CVE-2025-21561: Medium Vulnerability in Oracle PeopleSoft

A medium-severity vulnerability exists in Oracle PeopleSoft Enterprise SCM Purchasing. Easily exploitable by low-privileged attackers, it can lead to unauthorized data access. Organizations should prioritize patching to mitigate potential risks.

Severity: Medium · CVSS 5.4 · Published January 21, 2025

CVE-2025-21561 is a medium-severity vulnerability affecting the Oracle PeopleSoft Enterprise SCM Purchasing product, specifically version 9.2. This vulnerability allows a low-privileged attacker with network access via HTTP to compromise the PeopleSoft Enterprise SCM Purchasing system. The implications of a successful exploitation include unauthorized update, insert, or delete access to certain accessible data, alongside unauthorized read access to a subset of that data.

The CVSS 3.1 base score for this vulnerability is 5.4, indicating a medium severity level. The attack vector is categorized as network, with low complexity and low privileges required for exploitation. This means that attackers can potentially exploit the vulnerability without significant effort, highlighting the urgency for organizations to address this issue.

Risk to organizations includes unauthorized modifications to data and potential data breaches, which could have serious implications on business operations and compliance. Given the ease of exploitation, organizations should prioritize patching immediately to mitigate risks associated with this vulnerability.

As of now, no public exploit has been confirmed, and the vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog. However, the potential for exploitation remains due to the characteristics of the vulnerability.

Organizations should stay informed about any updates from Oracle regarding patches or remediation strategies to ensure the security of their PeopleSoft systems.

Vulnerability Details

The vulnerability is described in the Oracle advisory as affecting the PeopleSoft Enterprise SCM Purchasing component. The CVSS score of 5.4 reflects low confidentiality and integrity impacts with no availability impact, placing it in the medium severity band. The weakness is classified as CWE-863 (Incorrect Authorization).

Technical Analysis

The root cause of this vulnerability stems from insufficient access controls within the PeopleSoft system. Attackers may exploit this vulnerability via a network, taking advantage of the low complexity of the attack method. The attack does not require any user interaction, making it easier to execute.

The confidentiality and integrity impacts are each rated low, meaning an attacker gains limited read access and limited write access rather than full control of the data. There is no availability impact, but even limited unauthorized access to purchasing data can carry real organizational risk.

Risk & Impact Analysis

Organizations using the affected version of PeopleSoft should be aware of the potential for unauthorized access and manipulation of sensitive data. The blast radius of this vulnerability could affect multiple data sets within the organization, leading to compliance issues and operational disruptions.

With a CVSS score of 5.4, this vulnerability requires medium urgency in remediation efforts. Organizations should address this in their priority patch cycle to mitigate risks effectively.

Exploitation Status

Signal               Status
Known Exploit        No
Public PoC           No
Actively Exploited   No
Ransomware Use       No

Affected Versions

The vulnerable version of the Oracle PeopleSoft Enterprise SCM Purchasing product is 9.2. Organizations should ensure they are running the latest patched version to mitigate this vulnerability.

Mitigation & Remediation

Organizations should apply the latest patch provided by Oracle to remediate this vulnerability. Additionally, implementing configuration hardening and network controls can help protect against unauthorized access. Regular monitoring and security assessments are also recommended to ensure compliance with security standards.

Detection Guidance

To detect potential exploitation of this vulnerability, organizations should monitor logs for unusual access patterns and unauthorized data modifications. Behavioral anomalies should be investigated, and network signatures should be established to detect malicious activity.

AppSecure Threat Intelligence Insight

CVE-2025-21561 represents a significant risk for organizations relying on Oracle PeopleSoft. The ease of exploitation and the potential for unauthorized access to sensitive data underscore the importance of prompt remediation.

This vulnerability also highlights the need for ongoing security assessments and the implementation of robust security measures across organizational infrastructures.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
