Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable HTTP EAI endpoint (AV:N), no special timing or configuration (AC:L), any authenticated Siebel user suffices (PR:L), no user interaction, full component takeover yields C:H/I:H/A:H within the same authorization scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: EAI). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in takeover of Siebel CRM Integration. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover of the Siebel CRM Integration component (EAI) in Oracle Siebel CRM versions 17.0 through 26.5 allows a low-privileged remote attacker with HTTP network access to fully compromise the integration component, impacting confidentiality, integrity, and availability. Oracle rates this 'easily exploitable' with CVSS 3.1 score 8.8, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The flaw resides in the Enterprise Application Integration (EAI) component of Siebel CRM Integration, the middleware layer Oracle Siebel uses to exchange data with external systems via HTTP-based services (typically SOAP/XML or REST over the Siebel Web Engine). The CPE 'cpe:2.3:a:oracle_corporation:siebel_crm_integration' confirms the Oracle commercial CRM stack, not third-party connectors. No CWE is assigned in NVD, but Oracle's 'takeover' language combined with PR:L (any authenticated Siebel user) and full CIA impact is consistent with an authorization or input-handling flaw in an EAI service endpoint that allows privilege escalation or unrestricted action invocation within the integration subsystem.
RemediationAI
Apply the Oracle June 2026 Critical Patch Update (CPUJun2026) per https://www.oracle.com/security-alerts/cspujun2026.html, which contains the Siebel CRM fix; exact post-patch build numbers are published inside the CPU advisory matrix and should be matched to your installed version (17.0-26.5). Until the CPU can be applied, restrict network reachability to the Siebel EAI HTTP endpoints to known integration partners only via firewall or reverse-proxy ACLs, tighten Siebel responsibility/position assignments so that only the minimum set of accounts can authenticate to EAI services (eliminating the PR:L precondition for most users), and increase audit logging on EAI inbound requests to detect anomalous SOAP/REST calls - note that ACL restriction may break legitimate B2B integrations and should be coordinated with integration owners.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37377