CVE-2025-21492

4.9 MEDIUM

📋 TL;DR

This vulnerability in the Optimizer component of MySQL Server lets a high-privileged attacker with network access to the server crash or hang it, a denial of service (CVSS 3.1 base score 4.9: network vector, low attack complexity, high privileges required, no user interaction, availability impact only). Affected releases are MySQL 8.0.36 and earlier plus 8.4.0. The trigger needs an administrative database account, but once that account is in hand Oracle rates the bug as easily exploitable.

💻 Affected Systems

Products:
  • Oracle MySQL Server
Versions: 8.0.36 and prior, plus 8.4.0
Operating Systems: All platforms running affected MySQL versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires high-privileged database account (admin/root equivalent)

📦 What is this software?

MySQL Server is Oracle's relational database server, shipped in community and commercial editions. Its optimizer is the component that chooses an execution plan for each statement, so a defect there is reached through ordinary SQL sent by a connected client rather than through any special administrative interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete unavailability of MySQL Server leading to application downtime and service disruption

🟠

Likely Case

Targeted DoS attacks against MySQL instances by malicious insiders or compromised admin accounts

🟢

If Mitigated

Limited impact: with high-privileged accounts confined to trusted hosts and the server patched, only an already-trusted administrator is in a position to trigger it

🌐 Internet-Facing: MEDIUM - Attackers need admin credentials but internet exposure increases attack surface
🏢 Internal Only: MEDIUM - Insider threats or lateral movement from compromised accounts pose risk

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle's advisory wording is "easily exploitable": no special conditions are needed beyond a high-privileged account and network reach over the server's protocols. The practical barrier is obtaining such an account, which is why the score stays at medium.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.37 and later, 8.4.1 and later

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2025.html

Restart Required: Yes

Instructions:

1. Back up the databases (and the data directory, if space allows).
2. Obtain the fixed release from Oracle or your distribution: 8.0.37 or later for the 8.0 series, 8.4.1 or later for 8.4.
3. Stop the MySQL service.
4. Install the updated packages or binaries.
5. Start the MySQL service; a restart is unavoidable because the fix is in the server binary.
6. Confirm the running version with SELECT VERSION(); as described under "How to Verify".

🔧 Temporary Workarounds

Restrict administrative access

Platform: all

Limit high-privileged MySQL accounts to trusted users and trusted source hosts. The attack needs such an account, so every admin account that can connect from any host ('%') is part of the attack surface; firewall rules for the listener ports are covered under Network segmentation below.

-- List accounts holding the SUPER privilege and the hosts they may connect from
SELECT user, host FROM mysql.user WHERE Super_priv = 'Y';
-- Restrict such an account ('admin' is a placeholder) to a trusted network instead of any host ('%')
RENAME USER 'admin'@'%' TO 'admin'@'10.0.0.%';

Network segmentation

Platform: linux

Isolate MySQL servers from untrusted networks. Oracle's "multiple protocols" wording covers both the classic protocol (port 3306) and the X Protocol listener (port 33060, enabled by default in 8.0), so apply the same rules to both ports.

# trusted_network is a placeholder: replace it with the CIDR of the hosts that need database access (e.g. 10.0.0.0/24)
# -A appends, so first check that no earlier rule already accepts port 3306 from everywhere (iptables -L INPUT -n --line-numbers)
iptables -A INPUT -p tcp --dport 3306 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

🧯 If You Can't Patch

  • Keep high-privileged accounts to the minimum, bind each to specific source hosts, and alert on logins from those accounts outside expected hours or networks
  • Put MySQL behind a database proxy that only forwards connections for administrative accounts from a bastion or management network; because the trigger is a statement from an authenticated admin, filtering ordinary application traffic does little

🔍 How to Verify

Check if Vulnerable:

Run SELECT VERSION(); and read the leading numeric triple; packaged builds append suffixes, so 8.0.36-0ubuntu0.22.04.1 still reports an affected 8.0.36. If the triple is 8.0.36 or earlier, or exactly 8.4.0, the server is vulnerable. Other series (5.7, the 8.1-8.3 innovation releases, 9.x) are not listed by this advisory either way.

Check Version:

mysql -u root -p -e 'SELECT VERSION();'

Verify Fix Applied:

After patching and restarting, confirm the version is 8.0.37+ or 8.4.1+ with SELECT VERSION(); note that VERSION() reports the running binary, not the installed package, so a server that has not been restarted still reports the old version.
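To turn the version rule above into a check that can be run against a fleet, here is an added Python example (not the page's or Oracle's code) that classifies the string returned by SELECT VERSION(). It encodes only the ranges stated on this page and reports every other series (5.7, the 8.1-8.3 innovation releases, 9.x, MariaDB builds) as "not listed" rather than as safe. The mysql client invocation and the sample version strings are assumptions and constructed inputs, respectively.

```python
import re
import subprocess
from typing import Tuple

# Affected ranges as stated on this page: 8.0.0 through 8.0.36 and exactly 8.4.0
# are vulnerable; 8.0.37+ and 8.4.1+ carry the fix. Any other series (5.7, the
# 8.1-8.3 innovation releases, 9.x, MariaDB builds) is reported as "not listed"
# rather than as safe, because this advisory says nothing about it.

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string: str) -> Tuple[int, int, int]:
    """Extract the numeric triple from SELECT VERSION() output.

    Packaged builds append suffixes such as '8.0.36-0ubuntu0.22.04.1' or
    '8.4.0-commercial'; only the leading triple matters for this check.
    """
    m = VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess(version_string: str) -> str:
    """Classify a server as 'vulnerable', 'fixed' or 'not listed' for CVE-2025-21492."""
    if "mariadb" in version_string.lower():
        return "not listed"  # different product, not covered by this advisory
    major, minor, patch = parse_version(version_string)
    if (major, minor) == (8, 0):
        return "vulnerable" if patch <= 36 else "fixed"
    if (major, minor) == (8, 4):
        return "vulnerable" if patch == 0 else "fixed"
    return "not listed"


def server_version(mysql_args=("mysql", "-N", "-B", "-e", "SELECT VERSION();")) -> str:
    """Ask a running server for its version through the mysql client.

    Credentials are expected to come from ~/.my.cnf or MYSQL_PWD rather than
    the command line; the argument list is an assumption about local setup.
    """
    out = subprocess.run(mysql_args, check=True, capture_output=True, text=True).stdout
    return out.strip()


if __name__ == "__main__":
    # Constructed sample strings covering each branch of the rule.
    for v in ("8.0.36-0ubuntu0.22.04.1", "8.0.37", "8.4.0", "8.4.1-commercial", "9.1.0"):
        print(f"{v:28s} -> {assess(v)}")
    try:
        live = server_version()
        print(f"{live:28s} -> {assess(live)}")
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"could not query a local server: {exc}")
```

Because the classification is done on the string rather than inside the database, the same function can be fed the output of a fleet inventory (for example the Version column of a `mysql -N -B -e` run over SSH) without giving the scanner any privilege beyond a plain login.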

📡 Detection & Monitoring

Log Indicators:

  • Unexpected restarts: a "mysqld got signal N" block in the error log followed by a "starting as process" line with no preceding "Shutdown complete"
  • The crash block's "Query (...)" and "Connection ID (thread ID)" lines, which name the statement the server was working on when it died; for an optimizer bug that is the trigger statement
  • Statements from high-privileged accounts that coincide with the crash; the error log does not record individual queries, so correlate through the general query log or an audit plugin
  • A hang writes nothing to the error log, so also watch for liveness probes (e.g. mysqladmin ping) timing out while the process is still alive

Network Indicators:

  • Connections from high-privileged accounts, on the classic (3306) or X Protocol (33060) listener, shortly before a crash or a period in which the server stops answering

SIEM Query:

source="mysql_error.log" AND ("got signal" OR "starting as process" OR "optimizer")

The words "crash" and "hang" rarely appear verbatim in a MySQL error log: a crash surfaces as the signal handler's "mysqld got signal N" block and the "starting as process" line of the restart that follows, and a hang produces no log line at all, so pair this search with an alert on repeated liveness-probe failures.
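The crash signature described above, run over a constructed error-log excerpt, as an added Python example (not the page's or Oracle's code). It pulls the signal number, the statement and the connection ID out of each "mysqld got signal" block and flags restarts that were not preceded by a clean "Shutdown complete". The sample log is constructed; its line layout follows the MySQL 8.0 error-log format, but the message codes (MY-0101xx) are illustrative. Mapping the connection ID back to an account is left to the general query log or an audit plugin, as the error log does not carry it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed MySQL 8.0 error-log excerpt (not a real capture). The timestamped
# lines follow the 8.0 error-log layout; the "mysqld got signal" block and its
# "Query (...)" / "Connection ID" lines are what the server's signal handler
# prints on a crash. Message codes such as MY-010116 are illustrative.
SAMPLE_LOG = """\
2025-01-21T10:14:05.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.36) starting as process 1203
2025-01-21T10:14:06.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.36'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
10:15:32 UTC - mysqld got signal 11 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
Thread pointer: 0x7f3a1c000b70
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7f3a1c0117c0): SELECT t1.a FROM t1 JOIN t2 ON t1.a = t2.b WHERE t2.c IN (SELECT c FROM t3)
Connection ID (thread ID): 42
Status: NOT_KILLED
2025-01-21T10:15:40.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.36) starting as process 1310
2025-01-21T18:00:00.000000Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.36)  MySQL Community Server - GPL.
2025-01-21T18:00:30.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.36) starting as process 1400
"""


@dataclass
class CrashEvent:
    timestamp: str          # the "HH:MM:SS UTC" prefix of the signal line
    signal: str             # signal number as printed, e.g. "11"
    query: Optional[str] = None
    connection_id: Optional[int] = None


@dataclass
class Findings:
    crashes: List[CrashEvent] = field(default_factory=list)
    unclean_restarts: List[Tuple[str, int]] = field(default_factory=list)  # (timestamp, new pid)


SIGNAL_RE = re.compile(r"^(\S+ UTC) - mysqld got signal (\d+)")
QUERY_RE = re.compile(r"^Query \(0x[0-9a-f]+\): (.*)$")
CONN_RE = re.compile(r"^Connection ID \(thread ID\): (\d+)")
START_RE = re.compile(r"^(\S+) .*starting as process (\d+)")
SHUTDOWN_RE = re.compile(r"Shutdown complete")


def analyse(log_text: str) -> Findings:
    """Scan an error log for crash blocks and restarts without a clean shutdown."""
    findings = Findings()
    seen_start = False           # the very first startup line is not a restart
    clean_shutdown_seen = False  # set by "Shutdown complete", cleared by the next start
    current: Optional[CrashEvent] = None
    for line in log_text.splitlines():
        m = SIGNAL_RE.match(line)
        if m:
            current = CrashEvent(timestamp=m.group(1), signal=m.group(2))
            findings.crashes.append(current)
            continue
        if current is not None:
            # Inside a crash block: pick up the statement and connection the handler printed.
            m = QUERY_RE.match(line)
            if m:
                current.query = m.group(1)
                continue
            m = CONN_RE.match(line)
            if m:
                current.connection_id = int(m.group(1))
                continue
        m = START_RE.match(line)
        if m:
            if seen_start and not clean_shutdown_seen:
                findings.unclean_restarts.append((m.group(1), int(m.group(2))))
            seen_start = True
            clean_shutdown_seen = False
            current = None  # a new process means the crash block is over
            continue
        if SHUTDOWN_RE.search(line):
            clean_shutdown_seen = True
    return findings


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for c in result.crashes:
        print(f"crash at {c.timestamp}: signal {c.signal}, connection {c.connection_id}, query: {c.query}")
    for ts, pid in result.unclean_restarts:
        print(f"unclean restart at {ts}: new pid {pid} with no preceding clean shutdown")
```

Feeding the output into a SIEM as two event types (crash with the extracted statement, and unclean restart) gives a far lower-noise signal than a keyword match on the raw log, and the extracted statement is what you hand to the DBA to decide whether the trigger came from an optimizer bug or from a legitimate workload.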
