Skip to main content

Oracle Enterprise Manager EUVDEUVD-2026-37365

| CVE-2026-46872 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.0
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H
vuln.today AI
9.0 CRITICAL

Network-reachable OMS HTTPS endpoint with low complexity but requiring high OEM admin privileges and no user interaction; scope change into managed Oracle products with limited confidentiality but high integrity and availability impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:35 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Install). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Oracle Enterprise Manager Base Platform accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H).

AnalysisAI

Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authenticated, high-privileged attacker over HTTPS to modify or destroy critical data, read a subset of data, and trigger a complete denial of service, with scope change extending impact to additional products. Oracle rates the issue CVSS 3.1 9.0 and there is no public exploit identified at time of analysis, but the scope-change behavior and broad impact warrant prompt patching during the next Oracle CPU window.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain privileged OEM admin credentials
Delivery
Reach OMS HTTPS management endpoint
Exploit
Invoke vulnerable Install component action
Execution
Trigger scope-change behavior
Persist
Modify or destroy OEM data and crash service
Impact
Impact managed Oracle targets downstream

Vulnerability AssessmentAI

Exploitation Attacker must already hold high OEM privileges (PR:H) - typically an OMS administrator role authorized to use the Install component for agent/plug-in deployment - and must reach the Oracle Management Server over its HTTPS management channel; no user interaction is required (UI:N) and complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The Oracle-published vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H yields 9.0 primarily because of scope change combined with high integrity and availability impact - a single OEM administrator action can cascade into managed Oracle products. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or compromised a high-privileged OEM administrator account (for example via a phished SSO session or reused credentials) connects to the OMS over HTTPS and invokes the vulnerable Install-component action, abusing the scope-change behavior to corrupt OEM metadata and push a malicious or destructive operation that crashes OEM and impacts managed Oracle targets. No public exploit identified at time of analysis, so an actor would need to derive exploitation details from the Oracle CPU advisory or independent reverse engineering.
Remediation Apply the Oracle June 2026 Critical Patch Update bundle for Oracle Enterprise Manager Base Platform 13.5 and 24.1 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; exact patched build numbers are listed in that advisory and should be referenced directly rather than from third parties. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Enterprise Manager Base Platform 13.5 and 24.1; audit and restrict high-privileged account access to essential personnel only; enable detailed logging for all management console authentication and administrative actions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-46855 CRITICAL
9.9 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker v

CVE-2026-46852 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P

CVE-2026-46854 CRITICAL
9.9 Jun 16

Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management compo

CVE-2026-46832 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework

CVE-2026-46857 CRITICAL
9.8 Jun 16

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network a

CVE-2026-46856 CRITICAL
9.6 Jun 16

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker ov

CVE-2026-46853 CRITICAL
9.6 Jun 16

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to

CVE-2026-46875 CRITICAL
9.1 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library comp

CVE-2026-46864 HIGH
8.8 Jun 16

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo

CVE-2026-46866 HIGH
8.2 Jun 16

Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthentica

CVE-2026-46865 HIGH
8.2 Jun 16

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component)

CVE-2026-46868 HIGH
7.2 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-

Share

EUVD-2026-37365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy