Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network HTTP reachable (AV:N), low complexity per Oracle (AC:L), requires an authenticated low-privileged EBS user (PR:L), no user interaction, and yields full takeover of the module (C/I/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Outbound Telephony. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component over HTTP. The Internal Operations component is exposed to authenticated users with network reach, and successful exploitation yields high impact across confidentiality, integrity, and availability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) network HTTP reach to the Oracle E-Business Suite application tier where the Advanced Outbound Telephony module is deployed, and (2) a valid low-privileged EBS user session (PR:L per the vendor-supplied CVSS vector) - no user interaction and no admin privileges are needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 8.8 reflects a high-severity, easily exploitable issue: network-reachable over HTTP, low complexity, and only low privileges required for full CIA compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained any low-privileged Oracle EBS account - for example through phishing of a call-center user or reuse of leaked credentials - sends a crafted HTTP request to an Advanced Outbound Telephony endpoint in the Internal Operations component and takes over the module, gaining the ability to read, modify, and disrupt outbound campaign data and dialing operations. No public exploit identified at time of analysis, but the low attack complexity and Oracle's 'easily exploitable' wording suggest a PoC would be straightforward once the patch is reverse-engineered. |
| Remediation | Apply the patch available per vendor advisory in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html), covering the full 12.2.3-12.2.15 range; no exact post-patch build string was published in the available input, so reference the CPU document for the specific bundle patch number for your release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running Oracle E-Business Suite versions 12.2.3 through 12.2.15; audit network access to the Internal Operations component and restrict via firewall to authorized personnel only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote unauthenticated compromise of Oracle Advanced Outbound Telephony (Oracle E-Business Suite, Internal Operations co
Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite component, versions 12.2.3 through 12.2.15) all
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37260