Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle states unauthenticated network exploitation over JDENET with no user interaction and full takeover, so AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H with unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Unauthenticated remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the JDENET network protocol, granting full confidentiality, integrity, and availability impact on the ERP middleware. Oracle rates this CVSS 9.8 and describes it as easily exploitable, but at the time of analysis there is no public exploit identified and no CISA KEV listing. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the JDENET protocol port of an Oracle JD Edwards EnterpriseOne Tools 9.2.0.0-9.2.26.2 enterprise server; no authentication, no user interaction, and no special non-default configuration are required per the AV:N/AC:L/PR:N/UI:N vector and Oracle's 'easily exploitable' phrasing. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes the worst-case profile: network-reachable, no authentication, no user interaction, and full CIA impact - Oracle's own text reinforces this with 'easily exploitable' and 'takeover.' There is no EPSS score, no SSVC decision, no POC reference, and no CISA KEV entry provided, so exploitation telemetry is absent and the score is currently a capability rating rather than evidence of mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with TCP reach to a JDE enterprise server's JDENET port sends a crafted JDENET message to the Enterprise Infrastructure Security component and, without supplying credentials or requiring any user action, gains full control of the JD Edwards EnterpriseOne Tools instance. From that foothold the attacker can read or modify ERP data - finance, HR, supply chain - and pivot to back-end databases that the JDE service account can reach. … |
| Remediation | Apply the fixes from Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) by upgrading JD Edwards EnterpriseOne Tools to the patched 9.2 release listed in that advisory; the input data does not specify a single fixed build number, so consult the CPU patch matrix for the exact target version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all JD Edwards EnterpriseOne Tools systems running versions 9.2.0.0 through 9.2.26.2 and assess network accessibility of JDENET protocol endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37374