CVE-2025-30743
Published: 15 July 2025
Summary
CVE-2025-30743 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Oracle Lease And Finance Management. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 33.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring timely remediation of the specific authorization flaw in Oracle Lease and Finance Management through patching as advised in the Critical Patch Update.
- AC-3 (Access Enforcement): Ensures the system enforces approved access authorizations, preventing low-privileged attackers from gaining unauthorized create, delete, modify, or read access to critical data due to incorrect authorization (CWE-863).
- AC-6 (Least Privilege): Enforces least privilege to limit the scope of access and actions available to low-privileged users, reducing the potential impact of the authorization bypass vulnerability.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Incorrect authorization (CWE-863) in a network-accessible Oracle E-Business Suite web component directly enables remote exploitation of a public-facing application to achieve unauthorized data access and modification.
NVD Description
Vulnerability in the Oracle Lease and Finance Management product of Oracle E-Business Suite (component: Internal Operations). The supported version that is affected is 12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Lease and Finance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Lease and Finance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Lease and Finance Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Deeper analysis
CVE-2025-30743 is a vulnerability in the Oracle Lease and Finance Management product, which is part of Oracle E-Business Suite, specifically affecting the Internal Operations component. The supported version impacted is 12.2.13. It is classified under CWE-863 (Incorrect Authorization) and carries a CVSS 3.1 Base Score of 8.1 (High), with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating high confidentiality and integrity impacts but no availability impact. The vulnerability was published on 2025-07-15.
A low-privileged attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle Lease and Finance Management. Successful exploitation allows unauthorized creation, deletion, or modification of critical data or all data accessible by the product, as well as unauthorized access to critical data or complete access to all Oracle Lease and Finance Management accessible data.
The Oracle Critical Patch Update for July 2025 provides details on mitigation, including recommended patches, as outlined in the advisory at https://www.oracle.com/security-alerts/cpujul2025.html. Security practitioners should apply these updates promptly to affected Oracle E-Business Suite deployments.
Details
- CWE(s)