PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3325 Oracle CVE debrief

CVE-2017-3325 is a high-severity vulnerability in Oracle Siebel CRM's Siebel UI Framework component (subcomponent: EAI) affecting version 16.1. Oracle and NVD describe it as easily exploitable by an unauthenticated attacker with network access via HTTP, but successful exploitation requires human interaction. Oracle's impact language and the NVD vector indicate confidentiality and integrity exposure, including unauthorized access to critical data and potential update, insert, or delete access to some accessible data.

Vendor
Oracle
Product
CVE-2017-3325
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Oracle Siebel CRM administrators, application owners, identity and access teams, and security teams responsible for internet- or intranet-facing Siebel UI Framework 16.1 deployments should prioritize this advisory. Any environment where users may interact with attacker-controlled content or requests deserves attention because the vulnerability requires human interaction and can affect data confidentiality and integrity.

Technical summary

The NVD record maps CVE-2017-3325 to oracle:siebel_ui_framework:16.1 and lists the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, with a base score of 8.2. The description states that an unauthenticated network attacker using HTTP can compromise Siebel UI Framework, but the attack depends on a person other than the attacker interacting with the malicious content or request. Oracle's description further notes that exploitation may significantly impact additional products and can lead to unauthorized access to critical data or to modify some accessible data.

Defensive priority

High

Recommended defensive actions

  • Confirm whether Oracle Siebel UI Framework 16.1 is deployed anywhere in the environment and inventory all exposed instances.
  • Review the Oracle Critical Patch Update referenced in the vendor advisory for applicable fixes and apply the vendor-recommended remediation path.
  • Restrict network exposure to Siebel UI Framework where possible, especially HTTP-accessible interfaces.
  • Reduce the chance of required user interaction by warning users about suspicious links, prompts, and externally supplied content related to Siebel access.
  • Monitor for unusual access patterns or unauthorized changes affecting Siebel data and dependent systems.
  • Validate compensating controls and segmentation around any systems that share trust relationships with Siebel UI Framework because the advisory notes possible impact to additional products.

Evidence notes

All claims are derived from the supplied NVD record and its listed references. The source data identifies the affected CPE as oracle:siebel_ui_framework:16.1, the CVSS v3.0 vector as AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, and the vulnerability as requiring human interaction while allowing unauthorized access or modification of some accessible data. Reference URLs listed in the record point to Oracle's January 2017 Critical Patch Update advisory, plus SecurityFocus and SecurityTracker entries.

Official resources

CVE-2017-3325 was published by the source record on 2017-01-27T22:59:04.773Z and later modified on 2026-05-13T00:24:29.033Z. The CVE issue date for this debrief is the published date, not the later modification timestamp.