Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
HTTP-reachable Metadata Plugin (AV:N/AC:L), no attacker auth (PR:N), requires victim operator interaction (UI:R), and compromise of OEM cascades into managed targets (S:C, C/I/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker over HTTP coerces a victim user into interacting with a crafted request targeting the Metadata Plugin component. The flaw is scope-changing and yields full confidentiality, integrity, and availability impact on the platform and potentially adjacent products. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network HTTP reachability to an Oracle Enterprise Manager Base Platform 13.5 or 24.1 deployment's Metadata Plugin component, and (2) human interaction from a user other than the attacker - typically an authenticated OEM operator clicking a crafted link or visiting attacker-controlled content while logged in. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All signals point to high real-world risk: CVSS 3.1 base score 9.6 with AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H means low-complexity, unauthenticated, network-borne exploitation with scope change and total CIA impact, limited only by required user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts or emails a crafted URL that points at an OEM Metadata Plugin endpoint; when an OEM administrator with an active session clicks it, the request is processed in the victim's context and pivots into full takeover of the OEM Base Platform, with the scope change extending impact to the databases and targets OEM manages. No public exploit is identified at time of analysis, but the AC:L/UI:R profile makes phishing-based delivery highly practical once technical details circulate. |
| Remediation | Apply the fixes shipped in Oracle's June 2026 Critical Patch Update (Patch available per vendor advisory) by following the version-specific patch guidance at https://www.oracle.com/security-alerts/cspujun2026.html for OEM 13.5 and 24.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
WITHIN 24 HOURS: Immediately identify all instances of Oracle Enterprise Manager Base Platform 13.5 and 24.1; restrict network access to administrative networks only and disable external HTTP access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker v
Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P
Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management compo
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework
Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network a
Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library comp
Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authe
Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo
Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthentica
Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component)
Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37349