Severity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Local Deployment Package abuse needs prior high-privileged logon on the PeopleTools host (AV:L, PR:H), is low-complexity with no user interaction, and crosses scope to other PeopleSoft products with full C/I/A impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where PeopleSoft Enterprise PT PeopleTools executes to compromise PeopleSoft Enterprise PT PeopleTools. While the vulnerability is in PeopleSoft Enterprise PT PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
The flaw resides in the Deployment Package subsystem of PeopleTools, the middleware/runtime layer that underpins Oracle PeopleSoft applications (HCM, FSCM, Campus Solutions, etc.). Deployment Packages bundle binaries, configuration, and scripts used to install or update PeopleSoft environments, so weaknesses there typically involve trust placed in files, paths, or configuration executed during deployment by privileged service accounts. The CPE confirms the affected component is cpe:2.3:a:oracle_corporation:peoplesoft_enterprise_pt_peopletools, and the CVSS scope change (S:C) signals that exploitation crosses the PeopleTools security authority and can affect adjacent PeopleSoft application products that rely on it. No CWE was assigned, so the precise weakness class (e.g., insecure file handling, path or argument injection during deployment) cannot be confirmed from the provided data.
RemediationAI
Apply the fixes delivered in Oracle's June 2026 Critical Patch Update for PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 as documented at https://www.oracle.com/security-alerts/cspujun2026.html (patch available per vendor advisory; exact post-patch build number is not independently confirmed in the provided data, so consult the CPU readme for the precise PeopleTools patch level). Until the CPU is deployed, compensating controls should focus on the PR:H/AV:L precondition: restrict interactive and service logon on PeopleTools application, app server, and Process Scheduler hosts to a minimal set of named admins, rotate and vault credentials for the PSADMIN/deployment service accounts, and tightly control who can place files into or invoke Deployment Package directories (trade-off: tighter ACLs may break ad-hoc patching workflows and require coordination with the PeopleSoft admin team). Enable OS-level auditing on the Deployment Package paths and on PSADMIN/PSAdmin invocations to detect tampering, accepting the additional log volume as the cost.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor com
Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic componen
Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated
Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Se
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Mo
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a
Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37416