Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
JDENET is a network service reachable without credentials or user interaction (AV:N/AC:L/PR:N/UI:N); full takeover yields C:H/I:H/A:H with no scope change indicated.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible by unauthenticated network attackers reaching the JDENET communications service, with no public exploit identified at time of analysis. The flaw resides in the Enterprise Infrastructure Security component and yields full confidentiality, integrity, and availability impact (CVSS 9.8), making any internet- or partner-network-exposed JDENET listener an urgent patching priority.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the JDENET service of an Oracle JD Edwards EnterpriseOne Tools deployment on any version from 9.2.0.0 through 9.2.26.2, with no authentication, no user interaction, and no special configuration - JDENET is enabled by default as it is the core inter-process protocol for EnterpriseOne. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All severity signals point to high real-world risk: CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N gives a 9.8 score with full C/I/A impact, and Oracle itself describes the issue as 'easily exploitable' leading to 'takeover.' EPSS data, KEV status, and SSVC decision points were not supplied, so probabilistic exploitation likelihood cannot be quantified, and there is no public exploit identified at time of analysis. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to the JDENET listener (for example, a foothold on a user VLAN, an exposed partner connection, or a compromised contractor laptop) sends a crafted JDENET message to the EnterpriseOne enterprise server without supplying any credentials. The flaw in the Enterprise Infrastructure Security component is triggered during message processing, granting takeover of the Tools tier and from there access to ERP data, financial transactions, and downstream database credentials. … |
| Remediation | Apply the patch delivered in the Oracle Critical Patch Update for June 2026 referenced at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle has not published an exact fixed Tools release in the provided data, so the patch should be obtained directly from My Oracle Support and verified against the CPU advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
**Within 24 hours:** Inventory all Oracle JD Edwards EnterpriseOne Tools instances running versions 9.2.0.0-9.2.26.2; restrict JDENET communication ports (default TCP 6009) from internet and untrusted networks; apply firewall rules limiting access to trusted internal subnets only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37373