
CVE-2025-50061 (Oracle Corporation Primavera P6 Enterprise Project Portfolio Management): Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data.

Severity: Medium
Tags: Vulnerability, CVE-2025-50061
Published: Tue Jul 15 2025 (07/15/2025, 19:27:34 UTC)
Source: CVE Database V5
Vendor/Project: Oracle Corporation
Product: Primavera P6 Enterprise Project Portfolio Management

Description

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 20.12.0-20.12.21, 21.12.0-21.12.21, 22.12.0-22.12.19, 23.12.0-23.12.13 and 24.12.0-24.12.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

AI-Powered Analysis

Last updated: 07/23/2025, 01:40:18 UTC

Technical Analysis

CVE-2025-50061 is a medium-severity vulnerability affecting Oracle's Primavera P6 Enterprise Project Portfolio Management (EPPM) software, specifically its Web Access component. The vulnerability impacts multiple supported versions ranging from 20.12.0 through 24.12.0. It allows a low-privileged attacker with network access via HTTP to compromise the system, but successful exploitation requires human interaction from a user other than the attacker. The vulnerability results in unauthorized read, update, insert, or delete access to some data accessible through Primavera P6 EPPM. The CVSS 3.1 base score is 5.4, reflecting limited confidentiality and integrity impacts without availability impact. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The CWE associated is CWE-269, indicating improper privilege management or authorization issues. Although no known exploits are currently in the wild, the vulnerability's ease of exploitation and potential to affect additional integrated products make it a significant concern for organizations using Primavera P6 EPPM. Primavera P6 is widely used in project portfolio management, especially in construction, engineering, and large-scale project environments, where unauthorized data manipulation or disclosure could disrupt project timelines, financial planning, and resource allocation.

Potential Impact

For European organizations, especially those in construction, engineering, infrastructure, and large-scale project management sectors, this vulnerability poses a risk of unauthorized data access and manipulation within Primavera P6 EPPM environments. Given Primavera's role in managing critical project data, exploitation could lead to compromised project schedules, budget overruns, and loss of sensitive project information. The requirement for user interaction suggests phishing or social engineering vectors could be used to trigger the exploit, increasing the risk of targeted attacks. The scope change indicates that other integrated Oracle products or connected systems might also be impacted, potentially amplifying the damage. Confidentiality impacts, although limited, could expose sensitive project details or intellectual property. Integrity impacts could allow unauthorized changes to project data, leading to erroneous reporting and decision-making. The absence of availability impact reduces the risk of denial-of-service but does not mitigate the risks to data trustworthiness and confidentiality. European organizations with Primavera P6 deployments should be aware of these risks, especially those managing critical infrastructure or government projects where data integrity and confidentiality are paramount.

Mitigation Recommendations

1. Immediate patching: Although no patch links are provided in the current data, organizations should monitor Oracle's official channels for security updates and apply patches promptly once available.
2. Network segmentation: Restrict network access to Primavera P6 EPPM web interfaces to trusted internal networks or VPNs to reduce exposure to external attackers.
3. User awareness training: Since exploitation requires user interaction, conduct targeted training to recognize phishing and social engineering attempts that could trigger the vulnerability.
4. Implement strong access controls: Review and enforce least privilege principles for Primavera P6 users to limit the impact of compromised accounts.
5. Monitor logs and alerts: Enable detailed logging of Primavera P6 access and changes, and set up alerts for unusual activities such as unexpected data modifications or access patterns.
6. Multi-factor authentication (MFA): Enforce MFA for all users accessing Primavera P6 to reduce the risk of credential misuse.
7. Incident response readiness: Prepare response plans specifically for Primavera P6 compromise scenarios, including data integrity verification and recovery procedures.
8. Evaluate integrated products: Assess other Oracle products integrated with Primavera P6 for potential indirect impacts and apply corresponding mitigations.


Technical Details

Data Version
5.1
Assigner Short Name
oracle
Date Reserved
2025-06-11T22:56:56.109Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6876b00aa83201eaacd0441f

Added to database: 7/15/2025, 7:46:18 PM

Last enriched: 7/23/2025, 1:40:18 AM

Last updated: 8/13/2025, 10:19:22 AM
