CVE-2017-10366

CRITICAL

Oracle PeopleSoft Products <8.57 - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-10366. PoCs published by Vahagn Vardanyan, blazeinfosec.

AI-analyzed exploit summary: This is a writeup describing a deserialization vulnerability (CVE-2017-10366) in Oracle PeopleSoft 8.54-8.56. It outlines the HTTP request structure for exploitation but does not include actual exploit code or payloads.

Description

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: Performance Monitor). Supported versions that are affected are 8.54, 8.55 and 8.56. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (2)

exploitdb WRITEUP
by Vahagn Vardanyan · text / webapps / java
https://www.exploit-db.com/exploits/43594

Classification
Writeup 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Theoretical
Target: Oracle PeopleSoft 8.54, 8.55, 8.56
No auth needed
Prerequisites: knowledge of the target site name (%SITE_NAME%)
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 25 stars
by blazeinfosec · poc
https://github.com/blazeinfosec/CVE-2017-10366_peoplesoft

This repository contains a functional Python script that exploits CVE-2017-10366, a Java deserialization vulnerability in Oracle PeopleSoft. It leverages ysoserial-modified.jar to generate payloads and sends them to a target URL to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Oracle PeopleSoft 8.54, 8.55, 8.56
No auth needed
Prerequisites: ysoserial-modified.jar in the same directory · valid target URL with monitor name/ID
devstral-2 · analyzed Feb 18, 2026

References (4)

Core References
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1039598
Exploit, Third Party Advisory (Exploit-DB): https://www.exploit-db.com/exploits/43594/
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/101455

Scores

CVSS v3 9.8
EPSS 0.4349
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

Status published
Products (6)
oracle/peoplesoft_enterprise_peopletools 8.54
oracle/peoplesoft_enterprise_peopletools 8.55
oracle/peoplesoft_enterprise_peopletools 8.56
Oracle Corporation/PeopleSoft Enterprise PT PeopleTools 8.54
Oracle Corporation/PeopleSoft Enterprise PT PeopleTools 8.55
Oracle Corporation/PeopleSoft Enterprise PT PeopleTools 8.56
Published Oct 19, 2017
Tracked Since Feb 18, 2026