Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle's description states unauthenticated network HTTP exploitation enabling full takeover, justifying AV:N/AC:L/PR:N/UI:N with C:H/I:H/A:H and unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle's CVSS 9.8 rating reflects easy exploitation with no authentication or user interaction required, though no public exploit is identified at time of analysis and the CVE is not currently listed in CISA KEV.
Technical ContextAI
The vulnerability resides in the Marketing component of Oracle Siebel CRM's Siebel Apps - Marketing product, an enterprise customer relationship management suite widely deployed in financial services, telecommunications, and public sector environments. The affected CPE is cpe:2.3:a:oracle_corporation:siebel_apps_-_marketing covering all releases from 17.0 up to and including 26.5. Although the CWE is not specified, the combination of network-based HTTP attack vector, no privileges required, and full CIA impact is characteristic of authentication bypass, deserialization, or injection flaws commonly seen in Java-based Oracle web applications. Oracle has not publicly disclosed the root cause class, which is consistent with their standard Critical Patch Update disclosure practice.
RemediationAI
Apply the Oracle Critical Patch Update from June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory, though Oracle does not publish a single resolved version since CPU patches apply across the supported 17.0-26.5 range. Until patching is complete, restrict network access to the Siebel Marketing web tier by placing it behind a VPN or zero-trust proxy that enforces authentication before HTTP requests reach the application, accepting the trade-off that external marketing campaign management workflows may break. Web application firewall rules blocking anomalous Marketing component endpoints can serve as a secondary control, though without root-cause disclosure these rules will be best-effort pattern matching rather than precise mitigations. Inventory all Siebel Marketing instances including non-production environments, as Oracle CPU vulnerabilities are frequently reverse-engineered from the patch diff within weeks of release.
More in Siebel Apps Marketing
View allWhen using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a)
Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by una
Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, all
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, re
Authenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) allows a low-privileged attacker w
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. Rated low severity (CVSS 3.7), this
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37379