementation of vendor security alerts like Oracle's Critical Patch Update for January 2025 addressing this CVE.
Vulnerability scanning identifies the affected JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0, enabling remediation before low-privileged network exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in web runtime component allows low-privileged network attacker (HTTP) to achieve full application compromise, directly enabling exploitation of public-facing application.
NVD Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD…
more
Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Deeper analysisAI
CVE-2025-21515 is a vulnerability in the Web Runtime SEC component of Oracle JD Edwards EnterpriseOne Tools. Supported versions affected are those prior to 9.2.9.0. The issue, linked to CWE-306, carries a CVSS 3.1 base score of 8.8 (vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impacts to confidentiality, integrity, and availability.
A low-privileged attacker (PR:L) with network access via HTTP can easily exploit this vulnerability without user interaction. Successful exploitation allows compromise of JD Edwards EnterpriseOne Tools, enabling full takeover of the application.
Oracle's Critical Patch Update for January 2025 details mitigation steps, including patches to address the vulnerability in affected versions. Security practitioners should consult https://www.oracle.com/security-alerts/cpujan2025.html and upgrade to version 9.2.9.0 or later.
Details
- CWE(s)