Cyber Posture

CVE-2025-21547

Critical

Published: 21 January 2025
Modified: 23 June 2025
KEV Added: not listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0050 (65.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21547 is a critical-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oracle Hospitality Opera 5. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 34.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1499.004, listed below). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly addresses the CVE by requiring timely identification, reporting, and correction of the Opera Servlet flaw through vendor patching.

SC-5 Denial-of-Service Protection (prevent): Mitigates the uncontrolled resource consumption (CWE-400) that leads to hangs, crashes, and complete DoS with high availability impact.

Input validation (prevent): Validates HTTP inputs to the vulnerable servlet, reducing the risk that crafted requests cause unauthorized data access and resource exhaustion.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Unauthenticated remote HTTP access to the public-facing servlet directly enables T1190; exploitation causes the application to hang or crash (DoS), which maps to T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.20, 5.6.25.8, 5.6.26.6 and 5.6.27.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

Deeper analysis

CVE-2025-21547 is a vulnerability in the Opera Servlet component of Oracle Hospitality OPERA 5, which is part of Oracle Hospitality Applications. The supported versions affected by this issue are 5.6.19.20, 5.6.25.8, 5.6.26.6, and 5.6.27.1. It is classified under CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS 3.1 base score of 9.1 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, reflecting high impacts on confidentiality and availability and no impact on integrity.

An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle Hospitality OPERA 5. Successful attacks enable unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data, along with the unauthorized ability to cause a hang or frequently repeatable crash, resulting in a complete denial of service.

Mitigation details are provided in the Oracle Critical Patch Update advisory available at https://www.oracle.com/security-alerts/cpujan2025.html, published on 2025-01-21. Security practitioners should consult this advisory for patch information and recommended actions specific to the affected versions.

Details

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

Affected Products: Oracle Hospitality OPERA 5, versions 5.6.19.20, 5.6.25.8, 5.6.26.6 and 5.6.27.1

CVEs Like This One

CVE-2026-21967 (same product: Oracle Hospitality Opera 5)
CVE-2026-34290 (same vendor: Oracle)
CVE-2026-34282 (same vendor: Oracle)
CVE-2026-21945 (same vendor: Oracle)
CVE-2025-21549 (same vendor: Oracle)
CVE-2025-21545 (same vendor: Oracle)
CVE-2026-21956 (same vendor: Oracle)
CVE-2026-21955 (same vendor: Oracle)
CVE-2025-21564 (same vendor: Oracle)
CVE-2025-24269 (shared CWE-400)

References