Cyber Resilience

CVE-2025-50067

Critical

Published: 15 July 2025

Published
15 July 2025
Modified
24 July 2025
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0049 65.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-50067 is a critical-severity Open Redirect (CWE-601) vulnerability in Oracle Application Express. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-50067 is a vulnerability in the Strategic Planner Starter App component of Oracle Application Express. The supported versions affected are 24.2.4 and 24.2.5. It has a CVSS 3.1 base score of 9.0 (vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-601. The vulnerability was published on 2025-07-15.

A low-privileged attacker with network access via HTTP can exploit this easily exploitable vulnerability to compromise Oracle Application Express. Exploitation requires human interaction from a person other than the attacker. Successful attacks can result in takeover of Oracle Application Express, with high impacts to confidentiality, integrity, and availability. Although the vulnerability is in Oracle Application Express, the changed scope (S:C) means attacks may significantly impact additional products.

Oracle has published a security advisory for this vulnerability as part of the Critical Patch Update for July 2025, available at https://www.oracle.com/security-alerts/cpujul2025.html. Security practitioners should review the advisory for details on available patches and mitigation recommendations.

EU & UK References

Vulnerability details

Vulnerability in Oracle Application Express (component: Strategic Planner Starter App). Supported versions that are affected are 24.2.4 and 24.2.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Application Express. Successful attacks require human…

more

interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Application Express. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Open redirect (CWE-601) in a network-accessible web application (Oracle APEX) directly enables remote exploitation of a public-facing app, resulting in full compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-50105Same vendor: Oracle
CVE-2025-21565Same vendor: Oracle
CVE-2026-46821Same vendor: Oracle
CVE-2025-53037Same vendor: Oracle
CVE-2025-50060Same vendor: Oracle
CVE-2026-46823Same vendor: Oracle
CVE-2026-46839Same vendor: Oracle
CVE-2026-46819Same vendor: Oracle
CVE-2026-34310Same vendor: Oracle
CVE-2026-34297Same vendor: Oracle

Affected Assets

oracle
application express
24.2.4, 24.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2025-50067 by requiring timely remediation through application of the Oracle Critical Patch Update patch for affected Oracle Application Express versions 24.2.4 and 24.2.5.

prevent

Addresses the CWE-601 open redirect vulnerability by enforcing validation of untrusted URL inputs used in redirects within the Strategic Planner Starter App.

detect

Ensures awareness and response to the Oracle security advisory detailing CVE-2025-50067 published in the July 2025 Critical Patch Update.

References