Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network HTTP reach with a low-privileged OEM account suffices (AV:N, AC:L, PR:L, UI:N); scope change to managed Oracle products and full takeover give S:C and C:H/I:H/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Target Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management component) allows a low-privileged attacker with HTTP network access to compromise the platform and impact other Oracle products via scope change. The flaw carries a CVSS 9.9 rating reflecting low attack complexity and broad confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Enterprise Manager often holds privileged credentials for managed Oracle databases and middleware, successful exploitation effectively pivots the attacker into the wider Oracle estate.
Technical ContextAI
Oracle Enterprise Manager Base Platform (OEM) is Oracle's centralized management framework for monitoring databases, middleware, engineered systems, and cloud workloads, exposed through an HTTP/HTTPS management console and agent communication channels. The vulnerable Target Management component handles registration, configuration, and orchestration of managed targets, and frequently stores named credentials, preferred credentials, and job execution rights. No CWE is published, but the CVSS vector (network HTTP, low privilege, scope=changed, C/I/A all High) is consistent with an authorization or input-handling defect in a Target Management endpoint that escapes its security boundary and reaches resources owned by other components or downstream managed targets.
RemediationAI
Apply the fixes delivered in Oracle's June 2026 Critical Patch Update (Patch available per vendor advisory at https://www.oracle.com/security-alerts/cspujun2026.html) to Oracle Enterprise Manager Base Platform 13.5 and 24.1 as soon as the maintenance window permits; an exact fixed build number is not in the supplied data and must be taken directly from the CPU matrix. Until patching, restrict network reachability of the OEM console and management ports to a dedicated administrative network or jump hosts, audit and remove unnecessary low-privilege OEM accounts, rotate named and preferred credentials stored in OEM, and increase monitoring of Target Management activity and job submissions; note that network restrictions can break legitimate operator and integration workflows, and credential rotation may interrupt scheduled jobs against managed targets.
Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker v
Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework
Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network a
Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker ov
Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library comp
Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authe
Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo
Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthentica
Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component)
Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37347