Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor describes easy unauthenticated HTTPS exploitation yielding full takeover, so AV:N/AC:L/PR:N/UI:N with C:H/I:H/A:H on an unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Oracle E-Business Suite, is possible over HTTPS with low attack complexity. The flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8) on the Core component and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the trivial exploitability profile makes this a high-priority patching target.
Technical ContextAI
Oracle Enterprise Command Center Framework (ECC) is an analytics and visualization layer bundled with Oracle E-Business Suite that lets users explore operational data through faceted search dashboards built on top of EBS data sources. The affected 'Core' subcomponent handles framework-level request processing, and the CPE identifier oracle_enterprise_command_center_framework covers all installed releases of V15 and V16. Oracle did not assign a public CWE, but the combination of unauthenticated network reach plus full CIA impact is consistent with the deserialization, authentication-bypass, or injection classes that have historically plagued the EBS technology stack.
RemediationAI
Apply the patch shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html), which is the vendor-released fix referenced for V15 and V16 - exact post-patch build numbers are enumerated in the CPU matrix rather than this CVE record. Until the CPU can be applied, restrict HTTPS reachability of the ECC endpoints to trusted internal networks via WAF or network ACLs and require VPN access for any external operators, accepting that this will break any partner or remote-user workflows that legitimately consume ECC dashboards; also raise monitoring on ECC servlet paths for anomalous unauthenticated POST traffic.
Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) a
Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievabl
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Su
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privi
Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote atta
Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Bu
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a compon
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37221