Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network-reachable OMS console (AV:N), no special timing (AC:L), requires EM admin role to reach Extensibility Framework (PR:H), no second-user interaction (UI:N), full OMS takeover gives C:H/I:H/A:H within same scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-privileged attacker abusing the Extensibility Framework over HTTPS, yielding complete confidentiality, integrity, and availability compromise of the management platform. Oracle disclosed the issue in the June 2026 Critical Patch Update with a CVSS 3.1 base score of 7.2, and no public exploit identified at time of analysis. Because EM Base Platform manages large fleets of Oracle databases and middleware, a successful compromise gives an attacker a high-value pivot point even though privileged access is required to trigger it.
Technical ContextAI
Oracle Enterprise Manager Base Platform is Oracle's central management framework used to monitor and administer Oracle databases, Fusion Middleware, engineered systems, and cloud workloads. The flaw resides in the Extensibility Framework, the subsystem that loads plug-ins (Management Plug-Ins/Metric Extensions) into the OMS so administrators can extend monitoring to additional targets. The CPE 'cpe:2.3:a:oracle_corporation:oracle_enterprise_manager_base_platform' confirms scope is limited to the Base Platform component rather than packaged DB or middleware targets. No CWE was assigned by Oracle, but the combination of high-privilege requirement plus full C/I/A impact on the OMS itself is consistent with a privileged-functionality abuse or unsafe deserialization/plug-in-loading pattern that yields code execution within the Management Server process.
RemediationAI
Apply the Oracle Critical Patch Update Advisory for June 2026 (cspujun2026) to Enterprise Manager Base Platform 13.5 and 24.1 as the primary fix - see https://www.oracle.com/security-alerts/cspujun2026.html for the bundle patch numbers and OPatch instructions per OMS release. Patch available per vendor advisory; no exact fix version was provided in the input, so reference the CPU README for the matching EM 13.5 RU and EM 24ai patch IDs before deployment. Until the CPU is applied, compensating controls include restricting EM administrative accounts (those with EM_ALL_OPERATOR/Super Administrator) to a small named set, enforcing MFA on the EM console, limiting network reachability of the OMS HTTPS console (default 7803) to a management VLAN or jump host, and auditing the MGMT$EM_USERS view and Extensibility/Plug-in deployment logs for unexpected uploads - note that tightening plug-in deployment will block legitimate administrator workflows for adding new monitoring targets, so coordinate with the EM operations team.
Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker v
Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P
Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management compo
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework
Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network a
Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker ov
Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library comp
Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authe
Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo
Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthentica
Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component)
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37361