CVE-2025-21515
Published: 21 January 2025
Summary
CVE-2025-21515 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle JD Edwards EnterpriseOne Tools. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Deeper analysis
CVE-2025-21515 is a vulnerability in the Web Runtime SEC component of Oracle JD Edwards EnterpriseOne Tools. It affects versions prior to 9.2.9.0 and carries a CVSS 3.1 base score of 8.8 with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The underlying weakness is categorized under CWE-306 (Missing Authentication for Critical Function).
A low-privileged attacker with network access over HTTP can exploit the flaw without user interaction to fully compromise the product, resulting in complete loss of confidentiality, integrity, and availability and enabling takeover of the JD Edwards EnterpriseOne Tools instance.
The official Oracle advisory at https://www.oracle.com/security-alerts/cpujan2025.html addresses remediation for this issue.
EPSS scores have remained low and essentially flat, with a current value of 0.0095 and a peak of only 0.0101.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2504
Vulnerability details
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Vulnerability in web runtime component allows low-privileged network attacker (HTTP) to achieve full application compromise, directly enabling exploitation of public-facing application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the specific flaw in the Web Runtime SEC component by applying Oracle's patch to version 9.2.9.0 or later, preventing exploitation leading to takeover.
- SI-5 (Security Alerts, Advisories, and Directives): Ensures timely monitoring and implementation of vendor security alerts such as Oracle's Critical Patch Update for January 2025, which addresses this CVE.
- RA-5 (Vulnerability Monitoring and Scanning): Vulnerability scanning identifies JD Edwards EnterpriseOne Tools installations on versions prior to 9.2.9.0, enabling remediation before a low-privileged network attacker can exploit them.