CVE-2025-50061 in Primavera P6 Enterprise Project Portfolio Managementinfo

Summary

by MITRE • 07/15/2025

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 20.12.0-20.12.21, 21.12.0-21.12.21, 22.12.0-22.12.19, 23.12.0-23.12.13 and 24.12.0-24.12.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/25/2025

The vulnerability identified as CVE-2025-50061 affects Oracle Construction and Engineering's Primavera P6 Enterprise Project Portfolio Management software within its Web Access component. This issue manifests across multiple version ranges including 20.12.0 through 20.12.21, 21.12.0 through 21.12.21, 22.12.0 through 22.12.19, 23.12.0 through 23.12.13, and 24.12.0 through 24.12.4. The vulnerability represents a significant security concern as it allows low privileged attackers with network access via HTTP to compromise the system. The exploitability requires human interaction from users other than the attacker, indicating a social engineering component to the attack vector. This characteristic places the vulnerability in the context of targeted attacks where user engagement is necessary for successful exploitation.

The technical flaw resides within the web access functionality of Primavera P6, creating a pathway for unauthorized access to system resources. The CVSS 3.1 base score of 5.4 reflects the moderate severity of this vulnerability, with ratings of 5.4 for both confidentiality and integrity impacts. The attack vector is classified as network-based (AV:N) with low access complexity (AC:L) and requires low privileges (PR:L) to exploit. The vulnerability also requires user interaction (UI:R) which suggests that phishing or other social engineering techniques may be employed in conjunction with the technical exploit. The scope change (S:C) indicates that successful attacks can impact additional products beyond the primary target, expanding the potential damage surface.

The operational impact of this vulnerability extends beyond simple data access, as it enables unauthorized update, insert, or delete operations on sensitive project portfolio management data. Additionally, attackers can gain unauthorized read access to subsets of accessible data, potentially compromising project information, resource allocations, and financial planning details that are critical to construction and engineering organizations. The affected environment includes enterprise-level project portfolio management systems where project data integrity and confidentiality are paramount. Organizations utilizing Primavera P6 for large-scale construction projects face significant risk of data manipulation that could affect project timelines, budgets, and stakeholder confidence. The vulnerability's impact on both confidentiality and integrity aligns with CWE-284 (Improper Access Control) and CWE-200 (Information Exposure) categories, representing fundamental security control failures.

Organizations should implement immediate mitigations including network segmentation to limit access to the Primavera P6 web interfaces, enforcing strong authentication mechanisms, and deploying web application firewalls to monitor and filter HTTP traffic. Regular patch management processes must be prioritized to ensure timely deployment of Oracle security updates addressing this vulnerability. The security controls should also include user awareness training to recognize potential social engineering attempts that could leverage this vulnerability. Monitoring for unusual access patterns and implementing least privilege access controls will help reduce the potential impact of exploitation. Given the CVSS vector and the scope change implications, organizations should conduct comprehensive risk assessments to identify all systems that may be impacted by this vulnerability and implement appropriate compensating controls to protect against unauthorized data manipulation and access.

Responsible

Oracle

Reservation

06/12/2025

Disclosure

07/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00187

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!