Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable EBS module (AV:N), needs valid low-priv EBS account (PR:L), Oracle states exploitation is difficult (AC:H), no UI, full module takeover gives C/I/A:H within same scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full compromise of Oracle HR Intelligence (a module of Oracle E-Business Suite) is possible for an authenticated low-privileged attacker who can reach the Internal Operations component over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw affects EBS versions 12.2.3 through 12.2.15 and yields high impact across confidentiality, integrity, and availability, though Oracle rates exploitation as difficult (AC:H). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must have network reachability to the Oracle E-Business Suite HTTP tier and a valid low-privileged EBS account (PR:L) on an installation running HR Intelligence on EBS 12.2.3 through 12.2.15 with the Internal Operations component enabled; no user interaction is required (UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 7.5 is driven by full C/I/A impact (H/H/H) and network reach (AV:N), but is tempered by AC:H and PR:L, meaning the attacker must already hold a low-privilege EBS account and overcome non-trivial exploitation conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has phished or otherwise obtained a low-privilege Oracle EBS account (for example, an employee self-service login) sends crafted HTTP requests to the HR Intelligence Internal Operations endpoints exposed by the EBS application server. By chaining the difficult-to-trigger flaw, the attacker escalates within the HR Intelligence module and exfiltrates or tampers with sensitive employee records and HR analytics. … |
| Remediation | Apply the Oracle E-Business Suite patches bundled in the June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); Oracle ships HR Intelligence fixes as part of the standard EBS 12.2 patchset for versions 12.2.3 through 12.2.15, and Patch available per vendor advisory with no separate fix version number disclosed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Oracle EBS 12.2.3-12.2.15 deployments and document systems with HR Intelligence enabled; immediately restrict network access to the Internal Operations component to authorized IP ranges only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Hr Intelligence
View allFull compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite 12.2.3 through 12.
Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 th
Same weakness CWE-284 – Improper Access Control
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37281