CVE-2025-21535
Published: 21 January 2025
Summary
CVE-2025-21535 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Weblogic Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-7 (Boundary Protection).
Deeper analysis
The vulnerability CVE-2025-21535 resides in the Core component of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 12.2.1.4.0 and 14.1.1.0.0 and is tracked under CWE-306. The flaw carries a CVSS 3.1 base score of 9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
An unauthenticated attacker with network access via the T3 or IIOP protocols can exploit the issue without requiring user interaction or credentials. Successful exploitation results in full takeover of the Oracle WebLogic Server instance, granting the attacker control over confidentiality, integrity, and availability.
The January 2025 Oracle Critical Patch Update at https://www.oracle.com/security-alerts/cpujan2025.html addresses the vulnerability and supplies mitigation guidance for affected deployments.
EPSS remains low with only minimal movement between its current value of 0.0100 and recorded peak of 0.0119.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2524
Vulnerability details
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful…
more
attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes unauthenticated remote exploitation of a critical function in a public-facing Oracle WebLogic Server via network protocols (T3/IIOP), directly enabling initial access through exploitation of a public-facing application with full server takeover.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely identification, reporting, and correction of flaws like CVE-2025-21535 through patching Oracle WebLogic Server as per the advisory.
Directly addresses CWE-306 by identifying, documenting, and restricting critical functions performable without authentication in WebLogic Core via T3/IIOP.
Monitors and controls network communications at external boundaries to block unauthenticated access via vulnerable T3 and IIOP protocols.