Login Sign Up

CVE-2025-21547

9.1 CRITICAL
Denial of Service

📋 TL;DR

This vulnerability in Oracle Hospitality OPERA 5 allows unauthenticated attackers with network access via HTTP to access sensitive data or cause denial of service. Affected systems include OPERA 5 versions 5.6.19.20, 5.6.25.8, 5.6.26.6, and 5.6.27.1.

💻 Affected Systems

Products:
  • Oracle Hospitality OPERA 5
Versions: 5.6.19.20, 5.6.25.8, 5.6.26.6, 5.6.27.1
Operating Systems: Not specified - likely multiple
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Opera Servlet component specifically

📦 What is this software?

Hospitality Opera 5 by Oracle

View all CVEs affecting Hospitality Opera 5 →

Hospitality Opera 5 by Oracle

View all CVEs affecting Hospitality Opera 5 →

Hospitality Opera 5 by Oracle

View all CVEs affecting Hospitality Opera 5 →

Hospitality Opera 5 by Oracle

View all CVEs affecting Hospitality Opera 5 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all OPERA 5 accessible data and complete system crash causing extended downtime

🟠

Likely Case

Unauthorized access to sensitive guest and operational data followed by service disruption

🟢

If Mitigated

Limited impact if network segmentation and access controls prevent HTTP access from untrusted networks

🌐 Internet-Facing: HIGH - Unauthenticated HTTP access makes internet-facing systems extremely vulnerable
🏢 Internal Only: HIGH - Even internal systems are vulnerable to any network-connected attacker

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CVSS indicates 'easily exploitable' with no authentication required

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Oracle's January 2025 Critical Patch Update for specific fixed versions

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2025.html

Restart Required: Yes

Instructions:

1. Review Oracle's January 2025 Critical Patch Update advisory 2. Apply the appropriate patch for your OPERA 5 version 3. Restart the OPERA 5 service 4. Verify the patch was successfully applied

🔧 Temporary Workarounds

Network Segmentation

all

Restrict HTTP access to OPERA 5 to only trusted networks and IP addresses

Web Application Firewall

all

Deploy WAF with rules to block suspicious HTTP requests to OPERA 5 endpoints

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP access to OPERA 5
  • Monitor for unusual HTTP traffic patterns and failed authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check OPERA 5 version against affected versions list

Check Version:

Check OPERA 5 administration interface or configuration files for version information

Verify Fix Applied:

Verify version is updated beyond affected versions and test HTTP functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Opera Servlet endpoints
  • Multiple failed authentication attempts
  • System crash or hang events

Network Indicators:

  • Unusual HTTP traffic patterns to OPERA 5 ports
  • Requests from unexpected source IPs

SIEM Query:

source="opera5" AND (http.status=500 OR http.method=POST AND http.uri contains "/servlet")

📊 Metadata

CVE ID: CVE-2025-21547
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-400
EPSS Score: 0.32% exploit probability (54.5th percentile)
Published: January 21, 2025
Last Updated: June 23, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-21547, you might also want to check these:

CVE-2024-45166 9.8

UCI IDOL2 through version 2.12 contains multiple memory corruption vulnerabilities due to improper i...

Same vulnerability type (CWE-400)
CVE-2025-61303 9.8

This vulnerability in Hatching Triage Sandbox allows malware samples to evade detection by recursive...

Same vulnerability type (CWE-400)
CVE-2024-39462 9.8

This is a Linux kernel memory corruption vulnerability in the BCM2711 DVP clock driver where array b...

Same vulnerability type (CWE-400)