Skip to main content

Oracle iSupport EUVDEUVD-2026-37258

| CVE-2026-46945 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network HTTP reach (AV:N), straightforward once authorized (AC:L), requires existing high privilege in iSupport (PR:H), no user interaction, and scope change with full CIA impact on adjacent EBS components.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:59 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privileged remote takeover of Oracle iSupport (Oracle E-Business Suite, Internal Operations component) affects versions 12.2.3 through 12.2.15, where an authenticated high-privilege attacker with HTTP access can fully compromise the application with scope change into adjacent E-Business Suite components. The CVSS 9.1 score reflects the cross-component blast radius rather than ease of access, since PR:H means the attacker must already hold elevated privileges. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.

Technical ContextAI

Oracle iSupport is the customer self-service module within Oracle E-Business Suite (EBS) 12.2.x, providing web-based ticketing, knowledge base, and account management functions that integrate tightly with other EBS modules (Order Management, TCA, Financials). The affected 'Internal Operations' component handles back-office administrative flows that are normally restricted to privileged operators. Although Oracle did not publish a CWE, the CVSS profile (PR:H, S:C, full CIA at High) is characteristic of an authorization or trust-boundary defect in a privileged EBS servlet that allows a privileged user of iSupport to act on data and operations belonging to neighbouring EBS components - a classic scope-changing privilege/trust-boundary flaw within the shared EBS technology stack (Oracle HTTP Server, WebLogic, Forms, and the APPS schema).

RemediationAI

Apply Patch available per vendor advisory by installing the June 2026 Oracle Critical Patch Update fixes for E-Business Suite iSupport as published at https://www.oracle.com/security-alerts/cspujun2026.html, prioritizing the patch corresponding to your exact 12.2.x release level. Until the CPU can be applied, reduce real-world risk by tightening which accounts hold privileged iSupport responsibilities (the PR:H prerequisite is the main gating factor) and by restricting network reachability of the iSupport servlets to trusted networks via Oracle HTTP Server URL firewall (FND: URL Firewall) rules - note that aggressive URL-firewall entries can break legitimate internal-operations flows and should be tested in a clone first. Also rotate and audit any shared/service privileged accounts and enable Oracle EBS auditing on the Internal Operations responsibilities so abuse is detectable; these are mitigations, not fixes, and do not substitute for the CPU patch.

Share

EUVD-2026-37258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy