CVE-2025-21535

Critical

Published: 21 January 2025

Published

21 January 2025

Modified

23 June 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0100 77.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Security Summary

CVE-2025-21535 is a vulnerability in the Core component of Oracle WebLogic Server, which is part of Oracle Fusion Middleware. The supported versions affected are 12.2.1.4.0 and 14.1.1.0.0. It has been assigned CWE-306 (Missing Authentication for Critical Function) and carries a CVSS 3.1 base score of 9.8.

An unauthenticated attacker with network access via the T3 or IIOP protocols can easily exploit this vulnerability to compromise Oracle WebLogic Server. Successful exploitation enables a full takeover of the server, with high impacts to confidentiality, integrity, and availability, as reflected in the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The Oracle Critical Patch Update advisory provides details on mitigation, available at https://www.oracle.com/security-alerts/cpujan2025.html.

Details

CWE(s): CWE-306

Affected Products

oracle

weblogic server

12.2.1.4.0, 14.1.1.0.0

References

https://www.oracle.com/security-alerts/cpujan2025.html
Vendor Advisory · secalert_us@oracle.com