CVE-2025-30743 in Lease and Finance Managementinfo

Summary

by MITRE • 07/15/2025

Vulnerability in the Oracle Lease and Finance Management product of Oracle E-Business Suite (component: Internal Operations). The supported version that is affected is 12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Lease and Finance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Lease and Finance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Lease and Finance Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/29/2025

This vulnerability resides within Oracle Lease and Finance Management, a critical component of the Oracle E-Business Suite that handles financial operations and lease management processes. The flaw exists in the Internal Operations component and affects version 12.2.13, which represents a widely deployed configuration in enterprise environments. The vulnerability's classification as easily exploitable indicates that attackers require minimal technical expertise and can leverage standard network-based attack vectors through HTTP protocols. This creates a significant risk profile for organizations relying on this financial management system where sensitive lease agreements, financial data, and operational records are processed and stored.

The technical nature of this vulnerability stems from insufficient access controls and authorization mechanisms within the Internal Operations module. Attackers with low privilege levels can exploit this weakness to gain unauthorized access to critical financial data and operational information. The CVSS 3.1 score of 8.1 reflects the high severity of potential impacts, with both confidentiality and integrity compromised at high levels. The vulnerability allows for unauthorized modification, deletion, and creation of data, meaning attackers could potentially alter lease terms, financial records, or operational parameters without detection. The network accessibility via HTTP means that remote exploitation is possible from any location, eliminating the need for physical access or insider knowledge of the internal network structure.

The operational impact of this vulnerability extends beyond simple data compromise, as it directly affects the integrity and availability of critical business operations within financial management systems. Organizations may face significant financial losses, regulatory compliance issues, and operational disruptions when lease agreements and financial records are modified or deleted without authorization. The potential for complete data access means that attackers could access all financial data within the system, including sensitive customer information, contractual terms, and business-critical operational data. This vulnerability could enable attackers to manipulate lease terms, alter financial reporting, or disrupt normal business operations, potentially leading to substantial financial and reputational damage.

Organizations should implement immediate mitigations including network segmentation to limit access to the affected Oracle E-Business Suite components, enforcing strict firewall rules to restrict HTTP access, and applying the vendor-provided patches as soon as they become available. Access controls should be reviewed and strengthened to ensure that only authorized personnel have appropriate privileges within the system. Monitoring and logging mechanisms should be enhanced to detect unauthorized access attempts or data modifications. The vulnerability aligns with CWE-284 (Improper Access Control) and represents a significant risk under ATT&CK framework category TA0006 (Credential Access) and TA0008 (Lateral Movement) as attackers could use this access to move laterally within the network or escalate privileges. Regular security assessments and penetration testing should be conducted to identify similar access control weaknesses in other components of the Oracle E-Business Suite environment.

Responsible

Oracle

Reservation

03/26/2025

Disclosure

07/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00322

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!