Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable EBS web tier (AV:N), Oracle labels easily exploitable (AC:L), requires a low-privileged EBS account (PR:L), no user interaction, and description states full module takeover (C:H/I:H/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Outsourced Mfg for Discrete Industries. Successful attacks of this vulnerability can result in takeover of Oracle Outsourced Mfg for Discrete Industries. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full takeover of Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) is achievable by a low-privileged authenticated attacker over HTTP, per Oracle's June 2026 Critical Patch Update advisory. The CVSS 3.1 base score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity, though no public exploit identified at time of analysis. Affected versions span 12.2.3 through 12.2.15 of Oracle E-Business Suite.
Technical ContextAI
Oracle E-Business Suite (EBS) is Oracle's flagship enterprise resource planning (ERP) platform, with the Outsourced Mfg for Discrete Industries module supporting manufacturers who delegate production to third parties. The vulnerable Internal Operations component is reached over HTTP, indicating exposure through the EBS web-tier (typically the Oracle HTTP Server fronting OAF/Forms servlets). No CWE was assigned by Oracle (their CPU advisories routinely omit CWE classification), but the combination of low privileges, network HTTP vector, and full C/I/A compromise is consistent with an authenticated injection, deserialization, or access-control bypass in an EBS servlet or PL/SQL gateway endpoint.
RemediationAI
Apply patch available per vendor advisory by installing the fixes bundled in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); exact patch numbers are listed in the CPU's E-Business Suite patch availability matrix and should be applied to all instances on 12.2.3-12.2.15 in line with Oracle's standard adop/ad utility procedures, followed by post-patch validation of the Outsourced Mfg module. Until patched, restrict network reachability to the EBS web tier by placing it behind a VPN or reverse proxy with IP allow-listing, audit and reduce accounts with access to the Outsourced Mfg / Internal Operations responsibilities (since any low-privileged EBS user can exploit), and consider WAF rules in front of the affected servlet paths once Oracle identifies them in the CPU notes; these controls reduce attack surface but do not address the underlying flaw and may break legitimate workflows for outsourced manufacturing partners.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37282