Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable via SMB (AV:N), Oracle states easily exploitable (AC:L), requires a low-privileged account (PR:L), no user interaction, and full takeover with scope change to adjacent products.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne General Ledger product of Oracle JD Edwards (component: E1 Foundation). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via SMB to compromise JD Edwards EnterpriseOne General Ledger. While the vulnerability is in JD Edwards EnterpriseOne General Ledger, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne General Ledger. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privilege escalation and full takeover of Oracle JD Edwards EnterpriseOne General Ledger 9.2 (E1 Foundation component) is possible by a low-privileged network attacker via SMB, with scope change to other products. No public exploit identified at time of analysis, but the CVSS 9.9 score and 'easily exploitable' vendor characterization make this a high-priority patching target for ERP operators.
Technical ContextAI
The affected component is the E1 Foundation layer of JD Edwards EnterpriseOne General Ledger, the financial accounting module within Oracle's JD Edwards ERP suite. The attack vector is SMB (Server Message Block), indicating the vulnerable code path is reachable over a Windows file-sharing service exposed by or used by the E1 Foundation. No CWE was assigned by Oracle, which is typical for Oracle Critical Patch Update advisories - Oracle historically withholds detailed root cause information, so the exact weakness class (deserialization, path traversal, authentication bypass, etc.) cannot be determined from the supplied data. The CPE 'cpe:2.3:a:oracle_corporation:jd_edwards_enterpriseone_general_ledger' confirms the affected product family, with version 9.2 specifically identified.
RemediationAI
Apply the patches from Oracle's June 2026 Critical Patch Update for JD Edwards (Patch available per vendor advisory: https://www.oracle.com/security-alerts/cspujun2026.html) - an exact fix tools-release version is not enumerated in the supplied data, so confirm the specific Tools Release or ESU level in the CPU matrix before deploying. Until patched, restrict SMB exposure of JD Edwards EnterpriseOne servers: block TCP/445 inbound from untrusted networks at the perimeter and host firewall, segment JDE application and database tiers from general user VLANs, and limit SMB share access to a minimal allowlist of administrative accounts (side effect: may break legitimate batch-print, UBE output, or integration workflows that rely on SMB shares - test these before enforcement). Increase monitoring of authentication events and SMB activity against the JDE Foundation, and review low-privileged accounts that can reach the host since PR:L means even a constrained user is sufficient for exploitation.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37385