| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.1 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as critical, has been found in Oracle Java SE. The impacted element is an unknown function of the component Hotspot. This manipulation causes improper authentication. This vulnerability appears as CVE-2025-21502. The attack may be initiated remotely. There is no available exploit. It is advisable to upgrade the affected component.
Details
A vulnerability has been found in Oracle Java SE (affected version unknown) and classified as critical. Affected by this vulnerability is an unknown functionality of the component Hotspot. The manipulation with an unknown input leads to a improper authentication vulnerability. The CWE definition for the vulnerability is CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
It is possible to read the advisory at oracle.com. This vulnerability is known as CVE-2025-21502 since 12/25/2024. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 10/31/2025).
The vulnerability scanner Nessus provides a plugin with the ID 214446 (Amazon Corretto Java 17.x < 17.0.14.7.1 Vulnerability), which helps to determine the existence of the flaw in a target environment.
Upgrading eliminates this vulnerability.
The vulnerability is also documented in the databases at Tenable (214446) and CERT Bund (WID-SEC-2025-0140). Be aware that VulDB is the high quality source for vulnerability data.
Affected
- Debian Linux
- Amazon Linux 2
- Open Source OpenJDK
- Red Hat Enterprise Linux
- Ubuntu Linux
- SUSE Linux
- Xerox FreeFlow Print Server
- Oracle Linux
- Hitachi Configuration Manager
- SUSE openSUSE
- RESF Rocky Linux
- NetApp ActiveIQ Unified Manager
- IBM App Connect Enterprise
- Azul Zulu
- Dell NetWorker
- Hitachi Command Suite
- Hitachi Ops Center
- Dell Avamar
- Oracle Java SE
- Oracle GraalVM
- HCL BigFix
Product
Type
Vendor
Name
License
Website
- Vendor: https://www.oracle.com
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.2VulDB Meta Temp Score: 5.1
VulDB Base Score: 5.6
VulDB Temp Score: 5.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 4.8
CNA Vector (oracle): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Improper authenticationCWE: CWE-287
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 214446
Nessus Name: Amazon Corretto Java 17.x < 17.0.14.7.1 Vulnerability
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
12/25/2024 🔍01/21/2025 🔍
01/21/2025 🔍
10/31/2025 🔍
Sources
Vendor: oracle.comAdvisory: oracle.com
Status: Confirmed
CVE: CVE-2025-21502 (🔍)
GCVE (CVE): GCVE-0-2025-21502
GCVE (VulDB): GCVE-100-292783
CERT Bund: WID-SEC-2025-0140 - Oracle Java SE: Mehrere Schwachstellen
Entry
Created: 01/21/2025 22:33Updated: 10/31/2025 15:09
Changes: 01/21/2025 22:33 (64), 01/22/2025 08:09 (2), 01/25/2025 19:32 (1), 10/31/2025 15:09 (7)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.