Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable HTTP endpoint (AV:N) with no special conditions (AC:L), requires a high-privileged EBS/iSupport account (PR:H), no user interaction, and impact crosses into other EBS modules (S:C) with full CIA loss.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Takeover of Oracle iSupport in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with scope-changed impact extending to additional EBS components. The CVSS 3.1 base score of 9.1 reflects full confidentiality, integrity, and availability loss beyond the vulnerable component itself. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network HTTP reachability to the Oracle E-Business Suite application tier hosting the iSupport module, (2) the target running an affected EBS 12.2.x release between 12.2.3 and 12.2.15 inclusive with the iSupport product deployed and the 'Internal Operations' component active, and (3) an authenticated session with high privileges within iSupport/EBS (PR:H per CVSS vector) - anonymous or low-privilege EBS users cannot trigger the flaw. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) describes a network-reachable, low-complexity attack that nonetheless requires high privileges, which materially gates real-world exploitability: an attacker must already hold an elevated EBS account (administrative or equivalent role on iSupport) before the flaw produces its high impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or is assigned a high-privileged Oracle EBS account - for example, a compromised iSupport administrator credential reused from a phishing campaign, or a malicious insider with elevated responsibilities - sends crafted HTTP requests to the iSupport Internal Operations endpoints on the EBS application tier. The request triggers the scope-changing flaw to fully take over the iSupport module and pivot to manipulate confidentiality, integrity, and availability of additional EBS components such as related self-service or back-office modules. … |
| Remediation | Apply the Oracle Critical Patch Update for June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory; Oracle has not published a discrete fixed micro-version in the supplied intelligence, so use the CPU patch matrix for your exact 12.2.x release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and audit all high-privileged user accounts with iSupport access; review administrative activity logs for anomalies; escalate findings to security leadership. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Isupport
View allPrivileged remote takeover of Oracle iSupport (Oracle E-Business Suite, Internal Operations component) affects versions
Full takeover of Oracle iSupport (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37259