CVE-2025-30744
Published: 15 July 2025
Summary
CVE-2025-30744 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Oracle Mobile Field Service. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2025-30744 by requiring identification, reporting, and correction of the specific flaw in the Multiplatform Sync Errors component via timely patching as advised in the Oracle Critical Patch Update.
- Enforces approved authorizations for access to Oracle Mobile Field Service data, directly countering the improper authorization (CWE-863) that allows low-privileged attackers to create, delete, modify, or access critical data.
- Limits low-privileged users to only necessary accesses in Oracle Mobile Field Service, reducing the blast radius of unauthorized data operations even if authorization enforcement is bypassed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing Oracle E-Business Suite web component (HTTP-accessible) with improper authorization (CWE-863) directly enables remote exploitation for unauthorized data access and manipulation.
NVD Description
Vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite (component: Multiplatform Sync Errors). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Mobile Field Service. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Mobile Field Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Mobile Field Service accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Deeper analysis
CVE-2025-30744 is a vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite, specifically affecting the Multiplatform Sync Errors component. Supported versions impacted by this issue range from 12.2.3 to 12.2.13. The vulnerability carries a CVSS 3.1 base score of 8.1, with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, and is associated with CWE-863. It was published on 2025-07-15.
A low-privileged attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle Mobile Field Service. Successful attacks enable unauthorized creation, deletion, or modification of critical data or all data accessible within Oracle Mobile Field Service, along with unauthorized access to critical data or complete access to all such data. The impacts focus on high confidentiality and integrity effects, with no availability impact.
Mitigation details are provided in the Oracle Critical Patch Update advisory for July 2025, available at https://www.oracle.com/security-alerts/cpujul2025.html.
Details
- CWE(s)