Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description states easily exploitable, unauthenticated, HTTP-reachable, resulting in full component takeover - supports AV:N/AC:L/PR:N/UI:N with C:H/I:H/A:H and unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, requiring no privileges or user interaction. Successful exploitation yields full compromise of the Marketing component with high confidentiality, integrity, and availability impact (CVSS 9.8). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
Siebel Apps - Marketing is the campaign management module of Oracle's Siebel CRM suite, used by enterprises to design, execute, and track multi-channel marketing campaigns. The CPE 'cpe:2.3:a:oracle_corporation:siebel_apps_-_marketing' confirms the affected component is the Marketing application itself rather than a shared infrastructure layer. Oracle has not published a CWE classification, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) combined with 'takeover' language is consistent with a pre-authentication flaw in an internet-reachable HTTP endpoint - typically arising from authentication bypass, deserialization, injection, or broken access control in the web tier.
RemediationAI
Patch available per vendor advisory: apply the fixes shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) - Oracle does not publish discrete fix version strings in CPU listings, so consult the advisory matrix for the exact post-CPU patch level matching your Siebel release. Until the CPU can be applied, restrict network reachability of the Siebel Apps - Marketing HTTP endpoints to trusted internal management networks via firewall or reverse-proxy ACLs (side effect: legitimate remote marketing users will lose access), and place a WAF in front of the Marketing servlet paths to block anomalous unauthenticated POST/GET traffic (side effect: potential false positives on campaign-import workflows). Increase logging on the Marketing web tier and monitor for unauthenticated requests reaching administrative or campaign-execution URLs.
More in Siebel Apps Marketing
View allWhen using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a)
Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by una
Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, all
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP,
Authenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) allows a low-privileged attacker w
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. Rated low severity (CVSS 3.7), this
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37376