Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle describes easy unauthenticated HTTP exploitation resulting in full takeover of the Marketing component, with no scope change beyond that module, justifying full CIA:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the marketing component. Oracle's CVSS 3.1 base score of 9.8 reflects trivial network exploitability with no authentication or user interaction, and no public exploit identified at time of analysis. The flaw was disclosed in Oracle's Critical Patch Update cycle and tracked in ENISA's EUVD as EUVD-2026-37381.
Technical ContextAI
Siebel Apps - Marketing is the marketing automation module of Oracle's Siebel CRM suite, used by enterprises for campaign management, segmentation, and customer outreach. The affected CPE (cpe:2.3:a:oracle_corporation:siebel_apps_-_marketing) covers all versions from 17.0 (the start of Siebel Innovation Pack 17) through 26.5. Oracle did not assign a CWE and provided no technical detail beyond the CVSS vector, but the AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H profile combined with HTTP as the attack channel is typical of unauthenticated injection, deserialization, or authentication-bypass classes in Java/web-tier components of Siebel.
RemediationAI
Apply the patch from Oracle's June 2026 Critical Patch Update as documented at https://www.oracle.com/security-alerts/cspujun2026.html; Patch available per vendor advisory but the exact fixed Siebel Innovation Pack or quick-fix bundle number is not enumerated in the input and should be retrieved directly from the CPU matrix for your installed version. As compensating controls until patching, restrict HTTP access to the Siebel Marketing component to known administrative and campaign-operator source networks via WAF or network ACLs, disable any externally exposed Marketing servlets or endpoints that are not in active use, and increase web-tier logging to capture anomalous POST bodies and authentication failures - note that restricting network access will block legitimate remote marketing users and external integrations such as email service providers calling back into Siebel.
More in Siebel Apps Marketing
View allWhen using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a)
Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by una
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP,
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, re
Authenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) allows a low-privileged attacker w
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. Rated low severity (CVSS 3.7), this
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37381