Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable OAM endpoint, low complexity, requires any low-privileged EBS account (PR:L), no user interaction, and the vendor-confirmed scope change yields full C/I/A impact on adjacent components.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Manager. While the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Applications Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privilege escalation and full takeover of Oracle Applications Manager (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker over HTTP to fully compromise the management product and, because of the scope change, significantly impact additional integrated products. Oracle rates the issue CVSS 9.9 with confidentiality, integrity, and availability impacts; no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must hold valid credentials for any low-privileged Oracle E-Business Suite 12.2 account (PR:L) and must be able to reach the Oracle Applications Manager web interface over HTTP, which is exposed by the EBS middle tier on installations of versions 12.2.3 through 12.2.15 with the Internal Operations component deployed (the default for supported EBS 12.2). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed in priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker phishes or otherwise obtains the credentials of any low-privileged EBS user, or uses an existing functional account, logs in to the Applications Manager URL over HTTP/HTTPS from the corporate network, and sends a crafted request to the Internal Operations component. The request escapes OAM's authorization boundary (scope change), giving the attacker administrative control of Oracle Applications Manager and the ability to manipulate, read, or disrupt connected EBS components such as concurrent managers and middle-tier services. … |
| Remediation | Patch available per vendor advisory: apply the fixes delivered in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for every EBS 12.2 instance between 12.2.3 and 12.2.15, following Oracle's CPU patching guidance and prerequisite bundle requirements. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and document all systems running Oracle E-Business Suite versions 12.2.3 through 12.2.15, including their network exposure and role in business processes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37249