CVE-2025-21524
Published: 21 January 2025
Summary
CVE-2025-21524 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Jd Edwards Enterpriseone Tools. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
The vulnerability CVE-2025-21524 resides in the Monitoring and Diagnostics SEC component of Oracle JD Edwards EnterpriseOne Tools. It affects all supported versions prior to 9.2.9.0 and stems from missing authentication for a critical function, allowing remote compromise over HTTP.
An unauthenticated attacker with network access can exploit the flaw without credentials or user interaction. Successful attacks result in full takeover of the JD Edwards EnterpriseOne Tools instance, with high impact to confidentiality, integrity, and availability as reflected in the CVSS 3.1 base score of 9.8.
The official Oracle advisory published at https://www.oracle.com/security-alerts/cpujan2025.html addresses remediation for this issue in the January 2025 Critical Patch Update.
The associated EPSS score remains flat at 0.0118 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2513
Vulnerability details
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD…
more
Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an unauthenticated remote attacker exploiting a public-facing web component (Monitoring and Diagnostics SEC) via HTTP to achieve full system takeover, directly mapping to exploitation of a public-facing application for initial access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the vulnerability by requiring installation of the Oracle patch for JD Edwards EnterpriseOne Tools prior to version 9.2.9.0.
Enforces approved authorizations for logical access, preventing unauthenticated HTTP exploitation of the missing authentication in the Monitoring and Diagnostics SEC component.
Monitors and controls network communications at boundaries to block unauthenticated attacker access via HTTP to the vulnerable component.