Severity by source
AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Adjacent layer-2 access required (AV:A), high complexity preconditions (AC:H), unauthenticated and no user interaction, with scope change enabling full C/I/A compromise of Siebel and integrated products.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Siebel CRM Cloud Applications executes to compromise Siebel CRM Cloud Applications. While the vulnerability is in Siebel CRM Cloud Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Adjacent-network takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible via the Siebel Cloud Manager component, where an unauthenticated attacker on the same physical communication segment can fully compromise the application and pivot to other products through a scope change. The flaw carries a CVSS 3.1 base score of 8.3 with full confidentiality, integrity, and availability impact, but high attack complexity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must have access to the physical (or layer-2 logical) communication segment attached to the hardware running Siebel CRM Cloud Applications - typically the same VLAN, virtual switch, or broadcast domain as the Siebel Cloud Manager host - and must operate against a supported version between 17.0 and 26.5. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed: CVSS 3.1 is High (8.3) due to full C/I/A impact and scope change, but the attack vector is Adjacent (AV:A) and attack complexity is High (AC:H), meaning the attacker must be on the same physical/logical communication segment and overcome non-trivial conditions to succeed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained a foothold on a virtual machine, container, or hardware node sharing the same layer-2 communication segment as a Siebel Cloud Manager host crafts adjacent-network traffic targeting the manager, overcoming the high-complexity preconditions to coerce it into a state that yields full control. Because the vulnerability produces a scope change, the attacker then leverages the compromised Cloud Manager to reach and impact additional integrated products such as backend databases, identity services, or other Oracle cloud components colocated on the same trust boundary. … |
| Remediation | Patch available per vendor advisory: apply the fixes from the Oracle June 2026 Siebel Cloud Patch Update at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses all supported releases in the 17.0-26.5 range. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Exploitation status: no public exploit identified at time of analysis. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) allows unauthenticated network atta
Account takeover in Oracle Siebel CRM Cloud Applications versions 17.0 through 26.5 allows a low-privileged remote attac
Privilege escalation and full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible
Full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0-26.5) is possible by unauthenticated remote attacke
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37241