Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Network-reachable EBS web tier (AV:N), Oracle calls it easily exploitable (AC:L), requires a low-privileged EBS account (PR:L), no user interaction, high confidentiality and only partial availability impact with no integrity change.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).
AnalysisAI
Information disclosure and partial denial of service in Oracle E-Business Suite Enterprise Asset Management (versions 12.2.3 through 12.2.15) allows a low-privileged authenticated attacker with HTTP network access to read all data accessible to the Enterprise Asset Management module and degrade its availability. Oracle rates the issue 7.1 CVSS 3.1 and describes it as easily exploitable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must hold a valid low-privileged Oracle E-Business Suite account (PR:L) and have HTTP/HTTPS reachability to the EBS web tier hosting the Enterprise Asset Management Internal Operations component, against EBS versions 12.2.3 through 12.2.15; no user interaction, no admin role, and no special non-default configuration is required beyond having EAM deployed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L describes a network-reachable, low-complexity attack requiring only a low-privileged EBS account and no user interaction, which is realistic for any organisation with self-service EBS users or contractors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A contractor or junior maintenance user with a valid but low-privileged EBS account authenticates to the EBS web tier over HTTP/HTTPS and issues crafted requests to the EAM Internal Operations endpoints, retrieving the full set of EAM-accessible records (work orders, asset data, internal operations details) that their responsibility should not expose. The same attacker can repeat resource-intensive requests to cause partial denial of service of the EAM module, degrading maintenance operations for legitimate users. … |
| Remediation | Patch available per vendor advisory: apply the fixes bundled in the Oracle Critical Patch Update of June 2026 documented at https://www.oracle.com/security-alerts/cspujun2026.html, which covers EBS 12.2.3 through 12.2.15. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Oracle EBS Enterprise Asset Management module versions 12.2.3-12.2.15 and document current user access levels. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37248