CVE-2025-50067
Published: 15 July 2025
Summary
CVE-2025-50067 is a critical-severity Open Redirect (CWE-601) vulnerability in Oracle Application Express. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2025-50067 by requiring timely remediation through application of the Oracle Critical Patch Update patch for affected Oracle Application Express versions 24.2.4 and 24.2.5.
Addresses the CWE-601 open redirect vulnerability by enforcing validation of untrusted URL inputs used in redirects within the Strategic Planner Starter App.
Ensures awareness and response to the Oracle security advisory detailing CVE-2025-50067 published in the July 2025 Critical Patch Update.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Open redirect (CWE-601) in a network-accessible web application (Oracle APEX) directly enables remote exploitation of a public-facing app, resulting in full compromise.
NVD Description
Vulnerability in Oracle Application Express (component: Strategic Planner Starter App). Supported versions that are affected are 24.2.4 and 24.2.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Application Express. Successful attacks require human…
more
interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Application Express. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
Deeper analysisAI
CVE-2025-50067 is a vulnerability in the Strategic Planner Starter App component of Oracle Application Express. The supported versions affected are 24.2.4 and 24.2.5. It has a CVSS 3.1 base score of 9.0 (vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-601. The vulnerability was published on 2025-07-15.
A low-privileged attacker with network access via HTTP can exploit this easily exploitable vulnerability to compromise Oracle Application Express. Exploitation requires human interaction from a person other than the attacker. Successful attacks can result in takeover of Oracle Application Express, with high impacts to confidentiality, integrity, and availability. Although the vulnerability is in Oracle Application Express, the changed scope (S:C) means attacks may significantly impact additional products.
Oracle has published a security advisory for this vulnerability as part of the Critical Patch Update for July 2025, available at https://www.oracle.com/security-alerts/cpujul2025.html. Security practitioners should review the advisory for details on available patches and mitigation recommendations.
Details
- CWE(s)