Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable EBS module (AV:N, AC:L), but requires an existing high-privilege HRMS/UK Payroll account (PR:H); no user interaction; full takeover yields C/I/A:H within the same scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle HRMS (UK) product of Oracle E-Business Suite (component: UK Payroll). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HRMS (UK). Successful attacks of this vulnerability can result in takeover of Oracle HRMS (UK). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full takeover of Oracle HRMS (UK) - the UK Payroll component of Oracle E-Business Suite versions 12.2.3 through 12.2.15 - is possible by an already-authenticated, highly privileged attacker over HTTP, leading to complete loss of confidentiality, integrity, and availability of the HRMS application. Oracle classifies the issue as easily exploitable but the PR:H requirement narrows the realistic attacker pool to insiders and compromised admin accounts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Oracle E-Business Suite (EBS) is Oracle's on-premises ERP platform; the HRMS (UK) module within it provides UK-specific human resources and payroll functions and is typically deployed as part of the Oracle Applications stack fronted by Oracle HTTP Server / WebLogic. The affected CPE cpe:2.3:a:oracle_corporation:oracle_hrms_(uk):*:* covers all 12.2.x point releases from 12.2.3 to 12.2.15, indicating a long-standing defect in the UK Payroll component reachable over HTTP. No CWE was assigned by the reporter, so the precise root-cause class (authorization bypass, SQL injection, deserialization, etc.) cannot be determined from the public advisory alone; Oracle's Critical Patch Update advisories deliberately withhold technical detail.
RemediationAI
Apply patch available per vendor advisory - install the fixes shipped in the Oracle Critical Patch Update June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for all EBS 12.2.x instances in the 12.2.3-12.2.15 range; Oracle does not publish individual fix version numbers per CVE in CPU advisories, so consult the CPU patch matrix for the exact one-off or RPC patch number for your 12.2.x level. Until patching, reduce blast radius by tightening assignment of EBS responsibilities that grant UK Payroll / HRMS administrative access, enforcing MFA on all EBS admin accounts, restricting network access to the HRMS URLs via the Oracle E-Business Suite URL firewall / DMZ configuration (trade-off: may break legitimate self-service access if rules are too broad), and increasing audit-log review on UK Payroll transactions to detect abuse by privileged users (trade-off: detective rather than preventive).
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37265