CVE-2025-50060
Published: 15 July 2025
Summary
CVE-2025-50060 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle BI Publisher. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 33.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws like CVE-2025-50060 via patching, as detailed in Oracle's Critical Patch Update.
- AC-3 (Access Enforcement): enforces approved access control policies and procedures, directly addressing the improper access control (CWE-284) that enables unauthorized data creation, deletion, modification, and access.
- Least Privilege: limits privileges to the minimum necessary, mitigating the impact of low-privileged (PR:L) attackers exploiting the vulnerability to access or modify critical data.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
The improper access control vulnerability in the Oracle BI Publisher web server directly enables remote exploitation of a public-facing application for unauthorized data access and modification.
NVD Description
Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 7.6.0.0.0, 8.2.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle BI Publisher accessible data as well as unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Deeper analysis
CVE-2025-50060 is a vulnerability in the Web Server component of Oracle BI Publisher, which is part of the Oracle Analytics product. The affected supported versions are 7.6.0.0.0, 8.2.0.0.0, and 12.2.1.4.0. This easily exploitable issue, associated with CWE-284 (Improper Access Control), has a CVSS 3.1 Base Score of 8.1, with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating high confidentiality and integrity impacts but no availability impact.
A low-privileged attacker with network access via HTTP can exploit this vulnerability to compromise Oracle BI Publisher. Successful exploitation allows unauthorized creation, deletion, or modification of critical data or all Oracle BI Publisher accessible data, as well as unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data.
Oracle has addressed this vulnerability in its Critical Patch Update for July 2025, with details available at https://www.oracle.com/security-alerts/cpujul2025.html. Security practitioners should review the advisory for specific patch instructions and apply updates to affected versions promptly.
Details
- CWE(s)