Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network HTTP reach (AV:N), straightforward once authorized (AC:L), requires existing high privilege in iSupport (PR:H), no user interaction, and scope change with full CIA impact on adjacent EBS components.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privileged remote takeover of Oracle iSupport (Oracle E-Business Suite, Internal Operations component) affects versions 12.2.3 through 12.2.15, where an authenticated high-privilege attacker with HTTP access can fully compromise the application with scope change into adjacent E-Business Suite components. The CVSS 9.1 score reflects the cross-component blast radius rather than ease of access, since PR:H means the attacker must already hold elevated privileges. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.
Technical ContextAI
Oracle iSupport is the customer self-service module within Oracle E-Business Suite (EBS) 12.2.x, providing web-based ticketing, knowledge base, and account management functions that integrate tightly with other EBS modules (Order Management, TCA, Financials). The affected 'Internal Operations' component handles back-office administrative flows that are normally restricted to privileged operators. Although Oracle did not publish a CWE, the CVSS profile (PR:H, S:C, full CIA at High) is characteristic of an authorization or trust-boundary defect in a privileged EBS servlet that allows a privileged user of iSupport to act on data and operations belonging to neighbouring EBS components - a classic scope-changing privilege/trust-boundary flaw within the shared EBS technology stack (Oracle HTTP Server, WebLogic, Forms, and the APPS schema).
RemediationAI
Apply Patch available per vendor advisory by installing the June 2026 Oracle Critical Patch Update fixes for E-Business Suite iSupport as published at https://www.oracle.com/security-alerts/cspujun2026.html, prioritizing the patch corresponding to your exact 12.2.x release level. Until the CPU can be applied, reduce real-world risk by tightening which accounts hold privileged iSupport responsibilities (the PR:H prerequisite is the main gating factor) and by restricting network reachability of the iSupport servlets to trusted networks via Oracle HTTP Server URL firewall (FND: URL Firewall) rules - note that aggressive URL-firewall entries can break legitimate internal-operations flows and should be tested in a clone first. Also rotate and audit any shared/service privileged accounts and enable Oracle EBS auditing on the Internal Operations responsibilities so abuse is detectable; these are mitigations, not fixes, and do not substitute for the CPU patch.
More in Oracle Isupport
View allTakeover of Oracle iSupport in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated
Full takeover of Oracle iSupport (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37258