Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network-reachable EBS HTTP endpoint with low complexity, but exploitation requires a high-privileged Cost Management responsibility (PR:H), no user interaction, unchanged scope, full CIA takeover of the module.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full compromise of Oracle Cost Management (component: Cost Planning) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, resulting in takeover of the module with high confidentiality, integrity, and availability impact. Oracle's Critical Patch Update for June 2026 (cspujun2026) classifies this as easily exploitable once the privilege prerequisite is met. No public exploit identified at time of analysis and no CISA KEV listing observed.
Technical ContextAI
The flaw resides in the Cost Planning component of Oracle Cost Management, a financial module within Oracle E-Business Suite (CPE cpe:2.3:a:oracle_corporation:oracle_cost_management) that calculates standard and actual costs across manufacturing and inventory flows. EBS exposes these modules over the Oracle Application Framework via HTTP servlets fronted by Oracle HTTP Server, so a privileged session within the EBS console can reach the affected handler. No CWE was assigned in the input, but the 'takeover of Oracle Cost Management' wording combined with C:H/I:H/A:H and PR:H is consistent with a missing authorization or unsafe deserialization/injection sink reachable from a privileged business role rather than a memory-corruption bug.
RemediationAI
Apply the patch available per vendor advisory in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); exact post-patch version numbers are published in the CPU matrix and should be applied to all EBS 12.2.3-12.2.15 installations. As compensating controls until the CPU can be rolled out, restrict assignment of Cost Management and Cost Planning responsibilities to the minimum set of users, review and prune existing high-privileged role grants in EBS, place the EBS application tier behind a network filter that only permits trusted internal sources (trade-off: blocks remote business users), and increase audit logging on Cost Planning forms and concurrent programs to detect abuse - trade-off being added log volume and potential noise for SOC review.
More in Oracle Cost Management
View allRemote takeover of Oracle Cost Management (component: Cost Planning) within Oracle E-Business Suite versions 12.2.3 thro
Account takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged r
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37253