MEDIUM · CVE-2025-8107 · CVSS 6.3

CVE-2025-8107: Privilege Escalation in OceanBase Server

Platform

oracle (OceanBase tenant compatibility mode, not Oracle Database)

Component

oceanbase

Fixed in

3.2.4.8

4.2.1.10

4.2.5

4.3.3.2

AI Confidence: high · Source: NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2025-8107 is a privilege escalation vulnerability in OceanBase Server that applies when a tenant runs in Oracle compatibility mode. An attacker who already holds specific privileges inside such a tenant can issue crafted commands to obtain SYS-level access, the tenant's most powerful administrative identity, and from there control the whole database. Versions 3.2.4 through 4.3.4 are affected; tenants in MySQL mode are not. The fix ships in 4.3.5, and the affected-software table below lists patched point releases on the 3.2.4, 4.2.1, 4.2 and 4.3.3 lines for deployments that cannot move to 4.3.5 right away.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-8107 lets an attacker bypass the tenant's access controls and act as the SYS administrator of the Oracle-mode tenant. That is full control of everything in the tenant: reading, modifying and deleting any data, creating and dropping users and roles, granting privileges, and changing tenant configuration. A compromised SYS account is equivalent to losing the database instance. Nothing on this page describes a path from one tenant to another or to the host, and OceanBase isolates tenants from each other, but in a multi-tenant cluster a SYS-level foothold is the natural starting point for further attacks on shared infrastructure, so treat it as such. NVD scores the issue MEDIUM (6.3); within the affected tenant the outcome is nonetheless a complete administrative compromise.

Exploitation Context

CVE-2025-8107 was publicly disclosed on 2025-07-24. NVD rates it MEDIUM (CVSS 6.3): the attacker must already hold an account with specific privileges, and only Oracle-mode tenants are exposed, which narrows the population of viable attackers even though the outcome is SYS-level access. No public proof-of-concept (PoC) code had been released at the time of writing, the CVE is not listed on CISA KEV, and no active exploitation has been confirmed. Because the attacker profile is an existing database user, insider and credential-theft scenarios are the ones to watch.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.05% (15th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Base score: 6.3 (MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network: the attack is carried over the database's network-facing SQL interface; no local or physical access is needed. This says nothing about whether your OceanBase listener is reachable from the internet, and it should not be.
Attack Complexity
Low: no race condition or unusual configuration is needed, so a working attack is expected to be repeatable.
Privileges Required
Low: the attacker needs a valid account in an Oracle-mode tenant. The advisory adds that the account must already hold specific privileges, so not every authenticated user is a viable attacker; which privileges those are is not stated on this page.
User Interaction
None: no administrator or other user has to do anything for the attack to succeed.
Scope
Unchanged: NVD treats the impact as staying inside the vulnerable component, here the tenant the attacker authenticates to.
Confidentiality
Low in the NVD vector: partial or indirect data access.
Integrity
Low in the NVD vector: limited data modification.
Availability
Low in the NVD vector: partial or intermittent disruption. The three Low ratings are hard to square with SYS-level access, which in practice means reading, altering and dropping anything in the tenant; treat the 6.3 as a floor and rate the finding against the data the tenant actually holds.

Affected Software

Component: oceanbase
Vendor: OceanBase (OB)

Affected range                   Fixed in
3.2.4.x earlier than 3.2.4.8     3.2.4.8
4.2.1.x earlier than 4.2.1.10    4.2.1.10
4.2.x earlier than 4.2.5         4.2.5
4.3.3.x earlier than 4.3.3.2     4.3.3.2
4.3.4                            4.3.5 (per the summary above)
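Deciding whether a given server is affected means matching its version to the right branch in the table above, because a 4.2.1.x server is patched at 4.2.1.10 while other 4.2.x servers need 4.2.5. The following is an added example, not OceanBase tooling: it encodes the table and the 3.2.4 through 4.3.4 range from this page, and the version strings it is run on are constructed. It assumes the fixed release itself counts as patched and that MySQL-mode tenants are unaffected, as the summary states.

```python
import re

# First patched release on each branch, from the affected-software table on
# this page plus the 4.3.5 release named in the summary. The longest matching
# prefix wins, so 4.2.1.x is judged against 4.2.1.10 and other 4.2.x against 4.2.5.
FIXED_IN = {
    (3, 2, 4): (3, 2, 4, 8),
    (4, 2, 1): (4, 2, 1, 10),
    (4, 2): (4, 2, 5),
    (4, 3, 3): (4, 3, 3, 2),
    (4, 3): (4, 3, 5),
}
AFFECTED_FROM = (3, 2, 4)   # first affected release per the summary
FIXED_LINE = (4, 3, 5)      # release line that carries the fix for 4.3.4


def parse_version(text):
    """Pull a dotted version out of '4.3.3.1' or a banner such as
    'OceanBase_CE 4.3.3.1 (r1-abc)'. Assumes the first 2-5 component
    dotted number in the text is the server version."""
    m = re.search(r"\b(\d+(?:\.\d+){1,4})\b", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def cmp_versions(a, b):
    """Three-way compare of version tuples, zero-padded so 4.2.5 == 4.2.5.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def fixed_version_for(version):
    """First patched release on this version's branch, or None when the table
    lists no patched point release for it (for example 4.0.x or 4.1.x)."""
    match = None
    for prefix, fixed in FIXED_IN.items():
        if version[:len(prefix)] == prefix and (match is None or len(prefix) > len(match[0])):
            match = (prefix, fixed)
    return match[1] if match else None


def fmt(v):
    return ".".join(str(p) for p in v)


def assess(version_text, oracle_mode=True):
    """Classify one server version. oracle_mode=False models a tenant in
    MySQL compatibility mode, which the advisory says is not affected."""
    v = parse_version(version_text)
    if not oracle_mode:
        return "not affected: tenant runs in MySQL mode"
    if cmp_versions(v, AFFECTED_FROM) < 0:
        return f"outside affected range: {fmt(v)} predates 3.2.4"
    if cmp_versions(v, FIXED_LINE) >= 0:
        return f"outside affected range: {fmt(v)} is 4.3.5 or later"
    fixed = fixed_version_for(v)
    if fixed is None:
        return f"affected: no patched point release listed for {fmt(v)}; upgrade to 4.3.5 or later"
    if cmp_versions(v, fixed) >= 0:
        return f"patched: {fmt(v)} is at or above {fmt(fixed)}"
    return f"affected: upgrade {fmt(v)} to {fmt(fixed)} or later"


if __name__ == "__main__":
    # Constructed inputs, not a real inventory.
    for sample in ["3.2.4.7", "4.2.1.10", "OceanBase_CE 4.3.3.1 (r1-abc)", "4.3.4", "4.1.0"]:
        print(f"{sample:32} -> {assess(sample)}")
```

Run it against the version string reported by each server node rather than the proxy, since the fix is in OceanBase Server; a single cluster can mix tenants in both modes, so the `oracle_mode` flag has to be answered per tenant.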

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-8107 is to upgrade OceanBase Server to 4.3.5 or later, or to the patched point release for your branch listed in the affected-software table (3.2.4.8, 4.2.1.10, 4.2.5, 4.3.3.2). Until that is possible, reduce the pool of accounts that could mount the attack: the advisory requires the attacker to already hold specific privileges in an Oracle-mode tenant, so review every grant in those tenants, strip DBA and other powerful roles and system privileges from application and personal accounts, and keep administrative roles on separate, audited identities. Review audit logs for unexpected DDL, role or privilege grants, and sessions acting as SYS from non-administrative sources. A WAF is not a relevant control here, since the attack travels over the database's own SQL protocol rather than HTTP; database-side auditing of command patterns is the useful telemetry. After upgrading, confirm the running version on every server node, because this page does not publish the vulnerable commands and version verification is the only reliable check, and re-run the privilege review so that any escalation that already took place is not carried forward.
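The privilege review above is worth automating, since a user who inherits DBA through a chain of roles is easy to miss by eye. This is an added example, not OceanBase's tooling or the advisory's content: it assumes the Oracle-compatible dictionary views DBA_ROLE_PRIVS and DBA_SYS_PRIVS are available in the tenant (the two SQL strings are the assumed collection queries), the shortlist of high-risk roles and system privileges is this editor's choice rather than the set named in the advisory, and the sample rows are constructed.

```python
# Collection queries; assumption: these Oracle-compatible views exist in the tenant.
ROLE_PRIVS_SQL = "SELECT GRANTEE, GRANTED_ROLE, ADMIN_OPTION FROM DBA_ROLE_PRIVS"
SYS_PRIVS_SQL = "SELECT GRANTEE, PRIVILEGE, ADMIN_OPTION FROM DBA_SYS_PRIVS"

# Roles and system privileges that let a holder mint further privileges or
# take over accounts. A shortlist for illustration; extend it for your tenant.
HIGH_RISK_ROLES = {"DBA"}
HIGH_RISK_SYS_PRIVS = {
    "GRANT ANY PRIVILEGE", "GRANT ANY ROLE", "GRANT ANY OBJECT PRIVILEGE",
    "CREATE USER", "ALTER USER", "DROP USER", "ALTER ANY ROLE", "DROP ANY ROLE",
    "CREATE ANY PROCEDURE", "EXECUTE ANY PROCEDURE",
}

# Constructed sample rows shaped like the two views: (grantee, role or privilege, admin_option).
SAMPLE_ROLE_PRIVS = [
    ("APP_RW", "RESOURCE", "NO"),
    ("REPORTING", "APP_READER", "NO"),
    ("OPS_ROLE", "DBA", "NO"),        # a role that inherits DBA
    ("J_DOE", "OPS_ROLE", "NO"),      # user holds DBA only transitively
    ("SYS", "DBA", "YES"),
]
SAMPLE_SYS_PRIVS = [
    ("APP_RW", "CREATE SESSION", "NO"),
    ("APP_RW", "GRANT ANY ROLE", "YES"),   # direct high-risk grant, with admin option
    ("REPORTING", "CREATE SESSION", "NO"),
    ("APP_READER", "SELECT ANY TABLE", "NO"),
]


def expand_roles(role_privs):
    """Map each grantee to every role it holds, following role-to-role grants."""
    direct = {}
    for grantee, role, _admin in role_privs:
        direct.setdefault(grantee, set()).add(role)

    def closure(name, seen):
        for role in direct.get(name, ()):
            if role not in seen:
                seen.add(role)
                closure(role, seen)
        return seen

    return {grantee: closure(grantee, set()) for grantee in direct}


def effective_sys_privs(sys_privs, roles_by_grantee):
    """Union each grantee's direct system privileges with those of all its roles."""
    direct = {}
    for grantee, priv, _admin in sys_privs:
        direct.setdefault(grantee, set()).add(priv)
    effective = {}
    for grantee in set(direct) | set(roles_by_grantee):
        privs = set(direct.get(grantee, ()))
        for role in roles_by_grantee.get(grantee, ()):
            privs |= direct.get(role, set())
        effective[grantee] = privs
    return effective


def find_risky_grantees(role_privs, sys_privs, ignore=("SYS",)):
    """Return {grantee: [reasons]} for every user or role that can escalate on its own."""
    roles = expand_roles(role_privs)
    privs = effective_sys_privs(sys_privs, roles)
    findings = {}
    for grantee in sorted(set(roles) | set(privs)):
        if grantee in ignore:
            continue
        reasons = [f"role {r}" for r in sorted(roles.get(grantee, set()) & HIGH_RISK_ROLES)]
        reasons += [f"privilege {p}" for p in sorted(privs.get(grantee, set()) & HIGH_RISK_SYS_PRIVS)]
        # Any system privilege held WITH ADMIN OPTION can be handed on to other accounts.
        reasons += [f"{p} WITH ADMIN OPTION" for g, p, adm in sys_privs if g == grantee and adm == "YES"]
        if reasons:
            findings[grantee] = reasons
    return findings


if __name__ == "__main__":
    for grantee, reasons in find_risky_grantees(SAMPLE_ROLE_PRIVS, SAMPLE_SYS_PRIVS).items():
        print(f"{grantee}: {', '.join(reasons)}")
```

On the sample data the user J_DOE is flagged for DBA even though no row grants it DBA directly, and APP_RW is flagged twice for GRANT ANY ROLE, once for holding it and once for being able to pass it on. Feed the real view output into the same functions and treat every flagged non-administrative account as a candidate attacker for this CVE.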

How to fix

Upgrade OceanBase Server to a version that fixes the privilege escalation vulnerability. Consult the release notes or the vendor's website for details of the fixed versions and upgrade instructions.


Frequently asked questions

What is CVE-2025-8107 — Privilege Escalation in OceanBase Server?

CVE-2025-8107 is a vulnerability in OceanBase Server's Oracle tenant mode allowing malicious users with specific privileges to escalate to SYS-level access via crafted commands, potentially compromising the entire database.

Am I affected by CVE-2025-8107 in OceanBase Server?

You are affected if you run OceanBase Server versions 3.2.4 through 4.3.4 and any tenant is in Oracle compatibility mode, unless the server is already on a patched point release for its branch (3.2.4.8, 4.2.1.10, 4.2.5 or 4.3.3.2). Tenants in MySQL mode are not affected.

How do I fix CVE-2025-8107 in OceanBase Server?

Upgrade OceanBase Server to 4.3.5 or later, or to the patched point release for your branch (3.2.4.8, 4.2.1.10, 4.2.5 or 4.3.3.2). If an immediate upgrade is not possible, minimise the number of accounts in Oracle-mode tenants that hold elevated privileges and audit the grants that remain.

Is CVE-2025-8107 being actively exploited?

Active exploitation campaigns are not currently confirmed, but the potential for abuse warrants close monitoring.

Where can I find the official OceanBase advisory for CVE-2025-8107?

Refer to the official OceanBase security advisory for detailed information and updates regarding CVE-2025-8107.
