Severity by source

Primary rating from the vendor (Oracle). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Network HTTP reach (AV:N); Oracle states the flaw is difficult to exploit (AC:H); a supplier-level account is required (PR:L); no user interaction is needed (UI:N); and full takeover of the module yields C:H/I:H/A:H within unchanged scope (S:U).
Description (CVE.org)
Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iSupplier Portal. Successful attacks of this vulnerability can result in takeover of Oracle iSupplier Portal. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Analysis (AI)
Takeover of Oracle iSupplier Portal (E-Business Suite versions 12.2.3 through 12.2.15) is achievable by a low-privileged remote attacker over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw is rated CVSS 7.5 with high confidentiality, integrity, and availability impact, but carries high attack complexity, suggesting non-trivial preconditions. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.

Vulnerability Assessment (AI)
| Exploitation | Requires (1) network HTTP reach to the Oracle E-Business Suite 12.2 deployment hosting the iSupplier Portal module - typical for internet-facing or extranet supplier portals; (2) valid low-privileged credentials to the iSupplier Portal (PR:L), normally a supplier account; and (3) the target running iSupplier Portal in EBS 12.2.3 through 12.2.15. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward 'patch on schedule' rather than 'emergency.' The CVSS vector confirms network reach and full CIA impact (justifying the 7.5 score), but AC:H and PR:L meaningfully constrain mass exploitation: an attacker needs a valid low-privilege account (typically a supplier login) and must satisfy non-default conditions Oracle does not disclose. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or registered a valid supplier-tier account on a target Oracle E-Business Suite 12.2.x deployment authenticates to the iSupplier Portal and sends a crafted HTTP request to an Internal Operations endpoint, exploiting a server-side flaw under conditions that are difficult to satisfy. On success the attacker achieves full takeover of the iSupplier Portal module, allowing them to read, modify, or disrupt supplier-related data and operations. … |
| Remediation | Apply the fixes from Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) to all Oracle E-Business Suite 12.2 environments running iSupplier Portal between 12.2.3 and 12.2.15; Oracle's CPU is the authoritative source for exact patch identifiers and any prerequisite EBS/AD/TXK levels. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: (1) Identify all systems running Oracle E-Business Suite versions 12.2.3-12.2.15 with iSupplier Portal enabled; (2) Implement firewall rules and network access restrictions to limit remote connectivity to the portal. …
EUVD-2026-37268