Cyber Resilience

CVE-2025-21524

Critical

Published: 21 January 2025

Published
21 January 2025
Modified
17 March 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0118 79.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21524 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Jd Edwards Enterpriseone Tools. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

The vulnerability CVE-2025-21524 resides in the Monitoring and Diagnostics SEC component of Oracle JD Edwards EnterpriseOne Tools. It affects all supported versions prior to 9.2.9.0 and stems from missing authentication for a critical function, allowing remote compromise over HTTP.

An unauthenticated attacker with network access can exploit the flaw without credentials or user interaction. Successful attacks result in full takeover of the JD Edwards EnterpriseOne Tools instance, with high impact to confidentiality, integrity, and availability as reflected in the CVSS 3.1 base score of 9.8.

The official Oracle advisory published at https://www.oracle.com/security-alerts/cpujan2025.html addresses remediation for this issue in the January 2025 Critical Patch Update.

The associated EPSS score remains flat at 0.0118 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD…

more

Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an unauthenticated remote attacker exploiting a public-facing web component (Monitoring and Diagnostics SEC) via HTTP to achieve full system takeover, directly mapping to exploitation of a public-facing application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21515Same product: Oracle Jd Edwards Enterpriseone Tools
CVE-2025-21511Same product: Oracle Jd Edwards Enterpriseone Tools
CVE-2025-21510Same product: Oracle Jd Edwards Enterpriseone Tools
CVE-2025-53072Same vendor: Oracle
CVE-2025-53037Same vendor: Oracle
CVE-2026-34279Same vendor: Oracle
CVE-2025-61757Same vendor: Oracle
CVE-2025-21535Same vendor: Oracle
CVE-2026-34285Same vendor: Oracle
CVE-2026-34275Same vendor: Oracle

Affected Assets

oracle
jd edwards enterpriseone tools
≤ 9.2.9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the vulnerability by requiring installation of the Oracle patch for JD Edwards EnterpriseOne Tools prior to version 9.2.9.0.

prevent

Enforces approved authorizations for logical access, preventing unauthenticated HTTP exploitation of the missing authentication in the Monitoring and Diagnostics SEC component.

prevent

Monitors and controls network communications at boundaries to block unauthenticated attacker access via HTTP to the vulnerable component.

References