
CVE-2025-21545

High

Published: 21 January 2025

Modified: 07 May 2025
KEV Added: not listed
Patch: available (Oracle Critical Patch Update)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0037 (58.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21545 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oracle PeopleSoft Enterprise PeopleTools. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks in the top 41.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Flaw remediation directly prevents exploitation of CVE-2025-21545 by applying Oracle's patch to the affected OpenSearch component in PeopleTools.

Prevent: Denial-of-service protection (SC-5) implements mechanisms such as rate limiting to block uncontrolled resource consumption attacks via HTTP that cause hangs or crashes.

Prevent: Resource availability protection (SC-6) allocates controls to prevent unauthorized resource exhaustion from unauthenticated HTTP exploits targeting OpenSearch.

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Why these techniques?

The vulnerability (CWE-400 Uncontrolled Resource Consumption) enables remote unauthenticated exploitation via HTTP to trigger application resource exhaustion leading to hangs or crashes, directly matching Application Exhaustion Flood for Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: OpenSearch). Supported versions that are affected are 8.60 and 8.61. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Deeper analysis

CVE-2025-21545 is a vulnerability in the OpenSearch component of the PeopleSoft Enterprise PeopleTools product from Oracle PeopleSoft. The supported versions affected are 8.60 and 8.61. This easily exploitable issue, associated with CWE-400 (Uncontrolled Resource Consumption), allows unauthenticated attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools, resulting in a denial of service through hangs or frequently repeatable crashes.

An unauthenticated attacker requires only network access via HTTP to exploit this vulnerability, with low attack complexity and no privileges, user interaction, or scope changes needed. Successful exploitation enables unauthorized complete denial of service (DoS) on PeopleSoft Enterprise PeopleTools, with no impacts on confidentiality or integrity. The CVSS 3.1 base score is 7.5 (High), reflected in the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, primarily due to high availability impacts.

Oracle's Critical Patch Update advisory provides details on mitigation, available at https://www.oracle.com/security-alerts/cpujan2025.html.

Details

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

Affected Products: Oracle PeopleSoft Enterprise PeopleTools, versions 8.60 and 8.61

CVEs Like This One

CVE-2026-34309: same product (Oracle PeopleSoft Enterprise PeopleTools)
CVE-2026-34290: same vendor (Oracle)
CVE-2025-21547: same vendor (Oracle)
CVE-2026-34282: same vendor (Oracle)
CVE-2026-21956: same vendor (Oracle)
CVE-2026-21945: same vendor (Oracle)
CVE-2025-21549: same vendor (Oracle)
CVE-2026-21955: same vendor (Oracle)
CVE-2026-36958: shared weakness (CWE-400)
CVE-2026-6780: shared weakness (CWE-400)
