Impact
The vulnerability resides in the Oracle PeopleSoft Enterprise PT PeopleTools application, specifically in web services that process HTTP requests. An unauthenticated attacker can exploit this flaw to perform critical data operations (creating, deleting, or modifying records) and can also view or take control of all data accessible through PeopleSoft. Because these actions require no prior authentication, the confidentiality and integrity of enterprise data are severely compromised. The primary weakness underpinning the attack is improper access control: the web interface performs operations without enforcing authentication and authorization, which amounts to a privilege escalation for anyone who can reach it.
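The advisory does not publish the affected endpoint or request format, so the following is a constructed illustration of the weakness class it names (improper access control in an HTTP web service), not PeopleSoft code. It places a handler that runs record operations straight from the request beside a deny-by-default handler that authenticates the session and checks the role the operation requires before touching any data. The session table, role names, record store and the `Authorization` header convention are all assumptions made for the example.

```python
"""Illustration of the 'improper access control' weakness class: a web
service that performs create/modify/delete/view operations directly from an
HTTP request, beside a deny-by-default version that authenticates and
authorizes first.  Constructed example, not PeopleSoft code; endpoint names,
session format and permission model are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed in-memory record store standing in for application data.
RECORDS: Dict[str, dict] = {
    "1001": {"owner": "alice", "salary": 50000},
    "1002": {"owner": "bob", "salary": 62000},
}

# Constructed session table: bearer token -> authenticated principal.
SESSIONS: Dict[str, dict] = {
    "tok-alice": {"user": "alice", "roles": {"viewer"}},
    "tok-admin": {"user": "hr-admin", "roles": {"viewer", "editor"}},
}

# Role each operation requires.  Operations not listed here are rejected.
REQUIRED_ROLE = {"view": "viewer", "create": "editor",
                 "modify": "editor", "delete": "editor"}


@dataclass
class Request:
    op: str
    record_id: str
    payload: Optional[dict] = None
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _apply(records: Dict[str, dict], req: Request) -> Response:
    """Perform the record operation; shared by both handlers below."""
    if req.op == "view":
        rec = records.get(req.record_id)
        return Response(200, rec) if rec is not None else Response(404)
    if req.op == "create":
        records[req.record_id] = dict(req.payload or {})
        return Response(201, records[req.record_id])
    if req.op == "modify":
        if req.record_id not in records:
            return Response(404)
        records[req.record_id].update(req.payload or {})
        return Response(200, records[req.record_id])
    if req.op == "delete":
        removed = records.pop(req.record_id, None)
        return Response(204) if removed is not None else Response(404)
    return Response(400)


def handle_vulnerable(records: Dict[str, dict], req: Request) -> Response:
    """Weakness pattern: every HTTP request is trusted and the operation runs
    with no authentication or authorization check at all."""
    return _apply(records, req)


def handle_hardened(records: Dict[str, dict], sessions: Dict[str, dict],
                    req: Request) -> Response:
    """Deny by default: reject anonymous requests, reject unknown operations,
    then require the role the operation needs before touching any record."""
    session = sessions.get(req.headers.get("Authorization", ""))
    if session is None:
        return Response(401)  # unauthenticated: no data access of any kind
    role = REQUIRED_ROLE.get(req.op)
    if role is None:
        return Response(400)  # operations outside the allow-list never run
    if role not in session["roles"]:
        return Response(403)  # authenticated but not authorized for this op
    return _apply(records, req)


if __name__ == "__main__":
    anon_delete = Request("delete", "1001")
    print("vulnerable handler:", handle_vulnerable(dict(RECORDS), anon_delete).status)
    print("hardened handler:  ", handle_hardened(dict(RECORDS), SESSIONS, anon_delete).status)
```

The point of the hardened handler is the ordering: the authentication and authorization decisions are made before the operation is dispatched, and anything not explicitly allowed (anonymous callers, unknown operations, missing roles) fails closed. In an access-log review, the same anonymous write requests that the vulnerable handler answers with 2xx would show up as 401/403 once the check is in place.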
Affected Systems
Oracle Corporation’s PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 are affected. These releases are deployed in many enterprise environments that rely on the PeopleSoft toolset for business operations. Any system running either release is susceptible to the described exploitation, and because the vulnerability changes scope, a successful attack can affect interconnected applications beyond the PeopleTools component itself.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity with major confidentiality and integrity impacts. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the absence of a KEV listing does not rule out targeted attacks. Exploitation requires only network reachability to the PeopleSoft HTTP endpoint and no user authentication. Given these conditions, organizations that expose PeopleSoft to external networks or have weak perimeter controls face a higher risk, whereas those that tightly control internal access may see a reduced threat level.
OpenCVE Enrichment