Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network-reachable EBS HTTP endpoint (AV:N, AC:L), requires pre-existing high-privileged HR Intelligence account (PR:H), no user interaction, full takeover of the module gives C:H/I:H/A:H within the same scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by an authenticated high-privileged attacker over HTTP. Successful exploitation results in takeover of the HR Intelligence application with confidentiality, integrity, and availability impact (CVSS 3.1 base 7.2). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must possess high-privileged credentials on Oracle E-Business Suite (PR:H) - typically an HR Intelligence administrator or equivalent responsibility - and must be able to reach the EBS HTTP front end of an installation running Oracle E-Business Suite 12.2.3 through 12.2.15 with the HR Intelligence module deployed and the Internal Operations component accessible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H yields 7.2 (High), driven by full CIA impact tempered by the PR:H requirement, meaning the attacker must already hold high privileges in the EBS environment before exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already holds (or has compromised) an EBS account with high HR Intelligence privileges connects to the EBS HTTP endpoint and issues a crafted request against the Internal Operations component, abusing the unpatched flaw to take over the HR Intelligence module. The result is unauthorized read/write of HR analytics data and disruption of the service. … |
| Remediation | Patch available per vendor advisory: apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for all Oracle E-Business Suite 12.2.x deployments running HR Intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Oracle E-Business Suite instances in versions 12.2.3-12.2.15 and immediately restrict network access to the HR Intelligence component to defined administrative users only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Hr Intelligence
View allFull compromise of Oracle HR Intelligence (a module of Oracle E-Business Suite) is possible for an authenticated low-pri
Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite 12.2.3 through 12.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37280