Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable EBS HTTP endpoint (AV:N), low complexity (AC:L), requires any authenticated EBS user (PR:L), no user interaction, and Oracle states full product takeover yielding C:H/I:H/A:H within the same security authority (S:U).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Outbound Telephony. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite component, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker with HTTP access to fully compromise the product's confidentiality, integrity, and availability. Oracle has published a fix in the June 2026 Critical Patch Update, and the CVSS 3.1 base score of 8.8 reflects an easily exploitable network-borne flaw, though no public exploit identified at time of analysis and EPSS data was not provided.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network reachability to the Oracle E-Business Suite web tier serving the Advanced Outbound Telephony module over HTTP, (2) a valid low-privileged EBS account (PR:L - any authenticated EBS user, not anonymous), and (3) the target running EBS 12.2 at a level between 12.2.3 and 12.2.15 inclusive with the Advanced Outbound Telephony product (Internal Operations component) deployed and accessible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H paints a high-impact picture: network-reachable, low-complexity, only a low-privileged account needed, no user interaction, and full CIA loss on the targeted product. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained any low-privileged EBS account - for example via phishing of an internal user or reuse of a leaked self-service/iSupplier credential - sends crafted HTTP requests to the Advanced Outbound Telephony Internal Operations endpoints on the EBS web tier. The request abuses the flaw to escalate within the module and fully take over Advanced Outbound Telephony, allowing the attacker to read or modify outbound campaign data, contact lists, and dialer configuration, and to disrupt the dialer service. |
| Remediation | Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html), which is the patch available per vendor advisory for EBS 12.2.3 through 12.2.15; exact post-patch version strings are tracked in the CPU readme and should be matched against your current EBS 12.2 RUP level. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running Oracle Advanced Outbound Telephony versions 12.2.3-12.2.15; document current patch status and user access levels. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote unauthenticated compromise of Oracle Advanced Outbound Telephony (Oracle E-Business Suite, Internal Operations co
Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-p
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37262