Skip to main content

Oracle iSetup EUVDEUVD-2026-37252

| CVE-2026-46937 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable HTTP endpoint (AV:N), no special conditions beyond a low-privileged EBS account (AC:L, PR:L), no user interaction, and Oracle states full takeover of iSetup yielding C:H/I:H/A:H within the same authorization scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:02 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle iSetup product of Oracle E-Business Suite (component: General Ledger Update Transform, Reports). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iSetup. Successful attacks of this vulnerability can result in takeover of Oracle iSetup. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover of Oracle iSetup (component of Oracle E-Business Suite 12.2.3 through 12.2.15) is achievable by a low-privileged authenticated attacker reaching the General Ledger Update Transform / Reports component over HTTP. The flaw is rated CVSS 8.8 with full confidentiality, integrity, and availability impact, and no public exploit has been identified at time of analysis. Oracle published the fix in the June 2026 Critical Patch Update.

Technical ContextAI

Oracle iSetup is a configuration migration and reporting utility shipped with Oracle E-Business Suite (EBS) 12.2, used to transform and move setup data (including General Ledger configuration) between EBS instances. The affected component - General Ledger Update Transform and Reports - processes user-supplied data via HTTP endpoints exposed through the EBS application tier (typically Oracle HTTP Server / WebLogic). Because no CWE is assigned by Oracle and the advisory text is intentionally sparse (Oracle's standard CPU practice), the precise weakness class is not disclosed, but the combination of low-privileged HTTP access leading to full takeover is consistent with authorization bypass, injection, or insecure deserialization typical of EBS modules.

RemediationAI

Apply the Oracle June 2026 Critical Patch Update for E-Business Suite as described at https://www.oracle.com/security-alerts/cspujun2026.html (Patch available per vendor advisory; the CPU bundles the iSetup fix for all supported 12.2.x lines). Until the CPU can be deployed, restrict network reachability of the iSetup application URLs to administrative networks only via WebLogic/Oracle HTTP Server URL-firewall rules or an upstream reverse proxy - note this can break legitimate cross-instance setup-migration workflows that iSetup users rely on. Enforce least-privilege EBS responsibilities so general users do not hold the iSetup responsibility (removes the PR:L precondition), audit existing iSetup role assignments, and rotate EBS application passwords that may have been exposed; monitor application-tier access logs for unusual POSTs to General Ledger Update Transform and Reports endpoints.

Share

EUVD-2026-37252 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy