Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable EBS HTTP tier (AV:N), low complexity per Oracle (AC:L), requires any valid EBS user (PR:L), no interaction (UI:N), and Oracle states full module takeover yielding C:H/I:H/A:H within the same scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Cost Planning component over HTTP. The flaw yields high confidentiality, integrity, and availability impact with no user interaction required, and is addressed in Oracle's June 2026 Critical Patch Update. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the Oracle E-Business Suite application/HTTP tier hosting the Cost Management module and a valid low-privileged EBS user credential (PR:L); no user interaction, no admin role, and no scope change are required, and the targeted versions are EBS Cost Management 12.2.3 through 12.2.15. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine priority for any organization running EBS 12.2: CVSS 3.1 base 8.8 with AV:N/AC:L/PR:L/UI:N and full C/I/A impact means a single low-privileged EBS account - which many enterprises issue broadly to employees, contractors, and partners - can take over Cost Management. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been issued any low-privileged Oracle E-Business Suite account - for example a self-service employee, supplier portal user, or a credential harvested via phishing - authenticates to the EBS web tier and sends crafted HTTP requests to the Cost Planning component, abusing the undisclosed flaw to escalate within Cost Management and read, modify, or destroy cost data and configurations. No user interaction or additional privileges are required and attack complexity is low, but no public exploit has been identified at time of analysis. |
| Remediation | Apply the fixes shipped in Oracle's Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for Oracle E-Business Suite 12.2.3-12.2.15; Oracle delivers EBS fixes as cumulative patch sets through My Oracle Support, so install the CPU-aligned patch for your exact 12.2.x level rather than waiting for a point release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Oracle EBS Cost Management instances in versions 12.2.3-12.2.15; immediately restrict Cost Planning access by IP whitelist and disable remote access if non-critical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Cost Management
View allRemote takeover of Oracle Cost Management (component: Cost Planning) within Oracle E-Business Suite versions 12.2.3 thro
Full compromise of Oracle Cost Management (component: Cost Planning) in Oracle E-Business Suite versions 12.2.3 through
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37245