Cyber Resilience

CVE-2025-30743

Severity: High
Published: 15 July 2025
Modified: 29 July 2025
KEV Added: not listed
Patch: available (Oracle Critical Patch Update, July 2025)
CVSS score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0040 (60.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30743 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Oracle Lease And Finance Management. Its CVSS base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0040 places it in the top 39.1% of CVEs by exploit likelihood (60.9th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-30743 is a vulnerability in the Oracle Lease and Finance Management product, which is part of Oracle E-Business Suite, specifically affecting the Internal Operations component. The supported version impacted is 12.2.13. It is classified under CWE-863 (Incorrect Authorization) and carries a CVSS 3.1 Base Score of 8.1 (High), with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating high confidentiality and integrity impacts but no availability impact. The vulnerability was published on 2025-07-15.

A low-privileged attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle Lease and Finance Management. Note the PR:L in the vector: exploitation requires an authenticated account in the application, not an anonymous request, and the unchanged scope (S:U) means the impact is confined to data the application itself can reach. Successful exploitation allows unauthorized creation, deletion or modification of critical data, or of all data accessible to the product, as well as unauthorized read access to critical data or to all Oracle Lease and Finance Management accessible data.

The Oracle Critical Patch Update for July 2025 provides the mitigation, including the recommended patches, in the advisory at https://www.oracle.com/security-alerts/cpujul2025.html. Practitioners should apply these updates promptly to affected Oracle E-Business Suite deployments; until they are applied, limiting network exposure of the E-Business Suite web tier and reviewing which low-privileged accounts can reach the Lease and Finance Management component reduces the population of users able to exploit it.

Vulnerability details

Vulnerability in the Oracle Lease and Finance Management product of Oracle E-Business Suite (component: Internal Operations). The supported version that is affected is 12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Lease and Finance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Lease and Finance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Lease and Finance Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CWE(s)

CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Incorrect authorization (CWE-863) in a network-accessible Oracle E-Business Suite web component directly enables remote exploitation of a public-facing application to achieve unauthorized data access and modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-46823 (same vendor: Oracle)
CVE-2025-21565 (same vendor: Oracle)
CVE-2025-30744 (same vendor: Oracle)
CVE-2025-30751 (same vendor: Oracle)
CVE-2025-21556 (same vendor: Oracle)
CVE-2025-21506 (same vendor: Oracle)
CVE-2025-21516 (same vendor: Oracle)
CVE-2026-46839 (same vendor: Oracle)
CVE-2025-21515 (same vendor: Oracle)
CVE-2026-46775 (same vendor: Oracle)

Affected Assets

Oracle Lease and Finance Management, version 12.2.13

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates the CVE by requiring timely remediation of the specific authorization flaw in Oracle Lease and Finance Management through patching as advised in the Critical Patch Update.

AC-3 Access Enforcement (prevent)
Ensures the system enforces approved access authorizations, preventing low-privileged attackers from gaining unauthorized create, delete, modify or read access to critical data due to incorrect authorization (CWE-863).

AC-6 Least Privilege (prevent)
Enforces least privilege to limit the scope of access and actions available to low-privileged users, reducing the potential impact of the authorization bypass vulnerability.
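As an added illustration (not Oracle's code and not the actual flaw, whose mechanics the advisory does not disclose), the following shows the general shape of a CWE-863 bug in a web handler beside the check that AC-3 and AC-6 call for: a handler that lets any authenticated caller act on any record by supplying its id, versus one that loads the record and then verifies both the caller's role and the record's ownership before mutating it. All names (User, Lease, LeaseStore, the handler functions) and the scenario data are hypothetical and constructed for the example.

```python
# Added illustration, not Oracle code: the general shape of CWE-863
# (Incorrect Authorization) and the object-level check that AC-3 / AC-6
# require. All names and data are hypothetical.
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a caller is authenticated but not authorized for an action."""


@dataclass
class User:
    name: str
    org: str                              # tenant / operating unit the user belongs to
    roles: set = field(default_factory=set)


@dataclass
class Lease:
    lease_id: int
    org: str                              # tenant that owns the record
    amount: float


class LeaseStore:
    """Constructed in-memory stand-in for the application's data layer."""

    def __init__(self, leases):
        self._leases = {lease.lease_id: lease for lease in leases}

    def get(self, lease_id: int) -> Lease:
        return self._leases[lease_id]


# Role -> permissions. Deny by default: anything not listed is not allowed (AC-6).
ROLE_PERMISSIONS = {
    "lease_viewer": {"lease:read"},
    "lease_admin": {"lease:read", "lease:update"},
}


def permissions_of(user: User) -> set:
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def update_amount_vulnerable(store: LeaseStore, user: User, lease_id: int, amount: float) -> Lease:
    """CWE-863: the handler treats 'logged in' as 'authorized'. Any low-privileged
    user who can guess or enumerate a lease_id can modify that lease."""
    lease = store.get(lease_id)
    lease.amount = amount
    return lease


def authorize(user: User, action: str, lease: Lease) -> None:
    """AC-3 access enforcement on the loaded object: the caller must hold the
    permission for the action (role check) AND the record must belong to the
    caller's org (ownership check). Failures raise instead of returning a flag,
    so a forgotten `if` cannot silently allow the action."""
    if action not in permissions_of(user):
        raise AuthorizationError(f"{user.name} lacks {action}")
    if lease.org != user.org:
        raise AuthorizationError(
            f"{user.name} ({user.org}) may not touch lease {lease.lease_id} ({lease.org})")


def update_amount_hardened(store: LeaseStore, user: User, lease_id: int, amount: float) -> Lease:
    """Same operation, with the authorization decision made on the loaded record
    before any mutation."""
    lease = store.get(lease_id)
    authorize(user, "lease:update", lease)
    lease.amount = amount
    return lease


def demo() -> dict:
    """Constructed scenario: a low-privileged user from another tenant, a viewer
    in the right tenant, an admin from the wrong tenant and a legitimate admin
    each try to rewrite one lease. Returns what each handler did."""
    store = LeaseStore([Lease(1001, org="ACME", amount=50_000.0)])
    outsider = User("mallory", org="OTHER", roles={"lease_viewer"})
    viewer = User("bob", org="ACME", roles={"lease_viewer"})
    foreign_admin = User("eve", org="OTHER", roles={"lease_admin"})
    admin = User("alice", org="ACME", roles={"lease_admin"})

    results = {"vulnerable_outsider": update_amount_vulnerable(store, outsider, 1001, 1.0).amount}
    store = LeaseStore([Lease(1001, org="ACME", amount=50_000.0)])  # reset after the bug fires
    for label, user in (("outsider", outsider), ("viewer", viewer),
                        ("foreign_admin", foreign_admin), ("admin", admin)):
        try:
            results[f"hardened_{label}"] = update_amount_hardened(store, user, 1001, 1.0).amount
        except AuthorizationError as exc:
            results[f"hardened_{label}"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering matters: the record is loaded first so that ownership can be checked against the real object, and both checks sit in one function called by every mutating handler, which is what makes the AC-3 guarantee auditable rather than dependent on each endpoint remembering its own `if`.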

References

Oracle Critical Patch Update Advisory, July 2025: https://www.oracle.com/security-alerts/cpujul2025.html