Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Performance Monitor is reachable over HTTP without auth (AV:N/PR:N/UI:N); Oracle's 'difficult to exploit' wording supports AC:H; 'takeover' outcome justifies C:H/I:H/A:H with no scope change.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Monitor component, where an unauthenticated network attacker can compromise the application over HTTP. Although Oracle classifies the issue as difficult to exploit (AC:H), successful attacks yield full confidentiality, integrity, and availability impact with a CVSS 3.1 base score of 8.1. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
PeopleTools is the underlying middleware/runtime that hosts PeopleSoft Enterprise applications (HCM, FSCM, CRM, Campus Solutions). The affected Performance Monitor (PPM) component instruments PeopleSoft system performance by collecting metrics from monitored systems and the PIA web tier over HTTP; it exposes web-accessible servlets/endpoints that can be reached on the PeopleSoft Internet Architecture (PIA) without prior authentication in many deployments. The CPE cpe:2.3:a:oracle_corporation:peoplesoft_enterprise_pt_peopletools confirms the affected product line. No CWE is assigned in NVD data, but the 'takeover' impact combined with the Performance Monitor attack surface is consistent with weaknesses in request handling or deserialization within that component - Oracle does not publish root-cause details in CPU advisories.
RemediationAI
Apply the patches delivered in Oracle's June 2026 Critical Patch Update for PeopleSoft (https://www.oracle.com/security-alerts/cspujun2026.html) to PeopleTools 8.61 and 8.62 - Oracle's CPU is the authoritative source for exact PRP/patch IDs, which must be obtained from My Oracle Support. As compensating controls until patching, restrict network access to the Performance Monitor servlets on the PIA web tier (typically reached via /psp or /psc URLs under the PPMI/Performance Monitor path) using the load balancer or web server, place PeopleSoft behind a VPN or zero-trust reverse proxy so HTTP is not internet-reachable, and consider disabling the Performance Monitor agent collection in non-essential environments - the trade-off is loss of PPM-based performance telemetry until the patch is applied. Do not rely on WAF signatures alone given the lack of public technical details.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor com
Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic componen
Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated
Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti
Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Se
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a
Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37408