CVE-2025-30724: 
Oracle Analytics Publisher vulnerability analysis and mitigation

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). The vulnerability affects supported versions 7.6.0.0.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher. The vulnerability was discovered and reported by Jean-Michel Huguet of NATO Cyber Security Centre (NCSC) and was disclosed on April 15, 2025 (Oracle CPU, NVD).

The vulnerability has been assigned a CVSS 3.1 Base Score of 7.5 (High severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and primarily impacts confidentiality (NVD).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. The high confidentiality impact indicates that attackers could potentially access sensitive information stored within the system (NVD).

Oracle has released patches for the affected versions (7.6.0.0.0 and 12.2.1.4.0) as part of the April 2025 Critical Patch Update. Oracle strongly recommends that customers apply the Critical Patch Update patches as soon as possible due to the threat posed by successful attacks (Oracle CPU).