CVE-2025-21524

Critical

Published: 21 January 2025

Published

21 January 2025

Modified

17 March 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0118 78.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Security Summary

CVE-2025-21524 is a vulnerability in the Monitoring and Diagnostics SEC component of the JD Edwards EnterpriseOne Tools product from Oracle JD Edwards. Supported versions affected are those prior to 9.2.9.0.

The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP. Successful exploitation allows the attacker to compromise JD Edwards EnterpriseOne Tools, resulting in a takeover with high impacts to confidentiality, integrity, and availability. It has a CVSS 3.1 base score of 9.8, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and is associated with CWE-306.

The Oracle Critical Patch Update for January 2025 provides details on patches and mitigation at https://www.oracle.com/security-alerts/cpujan2025.html.

Details

CWE(s): CWE-306

Affected Products

oracle

jd edwards enterpriseone tools

≤ 9.2.9.0

References

https://www.oracle.com/security-alerts/cpujan2025.html
Vendor Advisory · secalert_us@oracle.com