Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network HTTP reachability with low complexity and no user interaction, but requires a high-privileged EBS account (PR:H); scope change and full CIA loss reflect cross-product impact within EBS.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Business Suite, allows a high-privileged authenticated attacker with HTTP network access to fully compromise the ECC component and, through a scope change, significantly impact additional integrated products. Oracle's June 2026 Critical Patch Update advisory rates this CVSS 9.1 (C:H/I:H/A:H with S:C), and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a high-privileged authenticated session against the Oracle E-Business Suite web tier with reachability to the Enterprise Command Center Framework Core HTTP endpoints (PR:H, AV:N, AC:L, UI:N), and the target must be running ECC V15 or V16 as part of an EBS deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H yields 9.1 - the high score is driven primarily by the scope change and full CIA impact, not by ease of access, since PR:H means the attacker must already hold high privileges within ECC or the EBS stack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a high-privileged EBS account - for example via phishing a functional administrator or abusing an over-privileged integration user - authenticates to the EBS web tier and issues crafted HTTP requests to an Oracle Enterprise Command Center Framework Core endpoint, taking over the ECC component. Because the flaw triggers a CVSS scope change, the attacker then leverages ECC's trust relationships to read or modify data and services in adjacent EBS products on the same middle tier. … |
| Remediation | Apply the patches from Oracle's June 2026 Critical Patch Update for Oracle E-Business Suite (https://www.oracle.com/security-alerts/cspujun2026.html), which is the only vendor-released remediation identified for ECC V15 and V16; an exact post-patch ECC build string is not enumerated in the input, so administrators should consult the CPU patch matrix for their EBS release to identify the specific ECC bundle patch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Oracle E-Business Suite deployments running ECC V15 or V16; enumerate all user accounts with administrative access to ECC consoles. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) a
Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievabl
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Su
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privi
Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Ora
Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote atta
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a compon
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37388