

Severity
Medium
Analysis Summary
A critical vulnerability identified as CVE-2025-30733 has been discovered in Oracle's Transparent Network Substrate (TNS) protocol, allowing unauthenticated attackers to remotely leak sensitive system memory contents from affected Oracle Database Servers. The issue arises from uninitialized memory reads in the server’s response to connection requests, particularly over TCPS (TNS over SSL/TLS). Attackers can exploit this flaw to retrieve sensitive data such as Windows environment variables (e.g., USERNAME, USERDOMAIN, Path) without needing valid credentials. Oracle assigned a CVSS score of (Medium) to this vulnerability and released a patch on April 15, 2025, covering Oracle Database versions 19.3–19.26, 21.3–21.17, and 23.4–23.7.
The vulnerability was uncovered by researchers during the development of protocol analyzers. Using a connection string similar to Oracle's own lsnrctl tool (DESCRIPTION=(CONNECT_DATA=(COMMAND=version))), they observed that TCPS listeners would return more than just standard banner information. Instead, responses included residual memory data, which could contain valuable system information. The leaked data often carried prefixes such as “sdp” or “wss,” potentially tied to Session Description Protocol and Web Services Security features. The amount and type of leaked information depend on recent memory usage, making it unpredictable and riskier in live environments.
Although Oracle’s default configuration has restricted external TNS listener access since version 10g, researchers still found approximately 40 vulnerable systems exposed to the internet, primarily on Windows servers using the default port 1521. These systems were accessible due to misconfigured settings, specifically when the LOCAL_OS_AUTHENTICATION parameter was set to OFF. This non-default setting disables local-only access, thereby enabling remote attackers to exploit the vulnerability. This highlights how minor configuration changes can compromise security in enterprise environments.
Oracle responded swiftly with a patch in its April 2025 Critical Patch Update, and immediate remediation is strongly recommended. In addition to applying the patch, organizations should ensure proper configuration of LOCAL_OS_AUTHENTICATION and avoid exposing TNS listeners to the internet unless absolutely necessary. The incident underscores the ongoing risks posed by legacy protocols like TNS, developed over three decades ago, and serves as a reminder that tight network segmentation and reduced external attack surfaces are crucial to database security.
Impact
- Sensitive Data Theft
- Gain Access
Indicators of Compromise
CVE
CVE-2025-30733
Affected Vendors
- Oracle
Affected Products
- Oracle Database Server 19.3–19.26, 21.3–21.17, 23.4–23.7
Remediation
- Refer to Oracle Critical Patch Update Advisory - April 2025 for patch, upgrade or suggested workaround information.
- Ensure LOCAL_OS_AUTHENTICATION is set to ON to restrict listener access to local connections only.
- Audit and minimize public exposure of Oracle TNS listeners, especially on port 1521.
- Restrict TNS listener access at the firewall level, allowing only trusted internal IPs.
- Use network segmentation to isolate database servers from internet-facing networks.
- Regularly review the listener.ora configuration for any misconfigurations or non-default settings.
- Monitor network traffic for unusual TNS protocol requests, especially those targeting TCP listeners.
- Implement intrusion detection systems (IDS/IPS) to detect and block unauthorized TNS access attempts.
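
The listener.ora review recommended above can be scripted. The following is an added example, not code from this advisory or from Oracle: it flags LOCAL_OS_AUTHENTICATION set to OFF and lists TCP/TCPS endpoints bound to non-loopback hosts. The sample file, host names and check names are constructed, and the pattern also accepts the listener-name suffix form of the parameter (LOCAL_OS_AUTHENTICATION_<listener_name>) that Oracle documents.

```python
import re

# Constructed sample listener.ora (not taken from a real system).
SAMPLE_LISTENER_ORA = """\
# listener.ora (constructed sample)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.example.internal)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
"""

# Parameter with or without the listener-name suffix.
PARAM_RE = re.compile(r"^\s*(LOCAL_OS_AUTHENTICATION\w*)\s*=\s*(\w+)", re.I | re.M)
# One ADDRESS entry made of flat (KEY = value) pairs.
ADDRESS_RE = re.compile(r"\(\s*ADDRESS\s*=\s*((?:\(\s*\w+\s*=\s*[^()]*\)\s*)+)\)", re.I)
PAIR_RE = re.compile(r"\(\s*(\w+)\s*=\s*([^()]*?)\s*\)")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def strip_comments(text):
    """Drop whole-line '#' comments so commented-out settings are ignored."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def audit_listener_ora(text):
    """Return a list of (check_id, detail) findings for one listener.ora."""
    text = strip_comments(text)
    findings = []
    for name, value in PARAM_RE.findall(text):
        if value.upper() == "OFF":  # non-default setting named in the advisory
            findings.append(("local-os-auth-off", f"{name} = {value}"))
    for block in ADDRESS_RE.findall(text):
        addr = {k.upper(): v for k, v in PAIR_RE.findall(block)}
        proto = addr.get("PROTOCOL", "").upper()
        if proto not in ("TCP", "TCPS"):
            continue  # IPC and similar local transports are not network endpoints
        host = addr.get("HOST", "")
        if host.lower() not in LOOPBACK:
            findings.append(("network-endpoint", f"{proto} {host}:{addr.get('PORT', '?')}"))
    return findings

if __name__ == "__main__":
    for check, detail in audit_listener_ora(SAMPLE_LISTENER_ORA):
        print(f"[{check}] {detail}")
```

Each network-endpoint finding is a listener address to compare against firewall rules and segmentation; it is not by itself evidence of internet exposure.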