PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-61748 Cert Portal CVE debrief

CVE-2025-61748 is described in the supplied advisory text as a low-severity flaw in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition libraries. The issue is network-reachable, unauthenticated, and difficult to exploit, but a successful attack could allow unauthorized modification of accessible data. The advisory also notes potential exposure through Java APIs and sandboxed Java Web Start or applet deployments. The source package includes a major metadata mismatch, however: the advisory content names Oracle Java/GraalVM, while the vendor/product fields identify Siemens SIMATIC CN 4100. Treat the scope as needing manual validation before assigning remediation ownership.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Asset owners and vulnerability managers responsible for Oracle Java SE 21.0.8 or 25, Oracle GraalVM for JDK 21.0.8, and Oracle GraalVM Enterprise Edition 21.3.15. Also relevant to teams operating network-exposed Java APIs/web services and legacy client environments that still rely on sandboxed Java Web Start or applets. Because the supplied source metadata conflicts with the advisory text, procurement, OT/IT asset, and patch teams should verify the affected product mapping before acting on it.

Technical summary

The supplied source text states that the vulnerability affects Oracle Java SE libraries, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. It carries a CVSS 3.1 base score of 3.7 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N): reachable over the network without privileges or user interaction, but with high attack complexity, so exploitation is considered difficult. The stated impact is limited to integrity: unauthorized update, insert, or delete access to some accessible data. The text also says the issue can be reached through component APIs, including via a web service supplying data to those APIs, and may apply to sandboxed Java Web Start/applet deployments that load untrusted code. The source corpus does not provide a resolved Oracle fixed-version list here, and the Siemens-labeled remediation entry appears inconsistent with the Oracle description, so vendor guidance should be confirmed against the linked official advisories.

Defensive priority

Medium if any affected Java libraries are reachable over the network or used by exposed services; otherwise Low. The CVSS score is low, but the attack surface is broad enough to warrant inventory and validation.

Recommended defensive actions

  • Inventory Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition deployments and confirm whether the affected versions named in the advisory are present.
  • Review Java-facing services, APIs, and web services that accept or process untrusted input from network clients.
  • Check whether any legacy Java Web Start or applet-based clients rely on the Java sandbox and run untrusted code.
  • Follow the official vendor advisory links for remediation guidance and apply vendor-fixed versions when confirmed.
  • Validate the product mapping in your ticketing and CMDB systems, because the supplied source metadata conflicts between Oracle Java/GraalVM content and Siemens SIMATIC product fields.
  • Monitor Java-based services for unexpected data changes while remediation is being planned and executed.

Evidence notes

The source item text explicitly says: Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition libraries are affected; supported versions include Oracle Java SE 21.0.8 and 25, Oracle GraalVM for JDK 21.0.8, and Oracle GraalVM Enterprise Edition 21.3.15. It also states the vulnerability is difficult to exploit, network-reachable, unauthenticated, and can lead to unauthorized update/insert/delete access to accessible data. The same source item also carries conflicting vendor/product metadata naming Siemens SIMATIC CN 4100 vers:intdot/<5.0, so the advisory scope should be manually validated before use in remediation workflows. Published 2026-05-12 and modified 2026-05-14 per the supplied timeline.

Official resources

This debrief is based only on the supplied CISA CSAF source item and the official links included in the corpus. The source metadata contains a product/vendor mismatch, so ownership and patch targets should be verified against the linked OEM