Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle states unauthenticated HTTP exploitation with takeover impact, so AV:N/AC:L/PR:N/UI:N with full C/I/A; scope unchanged as compromise stays within the EM trust boundary.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Oracle Management Service). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network attackers to fully compromise the Oracle Management Service via HTTP. The flaw is rated CVSS 9.8 with low attack complexity and no user interaction, enabling complete takeover of the management platform. No public exploit identified at time of analysis, but the trivial exploitation profile and the platform's privileged role across managed Oracle estates make it a high-priority patching target.
Technical ContextAI
Oracle Enterprise Manager Base Platform is the central management framework Oracle customers use to monitor and administer databases, middleware, and engineered systems. The vulnerable component is the Oracle Management Service (OMS), the HTTP-facing tier (typically WebLogic-based) that brokers communication between agents, the management repository, and the console. CWE is not assigned in the input; based on the CVSS vector (network, low complexity, no privileges, no UI) and Oracle's 'takeover' language, the root cause is most plausibly an authentication bypass or unauthenticated request-handling flaw in an OMS HTTP endpoint, but the precise weakness class is not disclosed by Oracle's advisory style. The CPE cpe:2.3:a:oracle_corporation:oracle_enterprise_manager_base_platform covers the platform itself rather than a specific OMS subcomponent.
RemediationAI
Apply the patch available per vendor advisory in Oracle's June 2026 Critical Patch Update at https://www.oracle.com/security-alerts/cspujun2026.html, covering Enterprise Manager Base Platform 13.5 and 24.1; Oracle's CPU bundles the specific OMS patch IDs and prerequisite stack patches that should be applied to each OMS home. Until the CPU can be staged, restrict network reachability of the OMS HTTPS console and upload ports (typically 7799/7803 and the 4900-range) to a trusted management VLAN or jump-host range, recognising that this breaks agent uploads from any host outside the allowlist and may leave targets unmonitored. Place a reverse proxy or WAF in front of OMS to log and rate-limit unauthenticated HTTP requests, accepting the operational cost of console latency and potential agent timeouts, and rotate any OMS-stored credentials after patching given the takeover-class impact.
Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker v
Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P
Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management compo
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework
Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker ov
Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library comp
Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authe
Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo
Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthentica
Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component)
Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37350