Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable Cloud Manager with no auth or UI required (AV:N/PR:N/UI:N); Oracle flags difficult preconditions (AC:H); full tenant takeover gives C:H/I:H/A:H within the same security authority (S:U).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0-26.5) is possible by unauthenticated remote attackers reaching the Siebel Cloud Manager component over HTTP, though Oracle classifies exploitation as difficult (AC:H). Successful attacks yield high impact across confidentiality, integrity, and availability - effectively complete compromise of the CRM tenant. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Technical ContextAI
The flaw resides in the Siebel Cloud Manager component of Oracle's Siebel CRM Cloud Applications, the SaaS-delivered variant of Oracle's long-running customer relationship management suite used heavily by enterprises in financial services, telco, and the public sector. The CPE (cpe:2.3:a:oracle_corporation:siebel_crm_cloud_applications) confirms the cloud-hosted edition rather than on-premises Siebel deployments, and the affected range spans Siebel Innovation Pack 17.0 through the 26.5 release line. No CWE has been assigned by Oracle, but the network-reachable HTTP attack surface combined with full CIA impact and 'takeover' wording is consistent with an authentication bypass or remote logic flaw in the Cloud Manager's web-facing management interface rather than memory corruption.
RemediationAI
Patch available per vendor advisory - apply the fixes bundled in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html); because this is a cloud-hosted product, Oracle deploys the fix to tenants, but customers should confirm patch status with Oracle Support and validate post-patch behavior in non-production tenants first. Until rollout is confirmed, restrict network exposure of any customer-managed integration endpoints by enforcing IP allow-listing in Oracle Cloud Infrastructure WAF or perimeter controls, require VPN/Zero-Trust gateways in front of Siebel UI/API access, and monitor Cloud Manager logs for unexpected administrative actions - note that aggressive IP restriction can break legitimate partner integrations and remote field-force access, so coordinate with business owners.
Remote takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) allows unauthenticated network atta
Account takeover in Oracle Siebel CRM Cloud Applications versions 17.0 through 26.5 allows a low-privileged remote attac
Privilege escalation and full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible
Adjacent-network takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible via the Siebe
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37238