CVE-2025-30749 is a vulnerability in the 2D component of Oracle Java SE and Oracle GraalVM products, including Oracle Java SE versions 8u451, 11.0.27, 17.0.15, 21.0.7, and 24.0.1, as well as corresponding GraalVM versions. The flaw allows an unauthenticated attacker with network access to exploit the vulnerability via multiple protocols, potentially leading to a complete takeover of the Java runtime environment. The vulnerability specifically affects Java deployments that execute untrusted code within sandboxed environments, such as Java Web Start applications or sandboxed applets, which rely on the Java sandbox for security enforcement. This means that if an attacker can deliver malicious code to such a client environment, they may bypass sandbox restrictions and execute arbitrary code with the privileges of the Java process. The vulnerability does not affect server-side Java deployments that only run trusted code installed by administrators, reducing the attack surface in typical server environments. The attack complexity is high, indicating that exploitation requires specific conditions or advanced techniques, and no user interaction or authentication is required. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector, high attack complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. While no public exploits are known, the potential impact of a successful attack is severe, including full compromise of the Java runtime environment, which could lead to further system compromise or data breaches.

For European organizations, this vulnerability poses a significant risk particularly to enterprises and public sector entities that utilize client-side Java applications or legacy systems relying on Java Web Start or sandboxed applets. Successful exploitation could lead to unauthorized access, data exfiltration, or disruption of critical services. Industries such as finance, manufacturing, and government, which often use Java-based client applications or internal tools, may face increased risk. The ability to compromise the Java runtime environment can facilitate lateral movement within networks and undermine endpoint security. Although server-side deployments running only trusted code are not affected, many organizations still maintain legacy or hybrid environments where untrusted code execution is possible. The high confidentiality, integrity, and availability impact means sensitive data could be exposed or altered, and systems could be rendered inoperable, affecting compliance with GDPR and other regulations. The difficulty of exploitation somewhat mitigates immediate widespread risk, but targeted attacks against high-value European targets remain a concern.

Organizations should immediately inventory their Java deployments to identify affected versions, focusing on client-side environments running sandboxed Java Web Start applications or applets. Applying the latest Oracle patches or updates as soon as they become available is critical. Where patching is delayed, organizations should consider disabling Java Web Start and applet support in browsers and client systems to reduce exposure. Network-level controls should be implemented to restrict access to Java services and protocols that could be exploited, especially from untrusted networks. Employ application whitelisting to prevent execution of untrusted Java code and enhance endpoint detection and response (EDR) capabilities to monitor for suspicious Java process behavior. Educate users about the risks of running untrusted Java applications and enforce strict policies on software installation. For environments where legacy Java applications are necessary, consider isolating them within segmented network zones or virtual machines to contain potential compromise. Regularly review and update security configurations of Java runtimes to minimize attack surface and disable unnecessary components.