CVE-2025-21558 is a medium-severity vulnerability in the Oracle Primavera P6 Enterprise Project Portfolio Management product, specifically in the Web Access component. This vulnerability allows a low-privileged attacker with network access via HTTP to compromise the application. Successful exploitation requires human interaction from a user other than the attacker, which adds a layer of complexity to the attack. However, if exploited, the consequences could be significant, affecting not only Primavera P6 but also potentially impacting other connected systems.
The CVSS 3.1 score for this vulnerability is 5.4, indicating medium severity. Organizations should be aware that the risks associated with this vulnerability include unauthorized updates, inserts, or deletions of accessible data, as well as unauthorized read access to a subset of Primavera P6's data. The vulnerability impacts versions 20.12.1.0 to 20.12.21.5, 21.12.1.0 to 21.12.20.0, and 22.12.1.0.
Given the potential for unauthorized access to sensitive data, organizations using affected versions should prioritize patching immediately. The nature of the vulnerability and the potential impact on project management processes necessitate a timely response to mitigate risks.
As of now, there are no public exploits confirmed for this vulnerability, but the presence of a low-privileged attack vector should prompt organizations to evaluate their security measures surrounding the use of Primavera P6.
Vulnerability Details
The affected product is Oracle Primavera P6 Enterprise Project Portfolio Management, versions 20.12.1.0 to 20.12.21.5, 21.12.1.0 to 21.12.20.0, and 22.12.1.0. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N; the changed scope (S:C) means a successful exploit can affect resources beyond the vulnerable Web Access component, which is why the impact can extend to connected systems.
The root cause of this vulnerability stems from insufficient access controls, allowing an attacker to manipulate data or gain unauthorized access. The attack vector is network-based, requiring low attack complexity and minimal privileges. User interaction is required, meaning that the victim must perform an action that facilitates the attack.
The impacts of this vulnerability are classified as low for both confidentiality and integrity, with no impact on availability. The associated CWE classification is CWE-863 (Incorrect Authorization): the application performs an authorization check but performs it incorrectly, so a low-privileged user can reach data or actions that should be denied.
Technical Analysis
The root cause of CVE-2025-21558 is an issue with access controls within the Primavera P6 Web Access component. Attackers can exploit this vulnerability due to the low privileges required and the ability to access the application over the network. The exploitation complexity is low, suggesting that the vulnerability can be exploited with minimal technical skill.
The attack vector is primarily network-based, allowing attackers to leverage remote access to initiate the attack. Privileges required are classified as low, meaning that even users with minimal permissions can potentially exploit this vulnerability. User interaction is a crucial aspect, as the attack typically involves tricking a user into performing an action that triggers the exploit.
In terms of impact, the vulnerability affects the confidentiality and integrity of the data managed by Primavera P6. Attackers may gain access to sensitive project data, which could lead to unauthorized changes or data breaches. The availability of the system remains unaffected, ensuring that the application remains operational even if the vulnerability is exploited.
Risk & Impact Analysis
Organizations using Oracle Primavera P6 must recognize the real-world risks posed by CVE-2025-21558. The fact that the vulnerability allows unauthorized updates, inserts, and deletions of accessible data highlights the potential for significant operational disruptions. The requirement for user interaction introduces an additional layer of complexity, but it does not negate the risk.
The blast radius of this vulnerability can extend beyond Primavera P6, affecting other integrated systems and applications. Successful exploitation may lead to unauthorized access to sensitive data, impacting not only project management but also potentially leading to compliance violations.
Given the CVSS score of 5.4, organizations should address this vulnerability in their priority patch cycle. Monitoring and logging of affected systems should also be enhanced to detect any suspicious activity related to this vulnerability.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
The affected versions of Oracle Primavera P6 Enterprise Project Portfolio Management include:
- 20.12.1.0 to 20.12.21.5
- 21.12.1.0 to 21.12.20.0
- 22.12.1.0
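The following helper, added here and not part of the advisory, tests an installed version string against the affected ranges listed above. It compares version components numerically, because plain string comparison would wrongly place 20.12.3.0 above 20.12.21.5 and so misclassify the install.

```python
"""Check whether an installed Primavera P6 version falls inside the affected ranges."""

# Affected ranges as listed in the advisory: (lowest, highest), both inclusive.
# The single version 22.12.1.0 is represented as a range of length one.
AFFECTED_RANGES = [
    ("20.12.1.0", "20.12.21.5"),
    ("21.12.1.0", "21.12.20.0"),
    ("22.12.1.0", "22.12.1.0"),
]


def parse_version(s: str) -> tuple:
    """Turn '20.12.21.5' into (20, 12, 21, 5); shorter strings are padded with
    zeros so that '20.12.1' compares equal to '20.12.1.0'."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (4 - len(nums))
    return tuple(nums)


def is_affected(installed: str) -> bool:
    """True if the installed version lies in any affected range."""
    v = parse_version(installed)
    return any(parse_version(low) <= v <= parse_version(high)
               for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    for ver in ("20.12.3.0", "20.12.21.6", "22.12.1.0"):
        print(ver, "affected" if is_affected(ver) else "not affected")
```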
Mitigation & Remediation
Organizations should prioritize patching immediately to remediate CVE-2025-21558. Updating to the latest version of Primavera P6 will eliminate the vulnerability and protect against potential exploits. If immediate patching is not feasible, consider implementing additional network controls to restrict access to the application and monitor for any suspicious activity.
Configuration hardening can also mitigate risks associated with this vulnerability. Secure user accounts with strong authentication mechanisms and limit user permissions to only what is necessary for their role. Regular reviews of user access logs and monitoring system behavior can aid in detecting any unauthorized attempts to exploit the vulnerability.
Penetration testing can also help identify and remediate weaknesses in the application.
Detection Guidance
To detect potential exploitation attempts related to CVE-2025-21558, organizations should monitor for specific log indicators, such as unusual access patterns to the Primavera P6 application and failed login attempts from low-privileged accounts.
Behavioral anomalies, such as unauthorized data modifications or access outside of normal business hours, should also be flagged for further investigation.
Network signatures related to HTTP requests that trigger the vulnerability should be captured and analyzed to identify potential attacks.
AppSecure Threat Intelligence Insight
CVE-2025-21558 illustrates a common type of vulnerability that can exist in enterprise applications, particularly those that require user interaction. The low-privilege nature of the attack vector highlights the importance of secure coding practices and thorough testing to identify potential weaknesses.
Organizations should take this opportunity to review their security controls and consider implementing a comprehensive vulnerability management program to address similar risks in the future.
Additionally, organizations should remain informed about emerging threats and trends in vulnerability exploitation to proactively strengthen their defenses. Engaging in regular penetration testing can help uncover vulnerabilities before they can be exploited.
Finally, organizations should consider investing in VAPT (vulnerability assessment and penetration testing) services to ensure a comprehensive assessment of their security posture.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.