CVE-2025-30747: Unauthenticated, user-interaction-dependent information disclosure in Oracle PeopleSoft Enterprise PeopleTools (PIA Core Technology)
Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).
AI Analysis
Technical Summary
CVE-2025-30747 is a medium-severity vulnerability in Oracle PeopleSoft Enterprise PeopleTools releases 8.60, 8.61 and 8.62. Oracle assesses only supported releases, so older, out-of-support PeopleTools lines are not covered by the advisory and should be treated as unassessed rather than unaffected. The weakness sits in PIA Core Technology, the PeopleSoft Internet Architecture web tier that serves the browser-facing application. An attacker needs no PeopleSoft account (PR:N) and only network reachability of the PIA (AV:N); "via HTTP" in Oracle's advisory vocabulary names the protocol family, so deployments served over HTTPS are equally affected and TLS is not a mitigation. Exploitation requires a legitimate user to perform an action (UI:R), typically following an attacker-supplied link or otherwise interacting with attacker-controlled content; the advisory does not disclose which request or page triggers the flaw, and nothing on this page supports a more specific description. The outcome is limited to unauthorized read access to a subset of PeopleTools-accessible data (C:L, I:N, A:N, scope unchanged), which is why the CVSS 3.1 base score is 4.3 despite the low attack complexity (AC:L). The weakness is CWE-863, Incorrect Authorization: an access-control decision is made, but made wrongly, as opposed to CWE-862 where the check is absent. No in-the-wild exploitation is reported and this page links no patch. The entry was added to this database on 15 July 2025, the release date of Oracle's July 2025 Critical Patch Update, and PeopleTools fixes ship only through those quarterly CPUs, so the PeopleTools patch level that resolves this CVE must be taken from that advisory.
Potential Impact
For European organizations running PeopleSoft Enterprise PeopleTools 8.60 to 8.62, the risk is unauthorized disclosure of data held in PeopleSoft. Integrity and availability are untouched, but PeopleSoft typically holds HR, payroll, student and financial records, so even a partial read can expose personal data, intellectual property or other confidential business information, with GDPR obligations, reputational damage and potential financial penalties following. Because the attack needs a user to act, the realistic delivery mechanism is phishing or other social engineering aimed at people who use the PeopleSoft portal, which raises the risk where user awareness is weak and where the portal is reachable from the internet for self-service. PeopleSoft is widely deployed in government, higher education and large enterprises across Europe, so the data obtained could serve reconnaissance for targeted attacks or espionage. The absence of known exploits lowers the immediate risk but not the underlying one: public disclosure routinely precedes exploit development.
Mitigation Recommendations
European organizations should prioritize the following mitigations:
1) Apply the PeopleTools patch level that Oracle designates as fixing this CVE in its Critical Patch Update to every affected 8.60, 8.61 and 8.62 environment, web tier included. Since this page links no patch, obtain the fixing level from the Oracle CPU advisory or Oracle Support rather than waiting for a link here, and confirm the deployed release afterwards (PSSTATUS.TOOLSREL records the installed PeopleTools release).
2) Reduce exposure of the PIA web tier. Where self-service requirements allow, restrict which networks can reach the PIA servlets to trusted users and systems; where the portal must be internet-facing, front it with a reverse proxy or WAF. Moving to HTTPS alone does not help, as the protocol is not the weakness.
3) Run phishing and social-engineering awareness training for PeopleSoft users, with emphasis on links that lead to the PeopleSoft portal, since the attacker needs a victim to act.
4) Monitor web-tier access logs and application logs for PIA requests from unexpected source networks, for requests whose Referer points outside your own portal origins, and for other unusual access patterns.
5) Apply least privilege within PeopleSoft so that the "subset of accessible data" a successful attack can read is as small as possible.
6) Deploy a WAF in front of PeopleSoft endpoints with custom rules for anomalous requests. Because the triggering request is not public, such rules can only be generic (source reputation, rate, unusual query strings) and are not a substitute for the patch.
7) Include PeopleSoft environments in regular vulnerability assessments and penetration tests, so that exposed PIA endpoints and missed patch levels are found and remediated.
8) Review and harden PeopleSoft configuration to minimize the data served over the web tier to unauthenticated or low-privileged sessions.
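Two of the checks above (confirming the release is in an affected line, and finding PIA requests that arrive from outside the trusted networks or with a foreign Referer) are easy to script. The following Python is an added example, not code from the advisory or from Oracle. It assumes, as the page does not state, that the PeopleTools release is read from PSSTATUS.TOOLSREL, that PIA traffic reaches the web tier under the /psp/ and /psc/ servlet paths, and that the web tier writes Apache/Nginx "combined" format access logs; the log lines, address ranges and hostnames are constructed for the example.

```python
"""Triage helpers for CVE-2025-30747 (added example, not from the advisory or Oracle).

Assumptions not stated on the page: the PeopleTools release comes from
PSSTATUS.TOOLSREL; PIA requests use the /psp/ and /psc/ servlet paths; access
logs are in Apache/Nginx "combined" format. Sample data below is constructed.
"""
import ipaddress
import re
from collections import Counter

# PeopleTools lines Oracle lists as affected (major, minor). The patch level that
# fixes each line comes from Oracle's Critical Patch Update advisory, not from here.
AFFECTED_LINES = {(8, 60), (8, 61), (8, 62)}


def is_affected_release(toolsrel: str) -> bool:
    """Classify a PeopleTools release string such as '8.61.07' (PSSTATUS.TOOLSREL).

    Only major.minor is compared: a release in an affected line still needs its
    patch level checked against the CPU advisory before it is declared fixed.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", toolsrel.strip())
    if not m:
        raise ValueError(f"unrecognised PeopleTools release: {toolsrel!r}")
    return (int(m.group(1)), int(m.group(2))) in AFFECTED_LINES


# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# PIA portal (/psp) and content (/psc) servlets, followed by the site name.
PIA_PATH_RE = re.compile(r"^/(psp|psc)/[^/?]+/")


def external_pia_hits(log_lines, trusted_networks, own_origins):
    """Return PIA requests whose client address lies outside trusted_networks.

    Each hit records whether the Referer points outside our own origins. With
    PR:N and UI:R in the vector, a victim following an attacker-supplied link is
    the expected delivery path, so a foreign Referer on a PIA request is a useful
    review signal (incomplete: Referrer-Policy or privacy settings may strip it).
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path = m.group("path")
        if not PIA_PATH_RE.match(path):
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in nets):
            continue
        referer = m.group("referer")
        foreign_referer = referer not in ("", "-") and not any(
            referer.startswith(origin) for origin in own_origins
        )
        hits.append({
            "ip": str(ip),
            "servlet": path.split("/")[1],
            "path": path.split("?", 1)[0],
            "status": int(m.group("status")),
            "foreign_referer": foreign_referer,
        })
    return hits


def hits_by_source(hits):
    """Count external PIA requests per client address, the input a firewall review needs."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample data; public addresses use RFC 5737 documentation ranges.
TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]
OWN_ORIGINS = ["https://hr.example.internal"]
SAMPLE_LOG = """\
10.20.30.40 - - [16/Jul/2025:09:14:02 +0200] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123 "https://hr.example.internal/psp/ps/EMPLOYEE/HRMS/h/" "Mozilla/5.0"
203.0.113.25 - - [16/Jul/2025:09:15:11 +0200] "GET /psc/ps/EMPLOYEE/HRMS/c/SAMPLE_MENU.SAMPLE_COMP.GBL?Page=SAMPLE_PAGE HTTP/1.1" 302 0 "https://lure.example/offer" "Mozilla/5.0"
203.0.113.25 - - [16/Jul/2025:09:15:12 +0200] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jul/2025:09:16:40 +0200] "GET /index.html HTTP/1.1" 200 812 "-" "curl/8.0"
192.168.5.9 - - [16/Jul/2025:09:17:03 +0200] "GET /psc/ps/EMPLOYEE/HRMS/s/WEBLIB_SAMPLE.ISCRIPT1.FieldFormula.IScript_Sample HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jul/2025:09:18:55 +0200] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123 "https://hr.example.internal/psp/ps/EMPLOYEE/HRMS/h/" "Mozilla/5.0"
"""


if __name__ == "__main__":
    print("8.61.07 affected:", is_affected_release("8.61.07"))
    found = external_pia_hits(SAMPLE_LOG.splitlines(), TRUSTED_NETWORKS, OWN_ORIGINS)
    for hit in found:
        print(hit)
    print(hits_by_source(found))
```

On the sample data the script reports three external PIA requests from two addresses, one of them arriving with a Referer from a foreign origin; that is the request to look at first. Point it at a real log by replacing SAMPLE_LOG with the file contents and TRUSTED_NETWORKS and OWN_ORIGINS with your own ranges and portal hostnames.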
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: oracle
- Date Reserved: 2025-03-26T05:52:18.812Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6876b008a83201eaacd043da
Added to database: 7/15/2025, 7:46:16 PM
Last enriched: 7/23/2025, 1:37:10 AM
Last updated: 8/18/2025, 11:32:42 PM
Related Threats
- CVE-2025-9240: Information Disclosure in elunez eladmin (Medium)
- CVE-2025-43746: CWE-79: Cross-site Scripting in Liferay Portal (Medium)
- CVE-2025-9239: Inadequate Encryption Strength in elunez eladmin (Medium)
- CVE-2025-9238: SQL Injection in Swatadru Exam-Seating-Arrangement (Medium)
- CVE-2025-9237: Cross Site Scripting in CodeAstro Ecommerce Website (Medium)