CVE-2025-21556
Published: 21 January 2025
Summary
CVE-2025-21556 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Oracle Agile Product Lifecycle Management. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 22.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-21556 is an authorization vulnerability (CWE-863) in the Agile Integration Services component of the Oracle Agile PLM Framework within Oracle Supply Chain. It affects version 9.3.6 and carries a CVSS 3.1 base score of 9.9 with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating that a successful exploit can produce complete compromise of confidentiality, integrity, and availability while also affecting other products due to scope change.
A low-privileged attacker with network access over HTTP can exploit the flaw without user interaction to achieve full takeover of the Oracle Agile PLM Framework. Because the vulnerability resides in a framework component, successful attacks may extend control to additional Oracle Supply Chain products that rely on the same integration services.
The January 2025 Oracle Critical Patch Update advisory addresses the issue and directs customers to apply the corresponding fixes for Agile PLM 9.3.6. Security teams should review the full advisory at the referenced Oracle URL for patch availability and any interim configuration guidance. The associated EPSS scores remain low, with only a modest increase from 0.0099 to a peak of 0.0129.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2545
Vulnerability details
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Agile Integration Services). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile…
more
PLM Framework. While the vulnerability is in Oracle Agile PLM Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Incorrect authorization (CWE-863) in a network-accessible HTTP service allows low-privileged authenticated attackers to achieve full system takeover, directly enabling exploitation of the public-facing application (T1190) and privilege escalation via software vulnerability (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation through application of Oracle Critical Patch Update patches directly eliminates the incorrect authorization vulnerability in Agile Integration Services.
Enforces approved authorizations for access to system resources, directly countering the CWE-863 incorrect authorization that allows low-privileged takeover.
Limits low-privileged attackers to only essential privileges, reducing the potential impact and scope change from exploitation of the authorization flaw.