Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable HTTP endpoint (AV:N) with no special conditions (AC:L), requires a high-privileged EBS/iSupport account (PR:H), no user interaction, and impact crosses into other EBS modules (S:C) with full CIA loss.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Takeover of Oracle iSupport in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with scope-changed impact extending to additional EBS components. The CVSS 3.1 base score of 9.1 reflects full confidentiality, integrity, and availability loss beyond the vulnerable component itself. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Oracle iSupport is a self-service customer support module within the Oracle E-Business Suite (EBS) 12.2 application stack, deployed via the Oracle Application Server / WebLogic tier and backed by the EBS database schema. The affected component is 'Internal Operations,' which handles administrative/back-office workflows exposed over HTTP through the EBS framework. No CWE has been assigned by Oracle; the advisory only indicates a scope-changing flaw reachable over the network that yields component takeover, consistent with weaknesses in EBS administrative endpoints (authorization or injection-class issues) that have historically plagued the 12.2.x line.
RemediationAI
Apply the Oracle Critical Patch Update for June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory; Oracle has not published a discrete fixed micro-version in the supplied intelligence, so use the CPU patch matrix for your exact 12.2.x release. Until the CPU is applied, restrict network reachability of the iSupport Internal Operations URLs to trusted administrative networks only (firewall/reverse-proxy URL filtering on the EBS web tier), aggressively reduce the number of accounts holding iSupport administrative responsibilities, rotate credentials of any privileged iSupport users, and increase auditing on iSupport admin activity in the EBS FND audit tables; note that URL-level filtering can break legitimate internal admin workflows and that role reduction may temporarily impact support operations.
More in Oracle Isupport
View allPrivileged remote takeover of Oracle iSupport (Oracle E-Business Suite, Internal Operations component) affects versions
Full takeover of Oracle iSupport (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37259