Oracle Database TNS vulnerability could leak data to further attacks

A vulnerability in Oracle database communications could potentially allow an unauthenticated user to access system memory contents that may include sensitive information that could be used for further attacks.

The research team with security consultants Driftnet said that the Oracle Database Transparent Network Substrate (TNS) can potentially allow an unauthenticated user to pull up data that should be securely stored in memory.

In practice, a user who otherwise would not have elevated access can pull system details from the database and potentially elevate their privilege to perform further attacks.

“A principle we follow when developing our protocol analyzers is that we aim to minimise impact on the remote device while gathering enough information to fully identify the remote product and version,” Driftnet said in its summary.

“For Oracle TNS, we request the database version without authentication — similar to how Oracle’s own lsnrctl (Listener Control Utility) operates when run locally on a database server.”

The vulnerability itself is down to memory leakage. The Oracle TCPS service fails to correctly erase data stored in memory. This can allow for a request that pulls the data stored in that uncleared memory.

In short, an attacker could send a request to the database that would spill the contents of the stored memory, that may include sensitive data.

The vulnerability has been designated as CVE-2025-30733 and has been patched by Oracle. As Oracle databases are often critical for business operations, however, updates for these systems can be few and far between.

While the vulnerability is a potentially serious issue, there are some mitigating factors. Driftnet said that by default the vulnerability would not be accessible to an outside attacker, though it often is exposed in the wild.

“The default configuration of Oracle RDBMS since version 10g limits unauthenticated external access, so we didn’t expect to see widespread exposure of this vulnerability,” the researchers noted.

“However, because only minor changes to the default configuration are needed for the issue to become remotely observable, we do see limited numbers of exposed servers.”

The total number of exposed systems is estimated to be 40, though the researchers noted that exposing a database is not difficult and many servers could be unknowingly exposed to attack.

“We found a global distribution of affected servers with a wide range of reported database versions,” said Driftnet.

“Typically these use the default listener port of 1521, and are mainly running Windows — although the operating system used by the server doesn’t impact the vulnerability.”

Administrators are advised to update their database installations as soon as possible.