Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle states unauthenticated HTTP-reachable Performance Monitor flaw yielding takeover, so AV:N/AC:L/PR:N/UI:N with full C:H/I:H/A:H and unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor component, allowing unauthenticated network attackers to fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 9.8 critical and describes it as easily exploitable over HTTP, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The PeopleSoft Enterprise PT PeopleTools Performance Monitor component must be reachable by the attacker over HTTP/HTTPS, and the deployment must be running PeopleTools 8.61 or 8.62 with PPM enabled (it is enabled by default on standard PeopleTools web profiles). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to high real-world risk: CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N with S:U and C:H/I:H/A:H means a remote, unauthenticated, low-complexity HTTP request yields full takeover, and Oracle's own advisory text labels it 'easily exploitable.' Countering that, the issue is not listed in CISA KEV, no public POC is referenced in the provided intelligence, no EPSS score was supplied, and no CWE/SSVC decision data is available, so weaponization status is currently unknown. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the PeopleSoft web tier over the internet or an internal network sends a single crafted HTTP request to the Performance Monitor endpoint and, with no credentials or user interaction, obtains takeover-level control of the PeopleTools application, enabling data exfiltration from PeopleSoft modules (HR, finance, student records) and lateral movement into the Oracle database tier. No public exploit identified at time of analysis, but Oracle's 'easily exploitable' wording and the AV:N/AC:L/PR:N/UI:N vector imply a reliable one-shot exploit is feasible once the bug is reverse-engineered from the CPU patch. |
| Remediation | Patch available per vendor advisory: apply the fixes shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) to PeopleTools 8.61 and 8.62 as the primary remediation, since no specific fixed patch level is enumerated in the provided data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running PeopleSoft Enterprise PT PeopleTools 8.61-8.62 and assess criticality; restrict network access to Performance Monitor component via firewall rules; disable Performance Monitor service if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic componen
Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated
Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti
Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Se
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Mo
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a
Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37407