CVE-2025-21535
Published: 21 January 2025
Summary
CVE-2025-21535 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Weblogic Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and correction of flaws like CVE-2025-21535 through patching Oracle WebLogic Server as per the advisory.
Directly addresses CWE-306 by identifying, documenting, and restricting critical functions performable without authentication in WebLogic Core via T3/IIOP.
Monitors and controls network communications at external boundaries to block unauthenticated access via vulnerable T3 and IIOP protocols.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes unauthenticated remote exploitation of a critical function in a public-facing Oracle WebLogic Server via network protocols (T3/IIOP), directly enabling initial access through exploitation of a public-facing application with full server takeover.
NVD Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful…
more
attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Deeper analysisAI
CVE-2025-21535 is a vulnerability in the Core component of Oracle WebLogic Server, which is part of Oracle Fusion Middleware. The supported versions affected are 12.2.1.4.0 and 14.1.1.0.0. It has been assigned CWE-306 (Missing Authentication for Critical Function) and carries a CVSS 3.1 base score of 9.8.
An unauthenticated attacker with network access via the T3 or IIOP protocols can easily exploit this vulnerability to compromise Oracle WebLogic Server. Successful exploitation enables a full takeover of the server, with high impacts to confidentiality, integrity, and availability, as reflected in the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The Oracle Critical Patch Update advisory provides details on mitigation, available at https://www.oracle.com/security-alerts/cpujan2025.html.
Details
- CWE(s)