Skip to main content

JD Edwards EnterpriseOne Tools EUVDEUVD-2026-37371

| CVE-2026-46879 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

JDENET is network-reachable (AV:N), Oracle calls it easily exploitable (AC:L), no auth or interaction is needed (PR:N/UI:N), and full takeover yields H/H/H within the Tools scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:32 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and Oracle's own 'easily exploitable' wording indicate trivial exploitation, with full confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed JDENET listener
Delivery
Reach JDENET TCP port over network
Exploit
Send crafted JDENET message
Execution
Trigger flaw in Enterprise Infrastructure Security
Persist
Gain Tools-layer code execution
Impact
Take over EnterpriseOne environment

Vulnerability AssessmentAI

Exploitation The attacker only needs network reachability to the JDENET protocol listener on a JD Edwards EnterpriseOne Tools 9.2.0.0-9.2.26.2 server; no authentication, no user interaction, and no special non-default configuration is required per the CVSS AV:N/AC:L/PR:N/UI:N vector and Oracle's 'easily exploitable' wording. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to high real-world priority: the CVSS 9.8 vector is fully network-reachable, low complexity, no privileges, no user interaction, with H/H/H impact, and Oracle itself flags it 'easily exploitable' and resulting in 'takeover.' EPSS, KEV listing, and SSVC decision data are not provided in the input, so quantitative exploitation probability and automatability cannot be confirmed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to a JD Edwards EnterpriseOne server (for example a foothold on an internal workstation, a compromised business partner VPN, or a misconfigured perimeter exposing JDENET) sends a crafted JDENET message to the kernel listener and gains takeover of the Tools layer without any credentials or user interaction. Given Oracle's 'easily exploitable' framing and AC:L, weaponization should be assumed feasible by a skilled attacker once technical details emerge, even though no public exploit identified at time of analysis.
Remediation Apply the fix delivered in Oracle's June 2026 Critical Patch Update for JD Edwards EnterpriseOne Tools as documented at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle's advisory is the authoritative source for the exact patched Tools release that supersedes 9.2.26.2 - patch available per vendor advisory, exact post-9.2.26.2 fix version should be taken directly from the CPU matrix rather than assumed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all JD Edwards deployments; assess which systems expose JDENET to untrusted networks (external internet, DMZ, or partner connections) and immediately isolate them or restrict access to trusted internal sources only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-5645 CRITICAL POC
9.8 Apr 17

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-42013 CRITICAL POC
9.8 Oct 07

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-2733 CRITICAL POC
9.8 Apr 15

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-2351 HIGH POC
8.3 Jul 21

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi

Share

EUVD-2026-37371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy