This vulnerability exists in the Metadata Plugin component of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. It is easily exploitable by an attacker with low privileges and network access over HTTPS, enabling compromise and potential takeover of the platform. The vulnerability has a CVSS 3.1 score of 9.9, indicating critical impact on confidentiality, integrity, and availability. The scope of impact extends beyond the base platform to other Oracle products. Oracle's June 2026 Critical Security Patch Update advisory includes this vulnerability among 245 security patches and strongly urges customers to apply patches promptly.

Successful exploitation can lead to complete takeover of Oracle Enterprise Manager Base Platform, affecting confidentiality, integrity, and availability of the system. The vulnerability's scope change means additional Oracle products may also be impacted. This represents a critical risk to affected environments if unpatched.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update as soon as possible to remediate this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges or package access from users. These mitigations may impact application functionality. Patch status is not explicitly confirmed in the advisory, but the Critical Security Patch Update contains the relevant fixes. Customers should consult the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for detailed patch availability and installation instructions.