CVE-2019-3025

CRITICAL

Oracle Food and Beverage Apps <5.7 - RCE

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-3025. PoCs published by Walid Faour.

AI-analyzed exploit summary: This exploit leverages a SOAP-based file transfer vulnerability in Oracle Hospitality RES 3700 to upload and execute a malicious executable and scheduled task. It sends two crafted SOAP requests to transfer files to the target system.

Description

Vulnerability in the Oracle Hospitality RES 3700 component of Oracle Food and Beverage Applications. The supported version that is affected is 5.7. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality RES 3700. While the vulnerability is in Oracle Hospitality RES 3700, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality RES 3700. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Exploits (1)

exploitdb WORKING POC
by Walid Faour · text · webapps · java
https://www.exploit-db.com/exploits/48477

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle Hospitality RES 3700 <= v5.7
No auth needed
Prerequisites: Network access to the target system on port 50123 · Presence of the vulnerable SOAP endpoint
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.0
EPSS 0.1446
EPSS Percentile 96.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

Status published
Products (1)
oracle/hospitality_res_3700 5.7
Published Oct 16, 2019
Tracked Since Feb 18, 2026