Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable EBS module (AV:N), described as easily exploitable (AC:L), requires a high-privileged EBS account (PR:H), no user interaction, and results in full module takeover (C:H/I:H/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Public Sector Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Public Sector Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Public Sector Payroll. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full takeover of Oracle Public Sector Payroll (E-Business Suite 12.2.3-12.2.15) is possible by a high-privileged, network-adjacent attacker exploiting a flaw in the Internal Operations component, with confidentiality, integrity, and availability all fully impacted. Oracle's June 2026 Critical Patch Update describes the issue as easily exploitable over HTTP once privileges are held, and no public exploit identified at time of analysis. CVSS 3.1 base score is 7.2.
Technical ContextAI
The affected technology is Oracle E-Business Suite (EBS), Oracle's flagship on-premises ERP platform, specifically the Public Sector Payroll module within the Internal Operations component. EBS 12.2.x is a multi-tier J2EE/Forms application typically fronted by Oracle HTTP Server and backed by an Oracle Database, where modules expose business logic through HTTP-driven servlets, OAF pages, and PL/SQL APIs. No CWE is supplied by Oracle (consistent with the vendor's standard CPU disclosure practice), but the combination of HTTP attack vector and high-privilege precondition leading to full module takeover is typical of authenticated injection or insecure deserialization/PLSQL-API exposure issues in EBS modules.
RemediationAI
Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; patch available per vendor advisory, but no single exact patched build number is reproduced in the input, so administrators should consult the CPU patch matrix to identify the correct EBS 12.2 RPC/AD-TXK and Public Sector Payroll patch IDs for their version. Until the CPU is applied, compensating controls include tightly restricting which EBS responsibilities grant Public Sector Payroll Internal Operations privileges, auditing and reducing accounts that already hold those high-privilege roles, putting the EBS internal URLs behind network ACLs so only HR/payroll administrator workstations can reach them (side effect: legitimate remote admins lose direct access and must use a jump host), and enabling EBS auditing/FND audit trail on Internal Operations forms and APIs to detect abuse (side effect: increased audit volume and storage). Do not disable Public Sector Payroll outright unless the module is unused, as that breaks payroll processing.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37285