
CVE-2025-21564

Severity: High

Published: 21 January 2025
Modified: 29 April 2025
KEV Added: not listed
Patch: Oracle Critical Patch Update, January 2025
CVSS v3.1 base score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.0045 (64.1st percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21564 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Oracle Agile Product Lifecycle Management. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.9% of CVEs by exploit likelihood (EPSS 64.1st percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-21564 is a vulnerability in the Oracle Agile PLM Framework product, which is part of Oracle Supply Chain. The affected component is Agile Integration Services; the affected supported version is 9.3.6. The issue is classified as CWE-732 and carries a CVSS 3.1 base score of 8.1 with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H: high impact on confidentiality and availability, no integrity impact, and scope unchanged.

A low-privileged attacker with network access via HTTP can exploit this vulnerability with low complexity (AC:L) and no user interaction to compromise the Oracle Agile PLM Framework. Successful exploitation enables unauthorized access to critical data or complete access to all data the framework can reach, as well as the ability to cause a hang or frequently repeatable crash, resulting in a complete denial of service (DoS). Two points from the vector matter for triage: PR:L means the attacker needs an authenticated account on the system, so the population of accounts that can reach Agile Integration Services bounds the exposure, and I:N means the vector as scored does not cover modification of data.

Oracle has published the fix in its Critical Patch Update Advisory for January 2025 at https://www.oracle.com/security-alerts/cpujan2025.html, which security practitioners should consult for specific patch information and mitigation guidance.


Vulnerability details

Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Agile Integration Services). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Agile PLM Framework. CVSS 3.1 Base Score 8.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

CWE(s)

CWE-732 Incorrect Permission Assignment for Critical Resource

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213 Data from Information Repositories (Collection)
Adversaries may leverage information repositories to mine valuable information.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A network-accessible vulnerability in Oracle Agile PLM Framework (HTTP, PR:L) directly enables T1190, exploitation of a public-facing application; it facilitates T1213, unauthorized collection of data from the PLM information repository; and it enables T1499.004, DoS through an application crash or hang triggered by exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21565 (same product: Oracle Agile Product Lifecycle Management)
CVE-2025-21556 (same product: Oracle Agile Product Lifecycle Management)
CVE-2025-21571 (same vendor: Oracle)
CVE-2026-46829 (same vendor: Oracle)
CVE-2026-46834 (same vendor: Oracle)
CVE-2025-21547 (same vendor: Oracle)
CVE-2025-21506 (same vendor: Oracle)
CVE-2025-21516 (same vendor: Oracle)
CVE-2026-35245 (same vendor: Oracle)
CVE-2025-50105 (same vendor: Oracle)

Affected Assets

Oracle Agile Product Lifecycle Management 9.3.6

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Requires timely remediation of known flaws such as CVE-2025-21564 in Agile Integration Services, the affected component of Oracle Agile PLM Framework, to prevent low-privileged exploitation leading to unauthorized data access and DoS. For this CVE that means applying the January 2025 Critical Patch Update to affected 9.3.6 installations.

AC-6 Least Privilege (prevent)
Enforces least privilege to limit the scope and impact of the unauthorized data access this vulnerability grants to low-privileged attackers. Since the vector is PR:L, every account able to reach Agile Integration Services over HTTP is a potential launch point; restrict that set to the accounts and integrations that need it.

SC-5 Denial-of-Service Protection (prevent)
Implements denial-of-service protections to mitigate the hangs or repeatable crashes of Oracle Agile PLM Framework that exploitation can cause.

References

Oracle Critical Patch Update Advisory, January 2025: https://www.oracle.com/security-alerts/cpujan2025.html