Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle confirms unauthenticated, easily exploitable network takeover via JDENET with full CIA impact, matching AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H; no scope change indicated.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers reaching the JDENET service. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker needs network reachability to the JDENET service of a JD Edwards EnterpriseOne Tools instance at version 9.2.0.0 through 9.2.26.2; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) no authentication, user interaction, or non-default configuration is required against a default JDE deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H represents the worst-case profile: remotely reachable, low complexity, no privileges, no user interaction, and full CIA impact - Oracle itself rates it 'easily exploitable.' No EPSS score, CISA KEV listing, public PoC, or SSVC decision data is provided in the input, so real-world exploitation cannot be characterized - the risk signal is currently CVSS- and vendor-driven only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on a network with reachability to a JDE Enterprise Server's JDENET listener sends crafted JDENET messages to the Enterprise Infrastructure Security component, bypassing authentication and obtaining control of the Tools layer. From that foothold the attacker can read or alter ERP data, plant persistent JDE objects, or pivot into the database tier the Enterprise Server is authorized against. … |
| Remediation | Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (cspujun2026) per https://www.oracle.com/security-alerts/cspujun2026.html; the specific Tools release version delivering the fix is not enumerated in the provided data and should be confirmed against the CPU patch matrix for your installed Tools release (9.2.0.0-9.2.26.2 are all affected). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Immediately assess external accessibility of the JDENET service (default port 6009) and restrict network access to internal/VPN sources via firewall rules or network segmentation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37370