Cyber Resilience

CVE-2025-21535

Critical

Published: 21 January 2025

Published
21 January 2025
Modified
23 June 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0100 77.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21535 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Weblogic Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-7 (Boundary Protection).

Deeper analysis

The vulnerability CVE-2025-21535 resides in the Core component of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 12.2.1.4.0 and 14.1.1.0.0 and is tracked under CWE-306. The flaw carries a CVSS 3.1 base score of 9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

An unauthenticated attacker with network access via the T3 or IIOP protocols can exploit the issue without requiring user interaction or credentials. Successful exploitation results in full takeover of the Oracle WebLogic Server instance, granting the attacker control over confidentiality, integrity, and availability.

The January 2025 Oracle Critical Patch Update at https://www.oracle.com/security-alerts/cpujan2025.html addresses the vulnerability and supplies mitigation guidance for affected deployments.

EPSS remains low with only minimal movement between its current value of 0.0100 and recorded peak of 0.0119.

EU & UK References

Vulnerability details

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful…

more

attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes unauthenticated remote exploitation of a critical function in a public-facing Oracle WebLogic Server via network protocols (T3/IIOP), directly enabling initial access through exploitation of a public-facing application with full server takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34305Same product: Oracle Weblogic Server
CVE-2025-21515Same vendor: Oracle
CVE-2025-21524Same vendor: Oracle
CVE-2025-53072Same vendor: Oracle
CVE-2025-53037Same vendor: Oracle
CVE-2026-34279Same vendor: Oracle
CVE-2025-21549Same product: Oracle Weblogic Server
CVE-2025-61757Same vendor: Oracle
CVE-2026-34285Same vendor: Oracle
CVE-2026-34275Same vendor: Oracle

Affected Assets

oracle
weblogic server
12.2.1.4.0, 14.1.1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and correction of flaws like CVE-2025-21535 through patching Oracle WebLogic Server as per the advisory.

prevent

Directly addresses CWE-306 by identifying, documenting, and restricting critical functions performable without authentication in WebLogic Core via T3/IIOP.

prevent

Monitors and controls network communications at external boundaries to block unauthenticated access via vulnerable T3 and IIOP protocols.

References