Multiple vulnerabilities in Oracle Communications Converged Charging System
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2025-8058 CVE-2024-28182 CVE-2024-12133 CVE-2025-55163 CVE-2024-57699 CVE-2024-7254 CVE-2025-49796 CVE-2024-37371 CVE-2025-6965 |
| CWE-ID | CWE-415 CWE-20 CWE-400 CWE-399 CWE-674 CWE-843 CWE-125 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Oracle Communications Converged Charging System Server applications / Other server solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Double free
EUVDB-ID: #VU113187
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-8058
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the regcomp() function in case previous memory allocations fail. A remote attacker can pass specially crafted data to the application, trigger double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Converged Charging System: 2.0.0.0.0 - 2.0.0.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2025.html?1006996
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU88144
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-28182
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to reading the unbounded number of HTTP/2 CONTINUATION frames. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Converged Charging System: 2.0.0.0.0
CPE2.3 External linkshttps://www.oracle.com/security-alerts/cpuoct2025.html?1006996
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU103980
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-12133
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources processing a large number of SEQUENCE OF or SET OF elements in a certificate. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Converged Charging System: 2.0.0.0.0 - 2.0.0.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2025.html?1006996
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU114026
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-55163
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Converged Charging System: 2.0.0.0.0 - 2.0.0.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2025.html?1006996
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Resource management error
EUVDB-ID: #VU106926
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-57699
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling a specially crafted JSON input. A remote attacker can pass a large number of ’{’ characters to the application and perform a denial of service (DoS) attack.
Note, the vulnerability exists due to incomplete fix for #VU75044 (CVE-2023-1370).
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Converged Charging System: 2.0.0.0.0 - 2.0.0.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2025.html?1006996
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Uncontrolled Recursion
EUVDB-ID: #VU97574
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-7254
CWE-ID:
CWE-674 - Uncontrolled Recursion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Communications Converged Charging System: 2.0.0.0.0 - 2.0.0.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2025.html?1006996
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Type Confusion
EUVDB-ID: #VU111223
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-49796
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a type confusion error within the xmlSchematronFormatReport() function when processing sch:name elements in schematron.c. A remote attacker can pass specially crafted data to the application, trigger a type confusion error and crash the application.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Converged Charging System: 2.0.0.0.0 - 2.0.0.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2025.html?1006996
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds read
EUVDB-ID: #VU93519
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-37371
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when handling GSS message token. A remote attacker can send specially crafted token to the application, trigger an out-of-bounds read error and read contents of memory on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Converged Charging System: 2.0.0.0.0 - 2.0.0.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2025.html?1006996
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Buffer overflow
EUVDB-ID: #VU113156
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-6965
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing aggregated terms. A remote attacker can pass specially crafted input to the application where the number of aggregate terms exceeds the number of columns available, trigger memory corruption and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Communications Converged Charging System: 2.0.0.0.0 - 2.0.0.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_communications_converged_charging_system:2.0.0.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuoct2025.html?1006996
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
