Severity by source
AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Adjacent layer-2 access required (AV:A), high complexity preconditions (AC:H), unauthenticated and no user interaction, with scope change enabling full C/I/A compromise of Siebel and integrated products.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Siebel CRM Cloud Applications executes to compromise Siebel CRM Cloud Applications. While the vulnerability is in Siebel CRM Cloud Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Adjacent-network takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible via the Siebel Cloud Manager component, where an unauthenticated attacker on the same physical communication segment can fully compromise the application and pivot to other products through a scope change. The flaw carries a CVSS 3.1 base score of 8.3 with full confidentiality, integrity, and availability impact, but high attack complexity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The vulnerability resides in the Siebel Cloud Manager subcomponent of Oracle Siebel CRM Cloud Applications, the orchestration layer responsible for provisioning and managing Siebel CRM cloud-hosted instances. The CPE 'cpe:2.3:a:oracle_corporation:siebel_crm_cloud_applications' confirms the affected stack is the SaaS-oriented Siebel CRM platform rather than the on-premises Siebel Server installations. No CWE is assigned, but the CVSS vector (AV:A, S:C) indicates a network-protocol or shared-segment weakness whose exploitation crosses a security boundary, suggesting that the Cloud Manager exposes a service on a layer-2 adjacent interface that, when manipulated, allows control of resources outside its own security scope.
RemediationAI
Patch available per vendor advisory: apply the fixes from the Oracle June 2026 Siebel Cloud Patch Update at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses all supported releases in the 17.0-26.5 range. Because the attack vector is adjacent-network, compensating controls until patching is possible include placing the Siebel Cloud Manager management interfaces on a dedicated, access-controlled VLAN or management network, enforcing layer-2 isolation between tenant workloads and management traffic, and blocking unsolicited traffic from untrusted hosts that share the same broadcast domain - be aware that aggressive segmentation can disrupt Siebel administrative tooling and clustered communications, so changes should be staged.
Remote takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) allows unauthenticated network atta
Account takeover in Oracle Siebel CRM Cloud Applications versions 17.0 through 26.5 allows a low-privileged remote attac
Privilege escalation and full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible
Full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0-26.5) is possible by unauthenticated remote attacke
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37241