Cyber Resilience

CVE-2025-21556

Critical

Published: 21 January 2025

Published
21 January 2025
Modified
29 April 2025
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0099 77.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21556 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Oracle Agile Product Lifecycle Management. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 22.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-21556 is an authorization vulnerability (CWE-863) in the Agile Integration Services component of the Oracle Agile PLM Framework within Oracle Supply Chain. It affects version 9.3.6 and carries a CVSS 3.1 base score of 9.9 with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating that a successful exploit can produce complete compromise of confidentiality, integrity, and availability while also affecting other products due to scope change.

A low-privileged attacker with network access over HTTP can exploit the flaw without user interaction to achieve full takeover of the Oracle Agile PLM Framework. Because the vulnerability resides in a framework component, successful attacks may extend control to additional Oracle Supply Chain products that rely on the same integration services.

The January 2025 Oracle Critical Patch Update advisory addresses the issue and directs customers to apply the corresponding fixes for Agile PLM 9.3.6. Security teams should review the full advisory at the referenced Oracle URL for patch availability and any interim configuration guidance. The associated EPSS scores remain low, with only a modest increase from 0.0099 to a peak of 0.0129.

EU & UK References

Vulnerability details

Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Agile Integration Services). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile…

more

PLM Framework. While the vulnerability is in Oracle Agile PLM Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Incorrect authorization (CWE-863) in a network-accessible HTTP service allows low-privileged authenticated attackers to achieve full system takeover, directly enabling exploitation of the public-facing application (T1190) and privilege escalation via software vulnerability (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21565Same product: Oracle Agile Product Lifecycle Management
CVE-2025-21564Same product: Oracle Agile Product Lifecycle Management
CVE-2025-30751Same vendor: Oracle
CVE-2025-30743Same vendor: Oracle
CVE-2026-46823Same vendor: Oracle
CVE-2025-30744Same vendor: Oracle
CVE-2025-21506Same vendor: Oracle
CVE-2025-21516Same vendor: Oracle
CVE-2026-46837Same vendor: Oracle
CVE-2026-34309Same vendor: Oracle

Affected Assets

oracle
agile product lifecycle management
9.3.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through application of Oracle Critical Patch Update patches directly eliminates the incorrect authorization vulnerability in Agile Integration Services.

prevent

Enforces approved authorizations for access to system resources, directly countering the CWE-863 incorrect authorization that allows low-privileged takeover.

prevent

Limits low-privileged attackers to only essential privileges, reducing the potential impact and scope change from exploitation of the authorization flaw.

References