Karl.Fail

Category: vulnerabilities

  • Critical Authorization Flaw in Oracle Agile PLM Framework (CVE-2025-21556)

    Overview

    A critical vulnerability identified as CVE-2025-21556 affects Oracle Agile PLM Framework, a core component of Oracle Supply Chain software. This flaw, located in the Agile Integration Services module, allows a low-privileged attacker with network access via HTTP to fully compromise the system. The vulnerability is categorized under CWE-863: Incorrect Authorization.

    Technical Details

    This vulnerability exists due to improper authorization logic within the Oracle Agile PLM Framework. Exploiting the flaw does not require user interaction and can be performed remotely. Once exploited, the attacker may gain control over the entire Agile PLM environment.

    Although the issue originates in the PLM Framework, successful attacks may impact other integrated Oracle applications, indicating a scope change in the attack surface.

    CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    • Base Score: 9.9 (Critical)
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, Availability: High

    Affected Versions

    The vulnerability affects the following version of Oracle Agile PLM Framework:

    • Version 9.3.6

    Mitigation and Recommendations

    Oracle has addressed the issue in its January 2025 Critical Patch Update. Organizations using Agile PLM Framework should:

    • Apply the latest patches immediately.
    • Restrict HTTP access to trusted network sources only.
    • Review authorization policies and configurations across the PLM deployment.
    • Monitor logs for unusual access patterns or privilege escalation attempts.

    Conclusion

    CVE-2025-21556 is a prime example of how flawed authorization mechanisms can expose enterprise software to full system compromise. Given its low complexity and severe impact, remediation should be treated as a high priority by organizations relying on Oracle’s Agile PLM solutions.

  • Critical Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298)

    Overview

    CVE-2025-21298 is a critical vulnerability in Microsoft Windows related to the Object Linking and Embedding (OLE) technology. The flaw enables remote code execution (RCE) through a ‘use-after-free’ condition, classified under CWE-416. This vulnerability impacts a wide range of Windows operating systems and server editions, making it one of the most severe security issues addressed in early 2025.

    Technical Details

    The root cause of this vulnerability lies in improper memory management during the handling of OLE objects. An attacker can exploit a use-after-free error to execute arbitrary code in the context of the user running the affected application. The attack vector is remote and does not require prior authentication or user interaction.

    The vulnerability is identified by the following CVSS v3.1 vector:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    • Base Score: 9.8 (Critical)
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    Affected Systems

    This vulnerability affects a broad set of Windows versions, including:

    • Windows 10 (various builds from 1507 to 22H2)
    • Windows 11 (22H2, 23H2, 24H2)
    • Windows Server (2008 SP2, 2012, 2016, 2019, 2022, 2025)

    Mitigation and Recommendations

    • Apply security updates released in the January 2025 Patch Tuesday immediately.
    • Restrict OLE functionality where not needed, especially in environments handling untrusted content.
    • Monitor systems for signs of exploitation, particularly for abnormal memory access patterns or unexpected OLE behaviors.

    Conclusion

    CVE-2025-21298 demonstrates the persistent threat of memory safety vulnerabilities in complex, legacy components like OLE. Organizations must apply updates promptly and evaluate mitigation controls for high-risk environments.

    For more details, see the official Microsoft advisory: MSRC: CVE-2025-21298

  • Critical Remote Takeover Vulnerability in JD Edwards EnterpriseOne Tools (CVE-2025-21524)

    Overview

    CVE-2025-21524 is a critical vulnerability discovered in Oracle’s JD Edwards EnterpriseOne Tools, specifically in the Monitoring and Diagnostics SEC component. This flaw allows unauthenticated attackers with network access via HTTP to completely compromise affected systems.

    Technical Details

    The vulnerability is rooted in missing authentication checks for critical functions, as classified under CWE-306: Missing Authentication for Critical Function. An attacker can exploit the issue by sending crafted HTTP requests to the application without requiring any user credentials or interaction.

    Once exploited, the attacker gains full control over JD Edwards EnterpriseOne Tools, including the ability to manipulate data, access sensitive information, and disrupt business operations through service compromise.

    Severity and CVSS

    The vulnerability has been assessed with a CVSS v3.1 base score of 9.8 (Critical). The associated vector string is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality, Integrity, and Availability Impact: High

    This configuration indicates the vulnerability is easily exploitable and highly impactful, making it an urgent risk for organizations running affected systems.

    Affected Versions

    All versions of JD Edwards EnterpriseOne Tools prior to 9.2.9.0 are impacted by this vulnerability.

    Mitigation and Recommendations

    • Upgrade to version 9.2.9.0 or later immediately.
    • Ensure HTTP access to JD Edwards environments is restricted to trusted networks.
    • Review system logs and configurations for signs of exploitation or abnormal behavior.
    • Conduct a broader security audit of exposure points in JD Edwards deployments.

    Conclusion

    CVE-2025-21524 highlights the dangers of missing authentication mechanisms in critical enterprise software. Oracle has addressed the issue in its January 2025 Critical Patch Update. Organizations using JD Edwards must prioritize this update to protect their environments from full system compromise.

    For official details, refer to Oracle’s advisory: Oracle CPU January 2025

  • Critical Remote Takeover Vulnerability in Oracle WebLogic Server (CVE-2025-21535)

    Overview

    CVE-2025-21535 is a critical vulnerability impacting Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw allows unauthenticated attackers with network access via T3 or IIOP protocols to fully compromise vulnerable systems without user interaction.

    Technical Details

    This vulnerability resides in the Core component of WebLogic Server and is categorized under CWE-306: Missing Authentication for Critical Function. The issue enables attackers to send specially crafted requests to execute arbitrary operations on the server, resulting in complete system takeover.

    The attack does not require credentials or any user interaction. Exploitation is possible over the network, making this vulnerability especially dangerous in exposed environments or misconfigured systems.

    CVSS Score and Severity

    The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical). The vector string is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High on confidentiality, integrity, and availability

    Affected Versions

    • Oracle WebLogic Server 12.2.1.4.0
    • Oracle WebLogic Server 14.1.1.0.0

    Both versions are vulnerable and require immediate remediation.

    Mitigation and Recommendations

    • Apply the patches provided in Oracle’s January 2025 Critical Patch Update (CPU) without delay.
    • Restrict external access to T3 and IIOP protocols at the network perimeter.
    • Monitor logs for signs of unauthorized access or suspicious activity targeting WebLogic services.

    Conclusion

    CVE-2025-21535 represents a highly exploitable vulnerability with the potential for full remote takeover of WebLogic Server instances. Given the critical nature of this flaw and its network accessibility, organizations using the affected versions must act urgently to secure their systems.

    For more information, consult the official Oracle advisory: Oracle CPU January 2025

  • Critical Vulnerability in Oracle Hospitality OPERA 5 (CVE-2025-21547)

    Overview

    CVE-2025-21547 is a critical vulnerability affecting multiple versions of Oracle Hospitality OPERA 5, specifically within the Opera Servlet component. This flaw allows unauthenticated remote attackers to compromise the system through HTTP, potentially leading to full access to sensitive data or denial-of-service (DoS) conditions.

    Technical Details

    The vulnerability exists in the way OPERA 5 handles HTTP requests within its servlet architecture. An attacker can exploit the flaw without authentication and with minimal complexity, simply by sending specially crafted HTTP requests over the network. The issue allows:

    • Unauthorized access to critical or complete OPERA 5 data
    • Remote execution of requests that can cause service hangs or repeatable crashes (DoS)

    This vulnerability is classified under CWE-400: Uncontrolled Resource Consumption, indicating that it may allow attackers to overwhelm the application’s resources, affecting availability and performance.

    Severity and CVSS

    The vulnerability is rated 9.1 (Critical) on the CVSS v3.1 scale. The CVSS vector is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality Impact: High
    • Availability Impact: High

    Affected Versions

    The following versions of Oracle Hospitality OPERA 5 are affected:

    • 5.6.19.20
    • 5.6.25.8
    • 5.6.26.6
    • 5.6.27.1

    All these versions are susceptible to the vulnerability and require immediate patching.

    Mitigation and Recommendations

    Oracle has released patches as part of its January 2025 Critical Patch Update (CPU). Organizations using affected versions should:

    • Apply the latest Oracle CPU updates without delay.
    • Restrict HTTP access to the OPERA 5 application from untrusted networks.
    • Monitor network traffic and logs for abnormal behavior or exploitation attempts.

    Conclusion

    CVE-2025-21547 underscores the importance of timely patch management and secure application deployment, particularly in the hospitality sector where sensitive data and high availability are critical. Organizations running Oracle Hospitality OPERA 5 should take immediate action to mitigate the risk.

    More information is available in the official Oracle advisory: Oracle CPU January 2025

  • Critical Privilege Escalation in Azure AI Face Service (CVE-2025-21415)

    Overview

    CVE-2025-21415 exposes a critical vulnerability in Microsoft’s Azure AI Face Service, a cloud-based biometric recognition platform. The flaw allows an authorized attacker to bypass authentication through spoofing techniques, resulting in elevation of privilege over the network.

    Technical Details

    This vulnerability is classified under CWE-290: Authentication Bypass by Spoofing. It enables a threat actor with existing access to manipulate the authentication flow, impersonating users or services without proper verification.

    Once successful, the attacker can perform actions with elevated permissions, potentially gaining control over sensitive identity services and AI-powered applications that rely on the Face API. This is particularly concerning in multi-tenant environments and systems integrated with other Azure security mechanisms.

    CVSS Score and Severity

    According to CVSS v3.1, the vulnerability has a base score of 9.9 (Critical). The vector string is:

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Impact: High on confidentiality, integrity, and availability

    These attributes indicate that the attack is easy to execute, requires minimal privileges, and could have cascading effects across service boundaries.

    Affected Systems

    The vulnerability affects all deployments of the Azure AI Face Service, with no specific versioning due to its nature as a hosted cloud service.

    Mitigation and Recommendations

    • Microsoft has issued updates and mitigations through the Azure platform. Customers should verify that their instance of the Face Service is operating with the latest security patches.
    • Audit access control and authentication logs for anomalies related to identity spoofing or privilege escalation.
    • Ensure strict role-based access controls (RBAC) and multi-factor authentication (MFA) are in place across dependent Azure resources.

    Conclusion

    CVE-2025-21415 is a stark reminder that even cloud-native AI services can be susceptible to privilege escalation via authentication bypass. Organizations using Azure’s Face API should act promptly to secure their deployments and validate trust boundaries within their identity architectures.

    For more details, refer to Microsoft’s official advisory: MSRC: CVE-2025-21415

  • Critical Elevation of Privilege via NTLMv1 in Windows (CVE-2025-21311)

    Overview

    CVE-2025-21311 is a critical vulnerability in Microsoft’s implementation of the NTLM version 1 (NTLMv1) authentication protocol. This flaw permits an attacker to gain elevated privileges through network-based exploitation, impacting various supported versions of Windows, including Windows Server 2025 and Windows 11 24H2.

    Technical Details

    The vulnerability stems from an incorrect implementation of authentication algorithms, categorized under CWE-303: Incorrect Implementation of Authentication Algorithm. Specifically, the use of the outdated and insecure NTLMv1 allows attackers to craft or intercept authentication messages, potentially leading to privilege escalation.

    Unlike its successor NTLMv2, NTLMv1 lacks modern cryptographic protections and is more susceptible to relay attacks and credential manipulation. This vulnerability is especially dangerous in domain environments where NTLM is still supported for backward compatibility.

    CVSS Score and Severity

    This vulnerability has been assessed with a CVSS v3.1 base score of 9.8 (Critical), with the following vector:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    This combination indicates that the flaw is easily exploitable and can cause significant harm if leveraged by a malicious actor.

    Affected Systems

    • Windows Server 2025 (x64, Server Core) – Versions before 10.0.26100.2894
    • Windows Server 2022, 23H2 Edition – Versions before 10.0.25398.1369
    • Windows 11 24H2 (ARM64 & x64) – Versions before 10.0.26100.2894

    Mitigation and Recommendations

    Microsoft has addressed this vulnerability in cumulative updates released after January 2025. Organizations should:

    • Ensure systems are updated to the latest security patches.
    • Disable NTLMv1 wherever possible and enforce the use of NTLMv2 or Kerberos for authentication.
    • Audit authentication logs for anomalous NTLM traffic.

    Conclusion

    CVE-2025-21311 highlights the critical risks of legacy protocol support in modern systems. NTLMv1 has long been deprecated, and its continued use poses serious security threats. Organizations must act quickly to update systems and eliminate NTLMv1 reliance to prevent exploitation.

    For more details, refer to the official Microsoft advisory: MSRC: CVE-2025-21311

  • Critical Privilege Escalation in Argo Events via EventSource and Sensor CR (CVE-2025-32445)

    Overview

    CVE-2025-32445 reveals a critical security flaw in Argo Events, an event-driven workflow automation framework for Kubernetes. The vulnerability allows users with limited privileges to escalate access and gain control over the host system and the entire Kubernetes cluster.

    Technical Details

    The issue arises from the way EventSource and Sensor custom resources (CRs) are handled. Users with permission to create or modify these resources can manipulate the spec.template and spec.template.container fields—based on the k8s.io/api/core/v1.Container type.

    This means arbitrary container properties, such as command, args, securityContext, and volumeMount, can be specified. By crafting malicious CRs, an attacker could launch pods with elevated privileges, enabling host-level access and control over the cluster.

    The vulnerability is categorized under CWE-250: Execution with Unnecessary Privileges. It demonstrates how insufficient restriction on customization of Kubernetes resources can expose systems to severe privilege escalation risks.

    Severity and CVSS

    According to the CVSS 3.1 scoring system, this vulnerability has a base score of 10.0 (Critical), indicating maximum severity. The CVSS vector is:

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, Availability: High

    This indicates a low barrier to exploitation with a highly impactful result, making immediate remediation essential.

    Affected Versions

    This vulnerability affects all versions of Argo Events prior to v1.9.6. The issue has been fixed in version 1.9.6, which introduces stricter controls around custom resource specifications.

    Recommendations

    • Upgrade to Argo Events v1.9.6 or later immediately.
    • Review user permissions for EventSource and Sensor CRs to ensure only trusted users can modify them.
    • Audit existing CR definitions for signs of abuse or unexpected configurations.

    Conclusion

    CVE-2025-32445 exemplifies how misconfigured permissions and overly flexible resource definitions in Kubernetes environments can lead to critical privilege escalation. Organizations using Argo Events should treat this vulnerability as a high-priority security concern and act swiftly to secure their clusters.

    More details can be found in the official advisory: GitHub Security Advisory

  • Critical SQL Injection Vulnerability in TCMAN GIM v11 (CVE-2025-40623)

    Overview

    A critical SQL injection vulnerability, identified as CVE-2025-40623, has been discovered in version 11 of TCMAN’s GIM platform. This flaw allows unauthenticated attackers to manipulate database queries, potentially granting access to read, modify, or delete all information stored in the system.

    Technical Details

    The vulnerability stems from improper handling of input within the createNotificationAndroid endpoint. Specifically, the Sender and email parameters do not sanitize user-supplied data before incorporating it into SQL statements. This allows attackers to inject arbitrary SQL commands directly into database queries.

    This issue is categorized under CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’). It represents one of the most dangerous forms of web application vulnerabilities, often leading to full system compromise when exploited.

    Severity and CVSS

    According to CVSS version 4.0, this vulnerability carries a base score of 9.3 (Critical), with the vector string:

    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact on Confidentiality, Integrity, and Availability: High

    This combination of characteristics indicates that the vulnerability is easy to exploit and extremely dangerous in scope.

    Affected Software

    The vulnerability affects TCMAN GIM version 11. No other versions were explicitly listed as vulnerable.

    Mitigation and Solution

    The issue has been addressed by the vendor in version 1280 of GIM. Users and administrators are strongly advised to:

    • Update their GIM installation to version 1280 or later.
    • Restrict public access to vulnerable endpoints where possible.
    • Monitor application logs for suspicious activity targeting the createNotificationAndroid API.

    Conclusion

    CVE-2025-40623 highlights the critical risk posed by SQL injection vulnerabilities, especially in systems exposed to the internet. Organizations using TCMAN’s GIM platform should urgently review their deployment and patch any affected instances to protect sensitive data and maintain operational integrity.

    More details can be found in the official advisory by INCIBE: INCIBE CERT Advisory.

  • Critical Sandbox Escape in Google Cloud Application Integration (CVE-2025-0982)

    Overview

    A critical vulnerability identified as CVE-2025-0982 affects the JavaScript Task feature in Google Cloud Application Integration. The flaw allows attackers to escape the sandbox environment and execute arbitrary, unsandboxed code through crafted JavaScript executed by the Rhino engine.

    Technical Details

    This vulnerability is classified under CWE-829: Inclusion of Functionality from Untrusted Control Sphere. It arises from the use of Rhino, an open-source JavaScript engine implemented in Java, which failed to enforce proper sandboxing in Application Integration’s JavaScript Tasks.

    When malicious JavaScript code is injected into the task feature, it can bypass expected security restrictions and interact directly with the underlying system in ways that violate the sandbox boundaries. This functionality bypass is also categorized under CAPEC-554.

    Severity and CVSS Score

    The vulnerability has been assigned a CVSS 4.0 base score of 9.4 (Critical), with the following vector string:

    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

    • Attack Vector: Network
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality & Integrity Impact: High
    • Availability Impact: None

    Although the attack requires a high level of sophistication, no user interaction or prior privileges are needed, which increases the severity from an exposure perspective.

    Mitigation and Vendor Response

    Google has addressed this issue by deprecating the use of the Rhino engine in Application Integration, effective January 24, 2025. No additional mitigation steps are required, and the transition away from Rhino eliminates the vulnerable component from the platform.

    Recommendations

    • Ensure your environment is not relying on outdated or unsupported JavaScript execution engines like Rhino.
    • Confirm that Application Integration environments have transitioned away from Rhino as per Google’s release notes.
    • Avoid including untrusted code in integration workflows or task definitions, even in sandboxed environments.

    Conclusion

    CVE-2025-0982 demonstrates how deeply integrated third-party engines like Rhino can become a liability when not adequately sandboxed. While Google has acted preemptively by removing support, users must verify that their systems are updated accordingly to avoid lingering exposure.

    For additional details, review the official documentation from Google:

    Release Notes – January 23, 2025