Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable HTTP endpoint (AV:N), no special conditions beyond a low-privileged EBS account (AC:L, PR:L), no user interaction, and Oracle states full takeover of iSetup yielding C:H/I:H/A:H within the same authorization scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle iSetup product of Oracle E-Business Suite (component: General Ledger Update Transform, Reports). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iSetup. Successful attacks of this vulnerability can result in takeover of Oracle iSetup. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover of Oracle iSetup (component of Oracle E-Business Suite 12.2.3 through 12.2.15) is achievable by a low-privileged authenticated attacker reaching the General Ledger Update Transform / Reports component over HTTP. The flaw is rated CVSS 8.8 with full confidentiality, integrity, and availability impact, and no public exploit has been identified at time of analysis. Oracle published the fix in the June 2026 Critical Patch Update.
Technical ContextAI
Oracle iSetup is a configuration migration and reporting utility shipped with Oracle E-Business Suite (EBS) 12.2, used to transform and move setup data (including General Ledger configuration) between EBS instances. The affected component - General Ledger Update Transform and Reports - processes user-supplied data via HTTP endpoints exposed through the EBS application tier (typically Oracle HTTP Server / WebLogic). Because no CWE is assigned by Oracle and the advisory text is intentionally sparse (Oracle's standard CPU practice), the precise weakness class is not disclosed, but the combination of low-privileged HTTP access leading to full takeover is consistent with authorization bypass, injection, or insecure deserialization typical of EBS modules.
RemediationAI
Apply the Oracle June 2026 Critical Patch Update for E-Business Suite as described at https://www.oracle.com/security-alerts/cspujun2026.html (Patch available per vendor advisory; the CPU bundles the iSetup fix for all supported 12.2.x lines). Until the CPU can be deployed, restrict network reachability of the iSetup application URLs to administrative networks only via WebLogic/Oracle HTTP Server URL-firewall rules or an upstream reverse proxy - note this can break legitimate cross-instance setup-migration workflows that iSetup users rely on. Enforce least-privilege EBS responsibilities so general users do not hold the iSetup responsibility (removes the PR:L precondition), audit existing iSetup role assignments, and rotate EBS application passwords that may have been exposed; monitor application-tier access logs for unusual POSTs to General Ledger Update Transform and Reports endpoints.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37252