CVE-2025-30758 in Siebel CRM End Userinfo

Summary

by MITRE • 07/15/2025

Vulnerability in the Siebel CRM End User product of Oracle Siebel CRM (component: User Interface). Supported versions that are affected are 25.0-25.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM End User. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Siebel CRM End User accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/29/2025

The vulnerability identified as CVE-2025-30758 represents a significant security weakness within Oracle Siebel CRM End User's user interface component. This issue affects versions 25.0 through 25.5 of the Siebel CRM platform, making it a widespread concern for organizations utilizing this customer relationship management solution. The vulnerability resides in the web-based user interface layer, which serves as the primary point of interaction for end users and administrators within the Siebel environment.

The technical flaw manifests as an authentication bypass mechanism that allows unauthenticated attackers to access restricted functionality within the Siebel CRM system. This vulnerability operates through HTTP network connections without requiring any valid credentials or prior access privileges, making it particularly dangerous as it can be exploited remotely by anyone with network access to the affected system. The attack vector specifically targets the user interface component, suggesting that the flaw may be related to improper access control implementation within the web application's authentication framework.

From an operational impact perspective, this vulnerability creates a serious confidentiality risk for organizations running affected Siebel CRM versions. Successful exploitation enables attackers to gain unauthorized read access to a subset of data within the Siebel CRM End User environment, potentially exposing sensitive customer information, business data, and operational details. The CVSS 3.1 base score of 5.3 indicates a medium severity vulnerability, but the implications can be substantial depending on the nature of the data accessible through this vulnerability. The lack of authentication requirements and the ability to exploit this through network access means that the attack surface is broad and easily accessible.

Organizations should immediately implement mitigation strategies to address this vulnerability, including applying the latest security patches from Oracle as soon as they become available. Network segmentation and access controls should be strengthened to limit exposure of the Siebel CRM system to untrusted networks. Additionally, monitoring network traffic for suspicious activity related to the affected system can help detect potential exploitation attempts. The vulnerability aligns with CWE-287, which addresses improper authentication issues, and maps to ATT&CK technique T1190 for exploiting vulnerabilities in web applications. Organizations should also conduct thorough audits of their Siebel CRM installations to identify and remediate any similar access control weaknesses that may exist within their broader IT infrastructure.

Responsible

Oracle

Reservation

03/26/2025

Disclosure

07/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00300

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!