Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable EBS web tier (AV:N), Oracle labels easily exploitable (AC:L), requires a low-privileged EBS account (PR:L), no user interaction, and description states full module takeover (C:H/I:H/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Outsourced Mfg for Discrete Industries. Successful attacks of this vulnerability can result in takeover of Oracle Outsourced Mfg for Discrete Industries. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full takeover of Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) is achievable by a low-privileged authenticated attacker over HTTP, per Oracle's June 2026 Critical Patch Update advisory. The CVSS 3.1 base score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity, though no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker needs (1) network HTTP/HTTPS reachability to the Oracle E-Business Suite web tier hosting the Outsourced Mfg for Discrete Industries module, and (2) a valid low-privileged EBS account (PR:L) with access to the Internal Operations component - typical EBS end-user credentials are sufficient, no admin role required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) makes this a high-priority issue: network-reachable, low complexity, requires only a low-privileged EBS account, no user interaction, and yields full takeover of the module. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any low-privileged Oracle EBS account - for example a contractor or compromised supplier user - sends a crafted HTTP request to the Internal Operations component of the Outsourced Mfg module and takes over the product, gaining the ability to read, modify, and destroy manufacturing and supply-chain data. No user interaction is required, complexity is low, and a single account is sufficient; no public exploit identified at time of analysis, but Oracle explicitly labels it easily exploitable. |
| Remediation | Apply patch available per vendor advisory by installing the fixes bundled in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); exact patch numbers are listed in the CPU's E-Business Suite patch availability matrix and should be applied to all instances on 12.2.3-12.2.15 in line with Oracle's standard adop/ad utility procedures, followed by post-patch validation of the Outsourced Mfg module. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Oracle E-Business Suite versions 12.2.3-12.2.15, confirm manufacturing module deployment status, and determine scope of low-privileged user access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37282