Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable EBS app tier gives AV:N/UI:N; Oracle's 'difficult to exploit' wording supports AC:H; a low-privileged EBS account is required (PR:L); takeover of SLA yields C:H/I:H/A:H within the same scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by a low-privileged remote attacker leveraging HTTP. The flaw yields full confidentiality, integrity, and availability impact (CVSS 7.5) but is rated high attack complexity, so reliable exploitation is non-trivial. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must hold valid low-privileged credentials on a target Oracle E-Business Suite 12.2.3-12.2.15 deployment (PR:L) and must be able to reach the EBS application tier over HTTP (AV:N); no user interaction is required (UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H produces a 7.5 base score: network-reachable, no user interaction, but high attack complexity and requiring a low-privileged EBS account, with full CIA impact ('takeover' of SLA). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A contractor or low-privilege business user with a valid Oracle EBS account reaches the application tier over HTTP and issues a crafted request that exercises an Internal Operations code path in Subledger Accounting; after working around the high-complexity conditions (e.g., timing, state, or a specific configuration), the attacker gains full control of the SLA component and can read, alter, or destroy accounting rule data and generated journals. No public exploit identified at time of analysis, so any real-world abuse would currently require independent reverse engineering of the Oracle patch. |
| Remediation | Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; patch availability is confirmed via the Oracle CPU reference but no exact CPU patch number or post-patch version string is provided in the input data, so the precise fix identifier should be taken from the CPU bulletin itself. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Oracle E-Business Suite deployments; identify systems running versions 12.2.3 through 12.2.15 and assess Subledger Accounting module scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Subledger Accounting
View allSame weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37269