Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Oracle states HTTP network access (AV:N), low-privileged authenticated attacker (PR:L), difficult to exploit (AC:H), no user interaction, and full takeover of SLA module (C:H/I:H/A:H, S:U).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows an authenticated low-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the module. Although the CVSS 3.1 base score is 7.5 with high impact across all three pillars, the AC:H rating signals non-trivial exploitation requirements, and there is no public exploit identified at time of analysis.
Technical ContextAI
Oracle Subledger Accounting (SLA) is a rule-based accounting engine within the Oracle E-Business Suite (EBS) 12.2 financial management stack that centralizes journal entry creation for subsidiary ledgers such as Payables, Receivables, and Assets. The vulnerable component is identified as 'Internal Operations,' which typically encompasses backend processing routines exposed through the EBS Oracle Application Server / Forms / OA Framework HTTP tier. No CWE classification was assigned by the reporter (Oracle), so the precise root cause class (e.g., injection, deserialization, authorization bypass) cannot be determined from the available data. The affected CPE is cpe:2.3:a:oracle_corporation:oracle_subledger_accounting, covering EBS 12.2.3 through 12.2.15.
RemediationAI
Apply the patches delivered in Oracle's June 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html (Patch available per vendor advisory; no exact post-patch version number is published in the available data - consult the CPU's patch matrix for the specific EBS 12.2 RUP/one-off patch ID applicable to your release). Until patching, compensating controls include restricting HTTP access to the Subledger Accounting / Internal Operations endpoints to trusted networks via reverse-proxy ACLs or WAF rules (trade-off: may block legitimate finance integrations), tightening responsibility/menu assignments so the minimum set of EBS users hold privileges that map to Subledger Accounting functions (trade-off: requires role re-mapping and user retesting), and enabling/reviewing FND audit and database auditing on SLA-related schemas to detect anomalous activity (trade-off: increased log volume). Do not expose the EBS HTTP tier directly to the internet.
More in Oracle Subledger Accounting
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37270