Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Oracle states HTTP-reachable, easily exploitable by a low-privileged attacker with no user interaction, resulting in full module takeover, so AV:N/AC:L/PR:L/UI:N and C:H/I:H/A:H within unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Outsourced Mfg for Discrete Industries. Successful attacks of this vulnerability can result in takeover of Oracle Outsourced Mfg for Discrete Industries. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker to fully compromise the module over HTTP. With CVSS 3.1 base score 8.8 and high impact on confidentiality, integrity, and availability, this is a high-priority patching item, though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.
Technical ContextAI
Oracle E-Business Suite is a large integrated ERP/CRM/SCM platform; the Outsourced Mfg for Discrete Industries module supports contract manufacturing workflows within the Internal Operations component. The affected stack is the EBS 12.2 application tier, which runs on Oracle Application Server / WebLogic with Java/PL-SQL business logic exposed via HTTP servlets and OA Framework pages. No CWE was assigned by Oracle in the advisory, so the precise root cause class (e.g., improper authorization, deserialization, or SQL injection) is not disclosed, but the CVSS vector and 'takeover of the module' impact language are consistent with an authorization or input-handling flaw reachable through an authenticated HTTP request to the module.
RemediationAI
Patch available per vendor advisory: apply the fixes shipped in the Oracle Critical Patch Update June 2026 (CPUJUN2026) for Oracle E-Business Suite 12.2.3-12.2.15 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; exact patch numbers and prerequisite bundle patches should be taken from the Oracle CPU advisory and My Oracle Support notes referenced therein. Until the CPU is applied, restrict network reachability of the EBS application tier so that the Outsourced Mfg for Discrete Industries pages are only accessible from trusted internal networks or via VPN, tighten EBS responsibility/menu assignments so that ordinary functional users do not have access to Internal Operations or Outsourced Manufacturing responsibilities, and enable URL firewall / DMZ allowlisting in EBS to drop unexpected module URLs at the web tier (note this can break legitimate integrations and self-service flows, so test in a clone first). Increase monitoring on FND_LOGINS, FND_UNSUCCESSFUL_LOGINS, and Apache access logs for anomalous requests to OutsourcedMfg / Internal Operations endpoints in the interim.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37283