Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
HTTP-reachable Core component exploitable by any low-privileged EBS user (AV:N/AC:L/PR:L/UI:N); scope change into other EBS modules yields C:H/I:H with only partial DoS (A:L).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).
AnalysisAI
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires network reachability to the Oracle E-Business Suite application tier over HTTP/HTTPS and a valid low-privileged EBS account that can invoke the Enterprise Command Center Framework Core component (CVSS PR:L, UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is high for any internet-exposed or broadly-accessible Oracle EBS deployment running ECC V15/V16. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained any low-privilege Oracle E-Business Suite account - for example a self-registered iStore/iRecruitment user or a compromised employee SSO session - sends crafted HTTP requests to the ECC Core endpoints and abuses the flaw to read, alter, or delete data belonging to other EBS modules outside the user's normal authorization. Because Scope is Changed, the attacker can pivot from the ECC component into other EBS subsystems (financials, HR, procurement), enabling fraud, data theft, or sabotage. … |
| Remediation | Apply the patches delivered in Oracle's June 2026 Critical Patch Update for Oracle Enterprise Command Center Framework V15 and V16 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; an exact post-patch build number is not enumerated in the available data, so consult the CPU advisory matrix to map your ECC release to the correct one-off patch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable or strictly limit HTTP access to Framework V15 and V16; implement enhanced monitoring for abnormal data access patterns and modifications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) a
Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievabl
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privi
Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Ora
Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote atta
Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Bu
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a compon
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37220