Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SOAP endpoint is network-reachable (AV:N) with no auth or user interaction (PR:N/UI:N); Oracle's AC:H reflects non-trivial conditions; description states full takeover (C:H/I:H/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Receivables product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SOAP to compromise Oracle Receivables. Successful attacks of this vulnerability can result in takeover of Oracle Receivables. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle Receivables in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by unauthenticated attackers reaching the SOAP interface of the Internal Operations component. Oracle's CVSS 3.1 score of 8.1 reflects full confidentiality, integrity, and availability impact, though high attack complexity (AC:H) tempers the practical risk. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to reach the Oracle E-Business Suite SOAP web service endpoint exposed by the Internal Operations component of Oracle Receivables on a running EBS 12.2.3-12.2.15 instance - in practice this means network access to the EBS web/application tier (often via the Integrated SOA Gateway). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals point in different directions and should be weighed together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reach to the EBS web tier (internal LAN, VPN, or an internet-exposed SOA Gateway) sends a specially crafted SOAP request to a Receivables Internal Operations endpoint without authenticating. By satisfying the specific conditions required by the flaw (reflected in AC:H), the request results in full compromise of the Receivables module, exposing customer financial data, allowing tampering with invoices and balances, and enabling denial of service. … |
| Remediation | Apply the patches in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html), which is the authoritative fix referenced by the advisory; the input does not provide an exact patch-set bundle number, so consult that CPU matrix for the precise Oracle Receivables 12.2.x patch that corresponds to your installed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Oracle E-Business Suite instances running versions 12.2.3-12.2.15 and assess network exposure to the SOAP interface. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37243