Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle states unauthenticated HTTP attacker achieves component takeover with full CIA impact, matching AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. With a 9.8 CVSS base score and full confidentiality/integrity/availability impact, this represents a top-priority Oracle CPU finding, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Technical ContextAI
The flaw resides in the Marketing component of Oracle's Siebel CRM suite - a long-standing enterprise customer relationship management platform commonly fronted by HTTP-based application servers and web tier components. The CPE 'cpe:2.3:a:oracle_corporation:siebel_apps_-_marketing' confirms the affected module is the Marketing application within Siebel CRM rather than the broader Siebel core. No CWE was assigned by Oracle (typical for Oracle CPU disclosures, which omit root-cause classification), so the underlying weakness class - whether deserialization, injection, authentication bypass, or an unsafe servlet endpoint - is not disclosed; the 'complete takeover' language combined with AV:N/PR:N strongly implies an unauthenticated remote code execution or full administrative bypass primitive reachable on the HTTP interface.
RemediationAI
Apply the patches from Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) to every Siebel CRM deployment running the Marketing component on versions 17.0 through 26.5 - Oracle CPU patches are cumulative within a release line, so install the latest available bundle for your Siebel version rather than only the named fix. Until patching is complete, restrict network reachability of the Siebel Marketing HTTP endpoints to trusted internal networks via firewall or reverse-proxy ACLs, disable internet exposure of the Marketing application URLs at the web tier, and place a WAF in front of the Siebel web servers with rules blocking anomalous requests to Marketing servlets - these controls reduce attack surface but do not eliminate insider or lateral-movement exploitation paths, and may break legitimate external marketing campaign callbacks. Monitor Siebel application and web-server logs for unexpected POST traffic and new administrative actions on the Marketing component.
More in Siebel Apps Marketing
View allWhen using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a)
Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, all
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP,
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, re
Authenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) allows a low-privileged attacker w
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. Rated low severity (CVSS 3.7), this
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37382