Skip to main content

JD Edwards EnterpriseOne EUVDEUVD-2026-37385

| CVE-2026-46893 CRITICAL
Improper Privilege Management (CWE-269)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable via SMB (AV:N), Oracle states easily exploitable (AC:L), requires a low-privileged account (PR:L), no user interaction, and full takeover with scope change to adjacent products.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:25 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne General Ledger product of Oracle JD Edwards (component: E1 Foundation). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via SMB to compromise JD Edwards EnterpriseOne General Ledger. While the vulnerability is in JD Edwards EnterpriseOne General Ledger, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne General Ledger. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation and full takeover of Oracle JD Edwards EnterpriseOne General Ledger 9.2 (E1 Foundation component) is possible by a low-privileged network attacker via SMB, with scope change to other products. No public exploit identified at time of analysis, but the CVSS 9.9 score and 'easily exploitable' vendor characterization make this a high-priority patching target for ERP operators.

Technical ContextAI

The affected component is the E1 Foundation layer of JD Edwards EnterpriseOne General Ledger, the financial accounting module within Oracle's JD Edwards ERP suite. The attack vector is SMB (Server Message Block), indicating the vulnerable code path is reachable over a Windows file-sharing service exposed by or used by the E1 Foundation. No CWE was assigned by Oracle, which is typical for Oracle Critical Patch Update advisories - Oracle historically withholds detailed root cause information, so the exact weakness class (deserialization, path traversal, authentication bypass, etc.) cannot be determined from the supplied data. The CPE 'cpe:2.3:a:oracle_corporation:jd_edwards_enterpriseone_general_ledger' confirms the affected product family, with version 9.2 specifically identified.

RemediationAI

Apply the patches from Oracle's June 2026 Critical Patch Update for JD Edwards (Patch available per vendor advisory: https://www.oracle.com/security-alerts/cspujun2026.html) - an exact fix tools-release version is not enumerated in the supplied data, so confirm the specific Tools Release or ESU level in the CPU matrix before deploying. Until patched, restrict SMB exposure of JD Edwards EnterpriseOne servers: block TCP/445 inbound from untrusted networks at the perimeter and host firewall, segment JDE application and database tiers from general user VLANs, and limit SMB share access to a minimal allowlist of administrative accounts (side effect: may break legitimate batch-print, UBE output, or integration workflows that rely on SMB shares - test these before enforcement). Increase monitoring of authentication events and SMB activity against the JDE Foundation, and review low-privileged accounts that can reach the host since PR:L means even a constrained user is sufficient for exploitation.

Share

EUVD-2026-37385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy