CVE-2025-21532
Published: 21 January 2025
Summary
CVE-2025-21532 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Oracle Analytics Desktop. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 38.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely remediation of the flaw in the Oracle Analytics Desktop Install component through patching to version 8.1.0 or later, preventing low-privileged local exploitation.
- SI-5 (Security Alerts, Advisories, and Directives): Mandates receiving and acting on Oracle's Critical Patch Update advisory for this vulnerability, enabling prompt application of the fix.
- Least privilege: Enforces least privilege to restrict low-privileged local users from accessing or exploiting the vulnerable Install component, limiting escalation potential.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The local privilege escalation vulnerability (CWE-276: low-privileged local access leading to full product compromise) directly enables Exploitation for Privilege Escalation (T1068).
NVD Description
Vulnerability in the Oracle Analytics Desktop product of Oracle Analytics (component: Install). Supported versions that are affected are Prior to 8.1.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Analytics Desktop executes to compromise Oracle Analytics Desktop. Successful attacks of this vulnerability can result in takeover of Oracle Analytics Desktop. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Deeper analysis
CVE-2025-21532 is a vulnerability in the Install component of Oracle Analytics Desktop, which is part of the Oracle Analytics product. Supported versions affected by this issue are those prior to 8.1.0. The vulnerability carries a CVSS 3.1 base score of 7.8, with the vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impacts to confidentiality, integrity, and availability. It is associated with CWE-276.
A low-privileged attacker with logon access to the infrastructure where Oracle Analytics Desktop executes can exploit this easily exploitable vulnerability to fully compromise the product. Successful attacks enable takeover of Oracle Analytics Desktop, allowing the attacker to read, modify, or delete data, as well as deny access to the service.
Oracle has published details in its Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpujan2025.html, released on 2025-01-21. Installations running versions prior to 8.1.0 should be upgraded to 8.1.0 or later to remediate the vulnerability.
Details
- CWE(s)