Cyber Posture

CVE-2025-50105

High

Published: 15 July 2025

Modified: 24 July 2025
KEV Added: not listed
Patch: available (Oracle Critical Patch Update, July 2025)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0014 (33.6th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-50105 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Universal Work Queue. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks at the 33.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access, directly preventing unauthorized creation, deletion, modification, and access to critical data due to improper access control in the Work Provider Administration component.

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of the specific flaw via Oracle's Critical Patch Update, comprehensively mitigating the vulnerability.

Least privilege (prevent)
Limits damage from low-privileged attackers by ensuring only the minimal authorized accesses necessary for tasks, reducing exploitation impact on critical data.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The flaw is a directly network-exploitable improper access control in a public-facing Oracle E-Business Suite web component, enabling unauthorized data access and modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Administration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Universal Work Queue accessible data as well as unauthorized access to critical data or complete access to all Oracle Universal Work Queue accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Deeper analysis

CVE-2025-50105 is a vulnerability in the Oracle Universal Work Queue product, which is part of Oracle E-Business Suite, specifically affecting the Work Provider Administration component. Supported versions impacted by this issue range from 12.2.3 to 12.2.14. The vulnerability is easily exploitable and has a CVSS 3.1 Base Score of 8.1, with impacts on confidentiality and integrity but not availability. The CVSS vector is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), and it is associated with CWE-284 (Improper Access Control).

A low-privileged attacker with network access via HTTP can exploit this vulnerability to compromise Oracle Universal Work Queue. Successful exploitation enables unauthorized creation, deletion, or modification of critical data or all data accessible by Oracle Universal Work Queue, as well as unauthorized access to critical data or complete access to all Oracle Universal Work Queue accessible data.

Oracle's Critical Patch Update for July 2025, detailed at https://www.oracle.com/security-alerts/cpujul2025.html, provides information on patches and mitigation steps for this vulnerability.

Details

CWE(s): CWE-284 Improper Access Control

Affected Products: Oracle Universal Work Queue, versions 12.2.3 through 12.2.14

CVEs Like This One

CVE-2026-34287 (same vendor: Oracle)
CVE-2026-21962 (same vendor: Oracle)
CVE-2025-50060 (same vendor: Oracle)
CVE-2026-21994 (same vendor: Oracle)
CVE-2026-21997 (same vendor: Oracle)
CVE-2026-22010 (same vendor: Oracle)
CVE-2026-34291 (same vendor: Oracle)
CVE-2026-34310 (same vendor: Oracle)
CVE-2026-35229 (same vendor: Oracle)
CVE-2026-22011 (same vendor: Oracle)

References

https://www.oracle.com/security-alerts/cpujul2025.html