Skip to main content

Oracle ECC Framework EUVDEUVD-2026-37219

| CVE-2026-46900 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

HTTPS-reachable ECC endpoint (AV:N), no special conditions (AC:L), any EBS user credential suffices (PR:L), no interaction (UI:N), and takeover plus impact on other EBS modules justifies S:C with full C/I/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:20 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker over HTTPS to fully compromise the product and pivot into other E-Business Suite components via a CVSS scope change. Oracle has issued a fix in its June 2026 Critical Patch Update; no public exploit identified at time of analysis and EPSS/KEV signals were not provided.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege EBS account
Delivery
Reach ECC HTTPS endpoint
Exploit
Send crafted ECC request
Execution
Take over ECC Framework
Persist
Pivot via scope change to EBS modules
Impact
Exfiltrate or tamper with financial/HR data

Vulnerability AssessmentAI

Exploitation Attacker must (1) reach the Oracle ECC Framework HTTPS endpoint on an EBS deployment running ECC V15 or V16, and (2) hold valid credentials for any low-privileged EBS account (PR:L) - no admin role, no MFA bypass, and no user interaction (UI:N) is required, and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine priority despite the low-privilege requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privilege EBS account - for example a self-service employee login harvested via phishing or reused credentials - connects to the ECC Framework over HTTPS and issues a crafted request to a vulnerable ECC endpoint, gaining full control of the ECC service and, through the CVSS scope change, the ability to read or tamper with data in connected EBS modules such as Financials or HCM. No public exploit identified at time of analysis, but Oracle CPU patches are routinely diffed by researchers, so a working exploit is plausible within weeks.
Remediation Apply Oracle's June 2026 Critical Patch Update for Oracle E-Business Suite as documented at https://www.oracle.com/security-alerts/cspujun2026.html, installing the ECC Framework patches that supersede V15 and V16 on every EBS environment (production, DR, test) - exact fix-level identifiers are enumerated in the CPU advisory and should be cited from the patch table rather than guessed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Oracle EBS deployments with CCF V15 or V16; restrict access from low-privileged accounts where operationally feasible; enable detailed activity logging. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy