Cyber Posture

CVE-2025-21524

Critical

Published: 21 January 2025

Modified: 17 March 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0118 (78.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21524 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle JD Edwards EnterpriseOne Tools. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 21.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly remediates the vulnerability by installing the Oracle patch on JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0.

- prevent (AC-3, Access Enforcement): Enforces approved authorizations for logical access, preventing unauthenticated HTTP exploitation of the missing authentication check in the Monitoring and Diagnostics SEC component.

- prevent (SC-7, Boundary Protection): Monitors and controls network communications at system boundaries to block unauthenticated attacker access via HTTP to the vulnerable component.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The CVE describes an unauthenticated remote attacker exploiting a public-facing web component (Monitoring and Diagnostics SEC) via HTTP to achieve full system takeover, directly mapping to exploitation of a public-facing application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Deeper analysis

CVE-2025-21524 is a vulnerability in the Monitoring and Diagnostics SEC component of the JD Edwards EnterpriseOne Tools product from Oracle JD Edwards. Supported versions affected are those prior to 9.2.9.0.

The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP. Successful exploitation allows the attacker to compromise JD Edwards EnterpriseOne Tools, resulting in a takeover with high impacts to confidentiality, integrity, and availability. It has a CVSS 3.1 base score of 9.8, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and is associated with CWE-306.

The Oracle Critical Patch Update for January 2025 provides details on patches and mitigation at https://www.oracle.com/security-alerts/cpujan2025.html.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)

Affected Products

Oracle JD Edwards EnterpriseOne Tools: ≤ 9.2.9.0

CVEs Like This One

- CVE-2025-21515 (same product: Oracle JD Edwards EnterpriseOne Tools)
- CVE-2025-21511 (same product: Oracle JD Edwards EnterpriseOne Tools)
- CVE-2025-21510 (same product: Oracle JD Edwards EnterpriseOne Tools)
- CVE-2025-21535 (same vendor: Oracle)
- CVE-2025-61757 (same vendor: Oracle)
- CVE-2025-53037 (same vendor: Oracle)
- CVE-2026-34279 (same vendor: Oracle)
- CVE-2026-21992 (same vendor: Oracle)
- CVE-2026-34275 (same vendor: Oracle)
- CVE-2026-34285 (same vendor: Oracle)
