CVE-2025-21549
Published: 21 January 2025
Summary
CVE-2025-21549 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oracle Weblogic Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 41.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly addressing this WebLogic Server vulnerability by applying patches from the Oracle Critical Patch Update.
SC-5 provides denial-of-service protection that limits the effects of resource exhaustion attacks like this HTTP/2-triggered hang or crash.
SC-6 ensures resource availability by controlling allocation and preventing uncontrolled consumption (CWE-400) that leads to server DoS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in WebLogic Server allows remote unauthenticated exploitation via HTTP/2 to trigger uncontrolled resource consumption leading to application crash/hang and DoS, directly enabling T1499.004 Application or System Exploitation.
NVD Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server. Successful attacks of…
more
this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Deeper analysisAI
CVE-2025-21549 is a vulnerability in the Core component of Oracle WebLogic Server, which is part of the Oracle Fusion Middleware product. The supported version affected is 14.1.1.0.0. This easily exploitable issue, associated with CWE-400 (Uncontrolled Resource Consumption), enables attackers to compromise the server through HTTP/2 traffic. It has a CVSS 3.1 base score of 7.5, reflecting high availability impact with no effects on confidentiality or integrity, as detailed in the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
An unauthenticated attacker with network access via HTTP/2 can exploit this vulnerability to cause a hang or frequently repeatable crash, resulting in a complete denial of service (DoS) against Oracle WebLogic Server. No privileges, user interaction, or special scope changes are required, making it accessible to remote actors over the network with low complexity.
Mitigation details are provided in the Oracle Critical Patch Update advisory for January 2025, available at https://www.oracle.com/security-alerts/cpujan2025.html.
Details
- CWE(s)