Oracle Application Testing Suite (January 2026 CPU)

🗓️ 03 Feb 2026 00:00:00Reported by TenableType

Oracle Application Testing Suite vulnerability in Load Testing for Web Apps version 13.3.0.1 allows unauthenticated HTTP access, risking partial denial of service.

Reporter	Title	Published	Views	Family All 335
IBM Security Bulletins	Security Bulletin: IBM Operational Decision Manager for December 2025 - Multiple CVEs addressed	29 Jan 202607:37	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Secure Proxy is vulnerable to uncontrolled recursion due to Apache Commons Lang.	10 Feb 202617:07	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in Apache Commons Lang may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-48924)	26 Sep 202508:04	–	ibm
IBM Security Bulletins	Security Bulletin: Uncontrolled Recursion vulnerability in Apache Commons Lang library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2025-48924)	24 Oct 202503:53	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Event Processing	30 Dec 202512:59	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Commons Lang (CVE-2025-48924)	24 Mar 202616:15	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Apache Commons Lang affect IBM® Db2® Big SQL on IBM Cloud Pak for Data.	23 Jan 202613:29	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Application Modernization Accelerator is affected by multiple vulnerabilities found in Java and Node.js (CVE-2025-48924, CVE-2025-4949)	18 Aug 202510:33	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in commons-codec-1.11.jar affecting MongoDB Enterprised Advanced (CVE-2020-15250, CVE-2025-48924)	24 Feb 202619:12	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Security QRadar EDR Software	27 Nov 202512:09	–	ibm

Source	Link
oracle	www.oracle.com/docs/tech/security-alerts/cpujan2026csaf.json
oracle	www.oracle.com/security-alerts/cpujan2026.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(297691);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/03");

  script_cve_id("CVE-2025-48924");

  script_name(english:"Oracle Application Testing Suite (January 2026 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a vulnerability");
  script_set_attribute(attribute:"description", value:
"The versions of Oracle Application Testing Suite installed on the remote host are affected by a vulnerability as
referenced in the January 2026 CPU advisory.

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component:
    Load Testing for Web Apps (Apache Commons Lang)). The supported version that is affected is 13.3.0.1.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to
    compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in
    unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Application Testing
    Suite. (CVE-2025-48924)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpujan2026csaf.json");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2026.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2026 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-48924");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:application_testing_suite");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_application_testing_suite_installed.nbin");
  script_require_keys("installed_sw/Oracle Application Testing Suite");

  exit(0);
}


include('vcf_extras_oracle.inc');

var app_info = vcf::oracle_oats::get_app_info();

var patches_to_report;
var patches_to_check;
if (get_kb_item('SMB/Registry/Enumerated'))
{
  patches_to_report = make_list('38829320');
}
else
{
  patches_to_report = make_list('37155595');
  patches_to_check = make_list('37155595');
}

var constraints = [
  { 'min_version' : '13.3.0.1', 'fixed_version' : '13.3.0.1.668' }
];

vcf::oracle_oats::check_version_and_report(
  app_info:app_info,
  severity:SECURITY_HOLE,
  constraints:constraints,
  patches_to_report:patches_to_report,
  patches_to_check:patches_to_check
);

03 Feb 2026 00:00Current

5.6Medium risk

Vulners AI Score5.6

CVSS 3.15.3

EPSS0.00099

SSVC