Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
RMI is network-reachable (AV:N) with no auth (PR:N) or interaction (UI:N); Oracle confirms scope change (S:C) with full takeover yielding C:H/I:H/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via the Client Bundle component over RMI, allowing unauthenticated network attackers to fully compromise the product and pivot into other Fusion Middleware components due to a CVSS scope change. With a maximum 10.0 CVSS score, low attack complexity, and no privileges or user interaction required, this is a top-priority issue, though no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update.
Technical ContextAI
Oracle WebCenter Enterprise Capture is a document imaging and capture platform within the Oracle Fusion Middleware stack used to scan, index, and route documents into enterprise content systems. The vulnerability is reachable through the Client Bundle component, which communicates with the server over Java RMI (Remote Method Invocation) - a protocol historically associated with insecure Java deserialization and remote object invocation flaws in Oracle Fusion Middleware. While the CWE is not provided, the combination of RMI exposure, unauthenticated network reach, and scope change is consistent with a deserialization-of-untrusted-data or unsafe remote method exposure pattern (CWE-502/CWE-306 class) commonly seen in Oracle WebLogic and Fusion Middleware RMI-facing services. The affected CPE is oracle_corporation:oracle_webcenter_enterprise_capture across versions 12.2.1.4.0 and 14.1.2.0.0.
RemediationAI
Patch available per vendor advisory - apply the fixes bundled in the Oracle June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) for both Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0; exact post-patch version identifiers should be taken directly from Oracle's CPU patch matrix. Until patching is complete, restrict network access to the RMI listener (commonly the WebLogic/Fusion Middleware RMI port) to trusted management networks only via firewall ACLs - note this will break legitimate Capture Client Bundle traffic from any blocked subnets and may require relocating client workstations or jump hosts. Additionally, consider disabling or constraining the Client Bundle component if it is not in active use, accepting that Capture's thick-client document ingestion workflows will stop functioning, and monitor for anomalous Java deserialization patterns or unexpected outbound connections from the Capture host as a detective control.
Remote unauthenticated takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible via the RMI
Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible by a low-privile
Takeover of Oracle WebCenter Enterprise Capture is achievable by a low-privileged remote attacker via the T3 protocol in
Authenticated takeover of Oracle WebCenter Enterprise Capture (12.2.1.4.0 and 14.1.2.0.0) is achievable by a low-privile
Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible by a low-privileged attacke
Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible via the Client Bundle compo
Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible by a low-privile
Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged attac
Account takeover of Oracle WebCenter Enterprise Capture (12.2.1.4.0 and 14.1.2.0.0) is achievable by a low-privileged at
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37296