Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network HTTP reachable EBS web tier with low complexity; PR:L because a valid EBS application account is required; UI:N and full CIA impact consistent with vendor-stated 'takeover' of the module.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle Cost Management (component: Cost Planning) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by a low-privileged attacker over HTTP, yielding full compromise of confidentiality, integrity, and availability (CVSS 8.8). The advisory was published in Oracle's June 2026 Critical Patch Update and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must hold valid credentials for any Oracle E-Business Suite application user account (PR:L) and must be able to reach the EBS web tier - specifically the Oracle Cost Management module's Cost Planning component - over HTTP/HTTPS. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine priority for organizations running EBS 12.2 internally, but not an unauthenticated internet emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A contractor with a basic EBS application account, or an attacker who phished an entry-level employee's SSO credentials, logs into the EBS web tier and issues a crafted HTTP request against a Cost Planning page or servlet that fails to enforce proper authorization, allowing them to manipulate cost data, exfiltrate sensitive financial information, or pivot to full Cost Management takeover. No user interaction by a second party is required and no public exploit identified at time of analysis, but the AC:L/UI:N profile means a working request would be highly reliable once developed. |
| Remediation | Apply the Oracle June 2026 Critical Patch Update fixes for Oracle E-Business Suite Cost Management as documented at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle publishes per-version patch numbers in My Oracle Support notes referenced from that advisory, so identify the patch corresponding to your exact 12.2.x baseline (12.2.3 through 12.2.15) and apply it via adop in the EBS R12.2 online patching cycle. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all production systems running Oracle EBS 12.2.3-12.2.15; document user accounts with Cost Planning module access; enable comprehensive logging of Cost Management API activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Cost Management
View allAccount takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged r
Full compromise of Oracle Cost Management (component: Cost Planning) in Oracle E-Business Suite versions 12.2.3 through
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37255