Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable via SMB (AV:N), Oracle states easily exploitable (AC:L), requires a low-privileged account (PR:L), no user interaction, and full takeover with scope change to adjacent products.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne General Ledger product of Oracle JD Edwards (component: E1 Foundation). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via SMB to compromise JD Edwards EnterpriseOne General Ledger. While the vulnerability is in JD Edwards EnterpriseOne General Ledger, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne General Ledger. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privilege escalation and full takeover of Oracle JD Edwards EnterpriseOne General Ledger 9.2 (E1 Foundation component) is possible by a low-privileged network attacker via SMB, with scope change to other products. No public exploit identified at time of analysis, but the CVSS 9.9 score and 'easily exploitable' vendor characterization make this a high-priority patching target for ERP operators.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must have network reachability to the SMB service (TCP/445) of a JD Edwards EnterpriseOne General Ledger 9.2 server running the E1 Foundation component, and must hold a low-privileged authenticated account (PR:L per the CVSS vector - not unauthenticated). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All signals point to a high-priority issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a low-privileged account on the corporate network - for example through phishing a finance clerk or compromising a service account - connects to the JD Edwards EnterpriseOne server over SMB and sends a crafted request to the E1 Foundation that triggers the vulnerability. Because the scope changes, the attacker not only takes over the General Ledger module but also impacts adjacent JD Edwards components, potentially manipulating financial postings, exfiltrating sensitive accounting data, or staging further ERP-wide compromise. … |
| Remediation | Apply the patches from Oracle's June 2026 Critical Patch Update for JD Edwards (Patch available per vendor advisory: https://www.oracle.com/security-alerts/cspujun2026.html) - an exact fix tools-release version is not enumerated in the supplied data, so confirm the specific Tools Release or ESU level in the CPU matrix before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Enumerate all JDE 9.2 General Ledger deployments; restrict SMB access (ports 139, 445) at network perimeter; enable detailed logging on SMB authentication. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37385