Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network HTTP reach (AV:N), straightforward once authorized (AC:L), requires existing high privilege in iSupport (PR:H), no user interaction, and scope change with full CIA impact on adjacent EBS components.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privileged remote takeover of Oracle iSupport (Oracle E-Business Suite, Internal Operations component) affects versions 12.2.3 through 12.2.15, where an authenticated high-privilege attacker with HTTP access can fully compromise the application with scope change into adjacent E-Business Suite components. The CVSS 9.1 score reflects the cross-component blast radius rather than ease of access, since PR:H means the attacker must already hold elevated privileges. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold a high-privilege account in Oracle iSupport (CVSS PR:H) and to be able to reach the iSupport HTTP endpoints over the network; no user interaction is needed (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and 9.1 score are driven almost entirely by the scope change and full CIA impact, not by ease of access - PR:H means an attacker must first hold high privileges in iSupport, which materially limits the realistic threat compared to a PR:N RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An insider or a compromised business partner who already holds a high-privilege iSupport responsibility (for example through credential phishing or reuse against an EBS user with internal-operations access) sends crafted HTTP requests to the vulnerable iSupport endpoint and pivots beyond iSupport into adjacent E-Business Suite components thanks to the scope change, taking over iSupport data and influencing connected modules. No public exploit code is identified at time of analysis, so initial exploitation would require attacker-developed tooling derived from the patch diff. |
| Remediation | Apply Patch available per vendor advisory by installing the June 2026 Oracle Critical Patch Update fixes for E-Business Suite iSupport as published at https://www.oracle.com/security-alerts/cspujun2026.html, prioritizing the patch corresponding to your exact 12.2.x release level. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all systems running Oracle iSupport 12.2.3-12.2.15; immediately audit and restrict high-privilege account access to business-critical personnel only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Isupport
View allTakeover of Oracle iSupport in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated
Full takeover of Oracle iSupport (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37258