Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable EBS HTTP endpoint (AV:N), low complexity (AC:L), requires any authenticated EBS user (PR:L), no user interaction, and Oracle states full product takeover yielding C:H/I:H/A:H within the same security authority (S:U).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Outbound Telephony. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite component, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker with HTTP access to fully compromise the product's confidentiality, integrity, and availability. Oracle has published a fix in the June 2026 Critical Patch Update, and the CVSS 3.1 base score of 8.8 reflects an easily exploitable network-borne flaw, though no public exploit identified at time of analysis and EPSS data was not provided.
Technical ContextAI
Oracle Advanced Outbound Telephony is the predictive/preview dialer module of the Oracle E-Business Suite (EBS) Interaction Center family, built on top of the Oracle Application Server (Oracle HTTP Server + Forms/JSP/PL-SQL) stack and exposed through the EBS web tier. The 'Internal Operations' component handles back-end dialer administration and runtime control interactions, which are reachable over HTTP for authenticated EBS users. No CWE was assigned by the reporter, but the combination of low-privilege HTTP access leading to full product takeover is consistent with the broken-access-control / missing-authorization class of issues that have historically affected EBS Interaction Center modules.
RemediationAI
Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html), which is the patch available per vendor advisory for EBS 12.2.3 through 12.2.15; exact post-patch version strings are tracked in the CPU readme and should be matched against your current EBS 12.2 RUP level. If the CPU cannot be applied immediately, reduce exposure by restricting HTTP access to the Advanced Outbound Telephony URLs at the EBS web tier (Oracle HTTP Server mod_rewrite / URL firewall rules) to only the trusted internal dialer operators, and consider temporarily disabling the Advanced Outbound Telephony responsibility for non-essential users - be aware that URL filtering can break legitimate dialer agent workflows and disabling responsibilities will stop outbound campaign operations until restored. Also rotate credentials and review audit logs for any low-privileged EBS accounts after patching, since PR:L exploitation is plausible from any compromised self-service account.
Remote unauthenticated compromise of Oracle Advanced Outbound Telephony (Oracle E-Business Suite, Internal Operations co
Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-p
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37262