Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable HTTP endpoint (AV:N), no special conditions beyond a low-privileged EBS account (AC:L, PR:L), no user interaction, and Oracle states full takeover of iSetup yielding C:H/I:H/A:H within the same authorization scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle iSetup product of Oracle E-Business Suite (component: General Ledger Update Transform, Reports). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iSetup. Successful attacks of this vulnerability can result in takeover of Oracle iSetup. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover of Oracle iSetup (component of Oracle E-Business Suite 12.2.3 through 12.2.15) is achievable by a low-privileged authenticated attacker reaching the General Ledger Update Transform / Reports component over HTTP. The flaw is rated CVSS 8.8 with full confidentiality, integrity, and availability impact, and no public exploit has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must reach the Oracle E-Business Suite application tier over HTTP/HTTPS and hold a valid EBS user account with sufficient responsibility to invoke the Oracle iSetup module's General Ledger Update Transform or Reports functionality (PR:L per Oracle's vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but lean toward meaningful enterprise risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has phished or password-sprayed a low-privilege EBS user account with iSetup access logs into the EBS application tier over HTTPS, navigates to (or directly POSTs to) the General Ledger Update Transform / Reports endpoint, and submits a crafted request that abuses the vulnerable component to gain full control of the iSetup module - reading and modifying General Ledger configuration migrations and pivoting deeper into the EBS instance. No user interaction by another party is required, and no public POC has been observed at time of analysis. |
| Remediation | Apply the Oracle June 2026 Critical Patch Update for E-Business Suite as described at https://www.oracle.com/security-alerts/cspujun2026.html (Patch available per vendor advisory; the CPU bundles the iSetup fix for all supported 12.2.x lines). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Oracle E-Business Suite 12.2.3 through 12.2.15 instances and disable HTTP access to iSetup components; restrict to HTTPS and authorized networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37252