Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable HTTP endpoint (AV:N), low complexity (AC:L), requires a low-privileged EBS account per description (PR:L), no user interaction (UI:N), scope change into other EBS modules (S:C), full takeover (C:H/I:H/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievable by a low-privileged remote attacker over HTTP, with a scope change that lets the compromise impact other Oracle E-Business Suite components. The flaw carries a CVSS 3.1 base score of 9.9 (C:H/I:H/A:H, S:C). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
Oracle Enterprise Command Center Framework (ECC) is an analytics and discovery layer bundled with Oracle E-Business Suite (EBS) that exposes data-driven dashboards over HTTP through the EBS application tier. The advisory identifies the affected component as 'Core', meaning the framework's central request-handling/authorization logic rather than a specific dashboard plugin. No CWE is assigned in the input, but the CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C, full C/I/A impact) is characteristic of an authorization or trust-boundary flaw where a low-privileged session can pivot beyond ECC into adjoining EBS modules sharing the same application tier. The affected CPE 'cpe:2.3:a:oracle_corporation:oracle_enterprise_command_center_framework:*' covers all releases of ECC V15 and V16 per the ENISA EUVD record (EUVD-2026-37387).
RemediationAI
Patch available per vendor advisory: apply the Oracle Critical Patch Update of June 2026 for Oracle E-Business Suite as documented at https://www.oracle.com/security-alerts/cspujun2026.html, which delivers the fix for both ECC V15 and V16 - Oracle does not publish discrete patched ECC build numbers in the input data, so administrators should follow the CPU's per-product patch matrix to identify the exact bundle for their EBS release. Until the CPU is applied, restrict network reachability of the EBS application tier (and specifically the ECC URLs under /OA_HTML/ and /ecc/) to trusted corporate networks or VPN clients via the reverse proxy or WAF, accepting that this breaks external user dashboards; tighten EBS responsibility assignments so the pool of users holding even low-privileged ECC access is minimized, accepting added administrative overhead; and increase monitoring of EBS access logs for anomalous low-privilege users hitting ECC endpoints. Do not rely on these compensating controls as a long-term substitute for the CPU.
Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) a
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Su
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privi
Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Ora
Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote atta
Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Bu
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a compon
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37387