CVE-2025-21587 is a vulnerability in the Java Secure Socket Extension (JSSE) component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. It affects multiple supported versions including Java SE 8u441, 11.0.26, 17.0.14, 21.0.6, and 24, as well as GraalVM versions 17.0.14, 21.0.6, 24, and GraalVM Enterprise Edition 20.3.17 and 21.3.13. The flaw allows an unauthenticated attacker with network access to exploit APIs exposed via multiple protocols, potentially through web services that supply data to these APIs. The vulnerability can also be exploited in client-side Java deployments that run sandboxed Java Web Start applications or applets loading untrusted code, relying on the Java sandbox for security. Exploitation can result in unauthorized creation, deletion, or modification of critical data or complete access to all data accessible by the affected Java platforms. The attack complexity is high, meaning exploitation requires specific conditions or expertise, and no user interaction or privileges are needed. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates network attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, and high confidentiality and integrity impacts without affecting availability. This vulnerability corresponds to CWE-284 (Improper Access Control). No patches were listed at the time of publication, and no known exploits have been observed in the wild, but the potential impact is significant given the widespread use of Oracle Java SE and GraalVM in enterprise environments.

The vulnerability poses a significant risk to organizations worldwide that rely on Oracle Java SE and GraalVM platforms for critical applications and services. Successful exploitation can lead to unauthorized access and manipulation of sensitive data, potentially compromising the confidentiality and integrity of enterprise systems. This could result in data breaches, unauthorized transactions, or disruption of business processes that depend on Java-based applications. Since the vulnerability can be exploited remotely without authentication or user interaction, it increases the attack surface, especially for internet-facing services using vulnerable Java versions. The impact is amplified in environments where sandboxed Java Web Start applications or applets load untrusted code, as attackers could bypass sandbox restrictions. Although the attack complexity is high, skilled attackers targeting high-value assets could leverage this vulnerability to gain persistent unauthorized access or manipulate critical data. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for mitigation due to the potential severity of impact.

Organizations should immediately inventory their Java SE and GraalVM deployments to identify affected versions and prioritize upgrading to patched versions once available from Oracle. Until patches are released, restrict network access to services exposing vulnerable APIs, especially from untrusted networks. Implement strict input validation and sanitization on web services interacting with Java APIs to reduce attack vectors. For client-side Java applications, avoid running untrusted Java Web Start applications or applets, and consider disabling Java browser plugins or sandboxed execution environments where feasible. Employ network segmentation and firewall rules to limit exposure of vulnerable Java services. Monitor logs and network traffic for unusual activity targeting Java services or APIs. Engage in threat hunting for indicators of compromise related to this vulnerability. Additionally, review and harden Java security policies and configurations to minimize privileges granted to Java applications and reduce the impact of potential exploitation. Maintain up-to-date backups of critical data to enable recovery in case of data manipulation or deletion.