CVE-2025-21528
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management Web Access. An unauthenticated attacker can trick an authenticated user into performing unauthorized data modifications (updates, inserts, or deletes): the victim's browser is induced to send attacker-crafted HTTP requests that carry the victim's own session. Affected organizations are those running vulnerable versions of Primavera P6 with Web Access exposed to untrusted networks.
💻 Affected Systems
- Oracle Primavera P6 Enterprise Project Portfolio Management
📦 What is this software?
Primavera P6 Enterprise Project Portfolio Management by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate critical project data, financial information, or scheduling details, potentially causing project delays, financial losses, or compliance violations.
Likely Case
Attackers modify project data, resource allocations, or timelines, disrupting project management operations and requiring manual correction.
If Mitigated
With proper CSRF protections and network segmentation, impact is limited to minor data integrity issues that can be quickly detected and rolled back.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users into clicking malicious links or visiting compromised websites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Critical Patch Update for January 2025 or later
Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2025.html
Restart Required: Yes
Instructions:
1. Download the appropriate Critical Patch Update from Oracle Support.
2. Apply the patch following Oracle's installation documentation.
3. Restart the Primavera P6 application services.
4. Verify the patch was successfully applied.
🔧 Temporary Workarounds
Implement CSRF Tokens
Add anti-CSRF tokens to all state-changing requests if not already implemented
SameSite Cookie Attribute
Set SameSite=Strict or SameSite=Lax attributes on session cookies
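The two workarounds above, worked through as an added example rather than code from Oracle or the Primavera product: a synchronizer-token check for every state-changing request, an Origin/Referer allow-list as a second layer, and a Set-Cookie builder that applies the SameSite, Secure and HttpOnly attributes. The hostname in TRUSTED_ORIGINS, the cookie name and the header/field names are assumptions for illustration.

```python
# Added example (not Oracle/Primavera code): server-side CSRF defences for
# state-changing requests. Hostnames, cookie and field names are assumed.
import hmac
import secrets
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TRUSTED_ORIGINS = {"https://p6.example.internal"}  # assumed Web Access origin


def issue_csrf_token(session: dict) -> str:
    """Mint one random token per session and keep it server-side so it can
    be compared against the copy the form (or a header) submits later."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Second layer: accept only if Origin (or, failing that, Referer) names a
    trusted origin. A state-changing request with neither header is rejected,
    since a browser on a legitimate page would send at least one of them."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in TRUSTED_ORIGINS


def validate_csrf(method: str, headers: dict, form: dict, session: dict) -> bool:
    """Return True if the request may proceed. Safe methods are never blocked;
    state-changing ones need a trusted origin and a matching session token."""
    if method.upper() not in STATE_CHANGING:
        return True
    if not origin_allowed(headers):
        return False
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check does not leak token bytes.
    return hmac.compare_digest(expected, submitted)


def session_cookie_header(name: str, value: str, same_site: str = "Strict") -> str:
    """Build the Set-Cookie value the workaround recommends. Strict blocks the
    cookie on all cross-site requests; Lax still allows top-level GET
    navigations, which is why the token check above stays in place."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("SameSite must be Strict or Lax for a session cookie")
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"
```

The order matters: the origin check runs before the token comparison so a cross-site request fails cheaply, and the token is compared with hmac.compare_digest rather than == to avoid a timing side channel.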
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Primavera P6 Web Access only to trusted internal networks
- Deploy a Web Application Firewall (WAF) with CSRF protection rules enabled
🔍 How to Verify
Check if Vulnerable:
Check the Primavera P6 version against the affected ranges. If the version falls within the affected ranges and Web Access is enabled, the system is vulnerable.
Check Version:
Check application version in Primavera P6 administration console or configuration files
Verify Fix Applied:
Verify version is updated beyond affected ranges. Test CSRF protection by attempting to submit forms without valid tokens.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed state-changing requests from the same IP
- Unusual data modification patterns outside normal workflows
Network Indicators:
- HTTP POST requests without a Referer header or CSRF token
- Requests originating from unexpected domains
SIEM Query:
source="primavera_p6" AND (http_method="POST" OR http_method="PUT" OR http_method="DELETE") AND NOT csrf_token=*
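The log and network indicators above, turned into an offline check as an added example; this is not part of the advisory or of any Oracle tooling. The log format (ip, method, path, status, quoted referer, csrf=yes/no), the trusted hostname, the failure threshold and the sample lines are all constructed assumptions, so adapt the regular expression to the real access-log layout before use.

```python
# Added example (not part of the advisory or Oracle's tooling): evaluate the
# CSRF indicators listed above over constructed Web Access log lines.
import re
from collections import Counter
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TRUSTED_HOSTS = {"p6.example.internal"}   # assumed Web Access hostname
FAILED_THRESHOLD = 3                      # assumed: 3+ failed writes per IP

# Assumed line layout: ip method path status "referer" csrf=yes|no
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" csrf=(?P<csrf>yes|no)$'
)

# Constructed sample: one normal user, one cross-site burst, one token-less write.
SAMPLE_LOG = """\
10.0.0.5 GET /p6/projects 200 "https://p6.example.internal/p6/home" csrf=no
10.0.0.5 POST /p6/projects/update 200 "https://p6.example.internal/p6/projects" csrf=yes
198.51.100.7 POST /p6/projects/update 403 "https://attacker.example/lure.html" csrf=no
198.51.100.7 POST /p6/resources/delete 403 "" csrf=no
198.51.100.7 PUT /p6/activities/12 403 "https://attacker.example/lure.html" csrf=no
10.0.0.9 POST /p6/projects/update 200 "" csrf=no
"""


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["csrf"] = rec["csrf"] == "yes"
    return rec


def referer_trusted(referer: str) -> bool:
    """Empty Referer counts as untrusted for a state-changing request."""
    if not referer:
        return False
    return urlsplit(referer).hostname in TRUSTED_HOSTS


def analyze(log_text: str) -> dict:
    """Return per-request findings plus IPs with repeated failed writes.
    GET and other safe methods are ignored; each indicator fires separately."""
    events = []
    failed = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in STATE_CHANGING:
            continue
        if not rec["csrf"]:
            events.append({"rule": "missing_csrf_token", **rec})
        if not referer_trusted(rec["referer"]):
            events.append({"rule": "untrusted_or_missing_referer", **rec})
        if 400 <= rec["status"] < 500:
            failed[rec["ip"]] += 1
    repeated = {ip: n for ip, n in failed.items() if n >= FAILED_THRESHOLD}
    return {"events": events, "repeated_failures": repeated}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ev in result["events"]:
        print(f"{ev['rule']:28} {ev['ip']:14} {ev['method']} {ev['path']}")
    print("repeated failures:", result["repeated_failures"])
```

Note that the token-less write from 10.0.0.9 succeeds (status 200) and still fires both per-request rules, which is the case the SIEM query above is meant to surface: a rejected cross-site burst is noise a patched server produces, an accepted one is the signal.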