Skip to main content

Oracle Advanced Outbound Telephony EUVDEUVD-2026-37260

| CVE-2026-46947 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network HTTP reachable (AV:N), low complexity per Oracle (AC:L), requires an authenticated low-privileged EBS user (PR:L), no user interaction, and yields full takeover of the module (C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:57 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Outbound Telephony. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component over HTTP. The Internal Operations component is exposed to authenticated users with network reach, and successful exploitation yields high impact across confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS credentials
Delivery
Reach EBS application tier over HTTP
Exploit
Send crafted request to Internal Operations endpoint
Execution
Exploit Advanced Outbound Telephony flaw
Persist
Take over Telephony module
Impact
Read and tamper with outbound campaign data

Vulnerability AssessmentAI

Exploitation Requires (1) network HTTP reach to the Oracle E-Business Suite application tier where the Advanced Outbound Telephony module is deployed, and (2) a valid low-privileged EBS user session (PR:L per the vendor-supplied CVSS vector) - no user interaction and no admin privileges are needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 8.8 reflects a high-severity, easily exploitable issue: network-reachable over HTTP, low complexity, and only low privileges required for full CIA compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privileged Oracle EBS account - for example through phishing of a call-center user or reuse of leaked credentials - sends a crafted HTTP request to an Advanced Outbound Telephony endpoint in the Internal Operations component and takes over the module, gaining the ability to read, modify, and disrupt outbound campaign data and dialing operations. No public exploit identified at time of analysis, but the low attack complexity and Oracle's 'easily exploitable' wording suggest a PoC would be straightforward once the patch is reverse-engineered.
Remediation Apply the patch available per vendor advisory in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html), covering the full 12.2.3-12.2.15 range; no exact post-patch build string was published in the available input, so reference the CPU document for the specific bundle patch number for your release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Oracle E-Business Suite versions 12.2.3 through 12.2.15; audit network access to the Internal Operations component and restrict via firewall to authorized personnel only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37260 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy