CVE-2025-21526
📋 TL;DR
This is a Cross-Site Request Forgery (CSRF) vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management Web Access. It allows authenticated attackers with low privileges to trick users into performing unauthorized actions, potentially modifying or accessing project data. Affected organizations use Primavera P6 versions 20.12.1.0 through 23.12.10.0.
💻 Affected Systems
- Oracle Primavera P6 Enterprise Project Portfolio Management
📦 What is this software?
Primavera P6 Enterprise Project Portfolio Management by Oracle
⚠️ Risk & Real-World Impact
Worst Case
An attacker could manipulate project data, insert malicious content, delete critical project information, or exfiltrate sensitive project details, potentially disrupting operations and causing data integrity issues.
Likely Case
Attackers with basic access could modify project timelines, budgets, or resource allocations through tricked users, leading to project management disruptions and data corruption.
If Mitigated
With proper CSRF protections and user awareness, impact is limited to unsuccessful attack attempts with minimal operational disruption.
🎯 Exploit Status
Exploitation requires authenticated low-privilege access plus social engineering to trick a victim user into submitting the forged request. The CVSS vector rates the flaw as easily exploitable, with low attack complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Critical Patch Update from January 2025 or later
Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2025.html
Restart Required: Yes
Instructions:
1. Download the Critical Patch Update from Oracle Support.
2. Apply the patch following Oracle's installation instructions.
3. Restart Primavera P6 services.
4. Verify that the patch was applied.
🔧 Temporary Workarounds
Implement CSRF Tokens
Add anti-CSRF tokens to all state-changing requests
Requires application code modification - consult Oracle documentation
SameSite Cookie Attribute
Set the SameSite=Strict or SameSite=Lax attribute on session cookies
Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
🧯 If You Can't Patch
- Implement web application firewall with CSRF protection rules
- Enforce strict user privilege separation and monitor for unusual data modifications
🔍 How to Verify
Check if Vulnerable:
Check Primavera P6 version against affected ranges in Oracle advisory
Check Version:
Check version in Primavera P6 Web Access interface or administration console
Verify Fix Applied:
Verify patch application through the Oracle P6 administration console and confirm the reported version is beyond the affected ranges
📡 Detection & Monitoring
Log Indicators:
- Unusual data modification patterns
- Multiple failed state-changing requests from same source
- Requests missing expected referrer headers
Network Indicators:
- HTTP POST requests without CSRF tokens
- Cross-origin requests to state-changing endpoints
SIEM Query:
source="primavera-p6" AND (action="modify" OR action="delete" OR action="insert") AND user_privilege="low" AND referrer NOT CONTAINS "expected-domain"
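The indicators above can be checked programmatically before a SIEM rule exists. The following is an added example, not part of the advisory or of Oracle's tooling: it scans constructed access-log lines for state-changing requests that lack a CSRF token, lack an Origin/Referer header, or originate from a host other than the expected P6 Web Access host. The host name, endpoint paths, header names and log format are all assumptions.

```python
"""Flag state-changing Primavera P6 Web Access requests that lack CSRF
protections (missing token, missing referrer, cross-origin source).

Everything below is constructed sample data; the host name, paths and
field names are assumptions, not values taken from the advisory."""
from urllib.parse import urlsplit

EXPECTED_HOST = "p6.example.internal"          # assumed trusted P6 host
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}

# Constructed pipe-delimited access log; "-" marks an absent field.
SAMPLE_LOG = [
    "method=POST|path=/p6/action/projects/update|user=pm_user"
    "|origin=https://p6.example.internal|referer=https://p6.example.internal/p6/"
    "|csrf_token=abc123",
    "method=POST|path=/p6/action/projects/update|user=pm_user"
    "|origin=https://third-party.example.net|referer=https://third-party.example.net/page"
    "|csrf_token=-",
    "method=GET|path=/p6/projects|user=pm_user|origin=-|referer=-|csrf_token=-",
    "method=DELETE|path=/p6/action/activities|user=scheduler"
    "|origin=-|referer=-|csrf_token=-",
]

def parse_log_line(line):
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def origin_host(value):
    """Host part of an Origin/Referer value, or None when the header is absent."""
    if not value or value == "-":
        return None
    return urlsplit(value).hostname

def check_request(req):
    """Return the list of indicator names matched by one parsed request."""
    hits = []
    if req["method"] not in STATE_CHANGING_METHODS:
        return hits                            # reads cannot change state
    if req.get("csrf_token", "-") == "-":
        hits.append("missing_csrf_token")
    # Origin is authoritative when present; fall back to Referer otherwise.
    src = origin_host(req.get("origin")) or origin_host(req.get("referer"))
    if src is None:
        hits.append("missing_referrer")
    elif src != EXPECTED_HOST:
        hits.append("cross_origin")
    return hits

def scan(lines):
    """Return (user, path, indicators) for every request with at least one hit."""
    results = []
    for line in lines:
        req = parse_log_line(line)
        hits = check_request(req)
        if hits:
            results.append((req["user"], req["path"], hits))
    return results
```

A legitimate browser-issued request from the P6 host (first sample line) produces no hits, while the cross-origin POST and the referrer-less DELETE are both flagged.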