CVE-2025-21524
published 2025-01-21CVE-2025-21524: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC). Supported versions that are…
PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.74%
49.9th percentile
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | jd_edwards_enterpriseone_tools | < 9.2.9.0 | 9.2.9.0 |
| oracle_corporation | jd_edwards_enterpriseone_tools | >= * < 9.2.9.0 | 9.2.9.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →The vulnerability affects JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0, exploitable over HTTP by an unauthenticated remote attacker targeting the Monitoring and Diagnostics SEC component. Detection should focus on anomalous unauthenticated HTTP requests to JD Edwards EnterpriseOne Tools Monitoring and Diagnostics endpoints. ↗
- →Monitor for successful exploitation indicators such as unexpected process execution, privilege escalation, or full system takeover originating from the JD Edwards EnterpriseOne Tools service, consistent with a CVSS 9.8 unauthenticated network attack. ↗
- ·Only JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0 are affected. Patching to 9.2.9.0 or later remediates the vulnerability. ↗
- ·The vulnerability is exploitable with no authentication and no user interaction required (PR:N/UI:N), meaning any network-accessible JD Edwards instance is at risk without additional access controls. ↗
- ·The affected component is specifically the Monitoring and Diagnostics SEC subcomponent of JD Edwards EnterpriseOne Tools, communicated via HTTP. Network segmentation or firewall rules restricting HTTP access to this component can reduce exposure. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_oracle9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Oracle
Oracle Oracle JD Edwards Risk Matrix: Monitoring and Diagnostics SEC — CVE-2025-21524
vendor_oracle·2025-01-15·CVSS 9.8
CVE-2025-21524 [CRITICAL] Oracle Oracle JD Edwards Risk Matrix: Monitoring and Diagnostics SEC — CVE-2025-21524
Oracle Oracle JD Edwards Risk Matrix: Monitoring and Diagnostics SEC vulnerability
CVE: CVE-2025-21524
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2025 (JAN 2025)
GHSA
GHSA-28rx-w98g-gmx7: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC)
ghsa_unreviewed·2025-01-21
CVE-2025-21524 [CRITICAL] CWE-306 GHSA-28rx-w98g-gmx7: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC)
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
No detection rules found.
No public exploits indexed.
Qualys
Oracle Critical Patch Update, January 2025 Security Update Review
blogs_qualys·2025-01-23
Oracle Critical Patch Update, January 2025 Security Update Review
## Table of Contents
Qualys QID Coverage
Notable Oracle Vulnerabilities Patched
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
Oracle released its first quarterly edition of this year’s Critical Patch Update, which received patches for 318 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 85 constituting about 27% of the total patches released. Oracle MySQL and Oracle Financial Services Applications followed,
Qualys
Oracle Critical Patch Update, January 2025 Security Update Review | Qualys
blogs_qualys·2025-01-23
Oracle Critical Patch Update, January 2025 Security Update Review | Qualys
#### Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle released its first quarterly edition of this year’s Critical Patch Update, which received patches for 318 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 85 constituting about 27% of the total patches released. Oracle MySQL and Oracle Financial Services Applications fol
2025-01-21
Published