Skip to main content

Oracle Java SE CVE-2025-53057

MEDIUM
Improper Access Control (CWE-284)
2025-10-21 secalert_us@oracle.com
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 13:33 vuln.today
CVE Published
Oct 21, 2025 - 20:20 nvd
MEDIUM 5.9

DescriptionCVE.org

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

AnalysisAI

Improper access control in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated remote attackers to create, delete, or modify critical data when APIs in the Security component are exposed via web services or similar mechanisms. The vulnerability affects Java 8u461 through 25 and carries a CVSS 5.9 with high integrity impact, though exploitation is difficult (AC:H) and no public exploit or active KEV status has been confirmed.

Technical ContextAI

This vulnerability resides in the Security component of Oracle Java SE and its GraalVM variants, classified as CWE-284 (Improper Access Control). The flaw allows unauthorized modification of protected resources when Java APIs are invoked through external interfaces such as web services that accept untrusted input. The vulnerability applies to all Java deployment modes: standard server/desktop JVMs, GraalVM distributions, and sandboxed Java Web Start or applet environments. The network-accessible nature (AV:N) suggests the vulnerability can be triggered remotely when Java code processes data from external sources without proper authorization checks.

RemediationAI

Apply the October 2025 Oracle Critical Patch Update (CPU) as documented in https://www.oracle.com/security-alerts/cpuoct2025.html. For Java SE 8, upgrade to version 8u471 or later; Java SE 11 users should update to 11.0.29 or later; Java SE 17 users to 17.0.17 or later; Java SE 21 users to 21.0.9 or later; Java SE 25 users to 25.0.1 or later. GraalVM for JDK users should patch to the next available release. GraalVM Enterprise Edition users should contact Oracle for patched versions beyond 21.3.15. As a compensating control, restrict network access to Java applications and web services that invoke Security component APIs, limiting exposure to trusted internal networks only. Disable Java Web Start and applet functionality in browsers if not strictly required, as sandboxed deployments remain vulnerable until patched. Monitor API call patterns for unusual authorization requests.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/manager/5.0/x86_64/server-attestation:5.0.6.6.33.1 Affected
Container suse/manager/5.0/x86_64/server:5.0.6.7.36.2 Container suse/multi-linux-manager/5.1/x86_64/server:5.1.1.1.8.10.2 Image server-image Affected
Container suse/multi-linux-manager/5.1/x86_64/server-attestation:5.1.1.1.8.12.1 Image server-attestation-image Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-4.8 Container suse/sl-micro/6.0/toolbox:13.2-9.1 Image SL-Micro Affected
Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Affected

Share

CVE-2025-53057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy