
CVE-2025-30691 (Oracle Corporation, Oracle Java SE): Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data as well as unauthorized read access to a subset of Oracle Java SE accessible data.

Severity: Medium
Published: Tue Apr 15 2025 (04/15/2025, 20:31:03 UTC)
Source: CVE Database V5
Vendor/Project: Oracle Corporation
Product: Oracle Java SE

Description

Vulnerability in Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data as well as unauthorized read access to a subset of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

AI-Powered Analysis

Last updated: 11/03/2025, 21:15:42 UTC

Technical Analysis

CVE-2025-30691 is a vulnerability in the Compiler component of Oracle Java SE, affecting versions 21.0.6 and 24 of Oracle Java SE and the same versions of Oracle GraalVM for JDK. The flaw allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. The attack complexity is high, meaning exploitation is difficult and likely requires detailed knowledge of the target environment and of the APIs exposed by the vulnerable component. Successful exploitation can lead to unauthorized update, insert, or delete operations on some data accessible through Oracle Java SE, as well as unauthorized read access to a subset of that data. The vulnerability is particularly relevant for Java deployments that run sandboxed Java Web Start applications or sandboxed Java applets which load and execute untrusted code and rely on the Java sandbox for security. Attackers can reach the flaw through APIs exposed by the Compiler component, for example via a web service that supplies data to those APIs. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) indicates a network attack vector, high attack complexity, no privileges or user interaction required, and low confidentiality and integrity impact with no availability impact. The vulnerability is categorized under CWE-284 (Improper Access Control). As of the publication date, no exploits are known in the wild and no official patches have been linked, though Oracle is expected to release updates. This vulnerability poses a risk to environments where Oracle Java SE is used in network-facing applications or services, especially where untrusted code execution is involved.

Potential Impact

For European organizations, the impact of CVE-2025-30691 can be significant where Oracle Java SE versions 21.0.6 or 24 are deployed, particularly in web services or applications that expose APIs to untrusted networks. Unauthorized read and write access to data can lead to data leakage, unauthorized data manipulation, and downstream effects such as data integrity issues or compliance violations under regulations like GDPR. Organizations relying on sandboxed Java Web Start applications or applets that load untrusted code are especially at risk, as the Java sandbox may be bypassed, increasing the attack surface. Although the attack complexity is high and no exploits are currently known, the vulnerability could be leveraged in targeted attacks against critical infrastructure, financial institutions, or government agencies that use Oracle Java SE in their technology stacks. The absence of an availability impact reduces the risk of service disruption but does not lessen the confidentiality and integrity concerns. Given Oracle Java SE's widespread use in enterprise environments across Europe, the vulnerability could affect a broad range of sectors including finance, manufacturing, telecommunications, and public services.

Mitigation Recommendations

European organizations should immediately inventory their use of Oracle Java SE versions 21.0.6 and 24, including Oracle GraalVM for JDK, to identify affected systems. Until official patches are released, restrict network access to services that expose the vulnerable APIs, using strict network segmentation and firewall rules to limit exposure to untrusted networks. Strengthen application-level controls to validate and sanitize all inputs reaching the Java Compiler APIs and the web services in front of them. Where possible, disable or remove Java Web Start applications and sandboxed applets that load untrusted code, or migrate to more secure deployment models. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block suspicious API calls related to the Compiler component. Monitor logs and network traffic for unusual access patterns or unauthorized data modification attempts. Finally, prepare for rapid deployment of Oracle patches once available, and test updates in controlled environments before production rollout.
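As an added example for the inventory step above (not part of this advisory or of any Oracle tooling), the following Python script classifies `java -version` banners against the two versions the entry lists as affected. The sample banners are constructed and only approximate the real output format; the exact-match rule and the Oracle-build markers are assumptions drawn from the advisory text.

```python
import re
import subprocess

# Versions the CVE-2025-30691 entry lists as affected (Oracle Java SE and
# Oracle GraalVM for JDK); exact match, so e.g. 24.0.1 is not listed.
AFFECTED_VERSIONS = {"21.0.6", "24"}

# Banner fragments identifying an Oracle build; other vendors' OpenJDK
# builds print "OpenJDK Runtime Environment" instead (assumption).
ORACLE_MARKERS = ("Java(TM) SE Runtime Environment", "Oracle GraalVM")

# Constructed sample banners in approximate `java -version` format (not
# captured from real systems), used by the self-check below.
SAMPLE_ORACLE_21 = ('java version "21.0.6" 2025-01-21 LTS\n'
                    'Java(TM) SE Runtime Environment (build 21.0.6+8-LTS-188)\n')
SAMPLE_GRAAL_24 = ('java version "24" 2025-03-18\n'
                   'Java(TM) SE Runtime Environment Oracle GraalVM 24+36.1 (build 24+36-jvmci-b01)\n')
SAMPLE_OPENJDK_21 = ('openjdk version "21.0.6" 2025-01-21 LTS\n'
                     'OpenJDK Runtime Environment (build 21.0.6+7-LTS)\n')

def parse_java_version(banner: str):
    """Return (version, is_oracle_build) parsed from `java -version` output."""
    m = re.search(r'^(?:java|openjdk) version "([^"]+)"', banner, re.MULTILINE)
    if not m:
        return None, False
    return m.group(1), any(marker in banner for marker in ORACLE_MARKERS)

def assess(banner: str) -> str:
    """Classify a banner as 'affected', 'not_listed', 'not_oracle' or 'unknown'."""
    version, is_oracle = parse_java_version(banner)
    if version is None:
        return "unknown"
    if not is_oracle:
        # Same upstream version from another vendor is outside this advisory's
        # scope: consult that vendor's advisory rather than assuming it is clean.
        return "not_oracle"
    return "affected" if version in AFFECTED_VERSIONS else "not_listed"

def assess_local_java() -> str:
    """Run the local `java -version` (it writes to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stderr + proc.stdout)

if __name__ == "__main__":
    for banner in (SAMPLE_ORACLE_21, SAMPLE_GRAAL_24, SAMPLE_OPENJDK_21):
        print(assess(banner))
    print("local java:", assess_local_java())
```

Run it on each host (or feed it collected banners) and treat any "affected" result as a patch-priority item; "not_oracle" results still need a check against that vendor's own advisory.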


Technical Details

Data Version: 5.2
Assigner Short Name: oracle
Date Reserved: 2025-03-25T20:11:18.262Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69091547c28fd46ded7bb62f

Added to database: 11/3/2025, 8:49:11 PM

Last enriched: 11/3/2025, 9:15:42 PM

Last updated: 11/5/2025, 2:13:48 PM

