Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Oracle states unauthenticated HTTPS exploitation is easy (AV:N, AC:L, PR:N, UI:N) with full data read/write but no service crash, so C:H/I:H/A:N and unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle In-Memory Cost Management for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.12-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle In-Memory Cost Management for Discrete Industries. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle In-Memory Cost Management for Discrete Industries accessible data as well as unauthorized access to critical data or complete access to all Oracle In-Memory Cost Management for Discrete Industries accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
AnalysisAI
Remote unauthenticated compromise of Oracle In-Memory Cost Management for Discrete Industries (Oracle E-Business Suite versions 12.2.12 through 12.2.15) allows network-based attackers to read, modify, create, or delete all data accessible to the product via HTTPS. The flaw carries a CVSS 3.1 base score of 9.1 with high confidentiality and integrity impact but no availability impact, and no public exploit has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must be able to reach the HTTPS interface of an Oracle E-Business Suite 12.2.12-12.2.15 deployment that has the Oracle In-Memory Cost Management for Discrete Industries product installed and its Internal Operations component exposed; no credentials, MFA, or user interaction are required (PR:N, UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to a genuinely high-priority issue: CVSS 3.1 9.1 with AV:N, AC:L, PR:N and UI:N means the vulnerability is remotely reachable, low-complexity, unauthenticated, and requires no user interaction, while C:H/I:H reflects total compromise of the product's data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An external attacker who can reach the Oracle E-Business Suite HTTPS endpoint sends a crafted request to the Internal Operations interface of the In-Memory Cost Management for Discrete Industries module without supplying valid credentials, abusing the missing authentication/authorization check implied by CVSS PR:N and the 'Authentication Bypass' tag. They then read, alter, or delete cost-management records - for example tampering with standard costs or inventory valuation data - to commit financial fraud or sabotage enterprise costing. … |
| Remediation | Apply the patch available per the Oracle Critical Patch Update Advisory of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to Oracle E-Business Suite 12.2.12-12.2.15 - Oracle has not published an independent fix version outside the CPU bundle, so install the CPU-aligned patch set for your 12.2.x level rather than waiting for an out-of-band release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Oracle E-Business Suite 12.2.12-12.2.15 with In-Memory Cost Management enabled; restrict network access to these systems' HTTPS ports to known administrative IP addresses only; enable full request/response logging. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37246