Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
JDENET is network-reachable with no authentication or user interaction, exploitation is described as easy, and successful attack yields full Tools takeover, justifying C:H/I:H/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 score reflects full compromise of confidentiality, integrity, and availability via a network-reachable attack path with no user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
JDENET is the proprietary peer-to-peer network protocol that JD Edwards EnterpriseOne Tools uses between Enterprise Servers, HTML Servers, and other middle-tier components for inter-process messaging and call-object requests. The affected component is identified by Oracle as 'Enterprise Infrastructure Security,' meaning the flaw sits in the trust/authentication boundary of this internal bus. CWE is not assigned, but the combination of unauthenticated network reach and full CIA impact is consistent with broken authentication or insecure deserialization of JDENET messages, classes of bugs historically seen in this protocol family. The CPE cpe:2.3:a:oracle_corporation:jd_edwards_enterpriseone_tools covers all 9.2.x Tools releases up to 9.2.26.2.
RemediationAI
Apply the fix shipped in Oracle's June 2026 Critical Patch Update (cspujun2026) to JD Edwards EnterpriseOne Tools; an exact fixed Tools release number was not provided in the input, so administrators should follow the patched version referenced in https://www.oracle.com/security-alerts/cspujun2026.html (Patch available per vendor advisory). Until patches are deployed, restrict JDENET ports (typically 6015 and the configured JDENET port range) to only known Enterprise Server, HTML Server, and Deployment Server hosts via host-based firewalls or network ACLs, and ensure no JDENET listener is reachable from user VLANs, DMZs, or the internet - note this can disrupt cross-server call-object traffic if scopes are too narrow. Monitor JDENET listener logs and netstat for unexpected sources, and accelerate any upgrades from older 9.2.x Tools trains that may lag the June 2026 CPU baseline.
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37375