Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61881

CVE-2025-61881: Oracle Java VM Auth Bypass Vulnerability

CVE-2025-61881 is an authentication bypass vulnerability in Oracle Java Virtual Machine affecting Database Server versions 19.3-19.28, 21.3-21.19, and 23.4-23.9. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-61881 Overview

CVE-2025-61881 is a network-accessible vulnerability in the Java Virtual Machine (Java VM) component of Oracle Database Server. Oracle disclosed the issue in the October 2025 Critical Patch Update. Affected releases include Oracle Database 19.3-19.28, 21.3-21.19, and 23.4-23.9.

The flaw allows an unauthenticated remote attacker with Oracle Net access to compromise the Java VM. Successful exploitation results in unauthorized creation, deletion, or modification of critical data accessible to the Java VM. The vulnerability maps to [CWE-284: Improper Access Control].

Critical Impact

Unauthenticated network attackers can alter or destroy data managed by the Oracle Database Java VM, undermining data integrity across affected database deployments.

Affected Products

  • Oracle Database Server Java VM 19.3 through 19.28
  • Oracle Database Server Java VM 21.3 through 21.19
  • Oracle Database Server Java VM 23.4 through 23.9

Discovery Timeline

  • 2025-10-21 - Oracle published the vulnerability in the October 2025 Critical Patch Update
  • 2025-10-21 - CVE-2025-61881 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-61881

Vulnerability Analysis

The vulnerability resides in the Java VM component embedded within Oracle Database Server. Oracle's advisory classifies the flaw as difficult to exploit but reachable across the network through the Oracle Net protocol without authentication. The impact is limited to integrity: an attacker cannot read data or induce denial of service through this specific issue, but they can create, modify, or delete data that the Java VM can access.

Because the Java VM executes stored procedures and user-defined code inside the database, integrity compromise here can extend to any object the Java VM interacts with. That includes application schemas, security metadata, and audit records depending on the deployment.

Root Cause

Oracle categorizes the underlying weakness as improper access control ([CWE-284]) within the Java VM subsystem. Access decisions that should restrict operations to authenticated principals fail under specific conditions reachable through Oracle Net, allowing an external caller to invoke integrity-impacting operations without valid credentials. Oracle has not released implementation-level details beyond the Critical Patch Update advisory.

Attack Vector

Exploitation requires network reachability to the Oracle Net listener of a vulnerable database. No user interaction and no prior privileges are required. The high attack complexity indicated by Oracle suggests the attacker must satisfy non-trivial preconditions or timing to trigger the flaw, which reduces mass-exploitation risk but does not eliminate targeted abuse.

Refer to the Oracle Security Alert - October 2025 for authoritative technical guidance.

Detection Methods for CVE-2025-61881

Indicators of Compromise

  • Unexpected CREATE, ALTER, or DROP operations executed through Java stored procedures without corresponding authenticated sessions in DBA_AUDIT_TRAIL or unified audit logs.
  • Anomalous connections to the Oracle Net listener on TCP 1521 (or configured port) originating from untrusted network segments.
  • Java VM invocations from sessions that lack matching authentication events in V$SESSION history.

Detection Strategies

  • Enable Oracle Unified Auditing for Java VM actions and review modifications to application-critical schemas.
  • Correlate listener log entries with database session audit records to identify sessions that reach the Java VM without valid authentication.
  • Compare current patch levels against Oracle's October 2025 CPU baseline using DBA_REGISTRY_SQLPATCH or OPatch lsinventory.

Monitoring Recommendations

  • Alert on integrity-changing DDL and DML issued by Java stored procedures outside approved maintenance windows.
  • Monitor Oracle Net listener connections for spikes from unusual source addresses, particularly from outside the database management network.
  • Track invocations of DBMS_JAVA and Java class loading events for behavior that deviates from application baselines.

How to Mitigate CVE-2025-61881

Immediate Actions Required

  • Apply the October 2025 Oracle Critical Patch Update to all affected 19.x, 21.x, and 23.x Database Server instances.
  • Restrict Oracle Net listener exposure to trusted management networks using firewall rules and Oracle VALID_NODE_CHECKING.
  • Inventory databases that have the Java VM component installed and prioritize patching for internet-adjacent systems.

Patch Information

Oracle addressed CVE-2025-61881 in the October 2025 Critical Patch Update. Administrators must download and apply the appropriate Release Update (RU) or bundle patch for their database version from Oracle Security Alert - October 2025. Verify successful application with SELECT * FROM DBA_REGISTRY_SQLPATCH; after installation.

Workarounds

  • If patching must be delayed, restrict network access to the Oracle Net listener using tcp.invited_nodes in sqlnet.ora to permit only known application hosts.
  • Review and revoke unnecessary EXECUTE privileges on DBMS_JAVA, DBMS_JAVA_TEST, and related Java VM packages from PUBLIC and non-essential roles.
  • Consider removing the Java VM component from databases that do not require it, using Oracle's documented rmjvm.sql procedure after impact analysis.
bash
# Configuration example: restrict Oracle Net access via sqlnet.ora
tcp.validnode_checking = yes
tcp.invited_nodes = (10.0.10.11, 10.0.10.12, appserver.internal)
tcp.excluded_nodes = (0.0.0.0/0)

# Verify patch application after CPU install
sqlplus / as sysdba <<'SQL'
SELECT PATCH_ID, ACTION, STATUS, DESCRIPTION
  FROM DBA_REGISTRY_SQLPATCH
 ORDER BY ACTION_TIME DESC;
SQL

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.