Skip to main content

Oracle Siebel CRM EUVDEUVD-2026-37241

| CVE-2026-46925 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.3
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.3 HIGH
AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.3 HIGH

Adjacent layer-2 access required (AV:A), high complexity preconditions (AC:H), unauthenticated and no user interaction, with scope change enabling full C/I/A compromise of Siebel and integrated products.

3.1 AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:08 vuln.today

DescriptionCVE.org

Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Siebel CRM Cloud Applications executes to compromise Siebel CRM Cloud Applications. While the vulnerability is in Siebel CRM Cloud Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Adjacent-network takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible via the Siebel Cloud Manager component, where an unauthenticated attacker on the same physical communication segment can fully compromise the application and pivot to other products through a scope change. The flaw carries a CVSS 3.1 base score of 8.3 with full confidentiality, integrity, and availability impact, but high attack complexity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in the Siebel Cloud Manager subcomponent of Oracle Siebel CRM Cloud Applications, the orchestration layer responsible for provisioning and managing Siebel CRM cloud-hosted instances. The CPE 'cpe:2.3:a:oracle_corporation:siebel_crm_cloud_applications' confirms the affected stack is the SaaS-oriented Siebel CRM platform rather than the on-premises Siebel Server installations. No CWE is assigned, but the CVSS vector (AV:A, S:C) indicates a network-protocol or shared-segment weakness whose exploitation crosses a security boundary, suggesting that the Cloud Manager exposes a service on a layer-2 adjacent interface that, when manipulated, allows control of resources outside its own security scope.

RemediationAI

Patch available per vendor advisory: apply the fixes from the Oracle June 2026 Siebel Cloud Patch Update at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses all supported releases in the 17.0-26.5 range. Because the attack vector is adjacent-network, compensating controls until patching is possible include placing the Siebel Cloud Manager management interfaces on a dedicated, access-controlled VLAN or management network, enforcing layer-2 isolation between tenant workloads and management traffic, and blocking unsolicited traffic from untrusted hosts that share the same broadcast domain - be aware that aggressive segmentation can disrupt Siebel administrative tooling and clustered communications, so changes should be staged.

Share

EUVD-2026-37241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy