This vulnerability exists in the Extensibility Framework component of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. It is exploitable by a high privileged attacker with network access over HTTPS, allowing compromise of the platform. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Oracle has published this vulnerability in its June 2026 Critical Security Patch Update advisory, which includes patches addressing this and other vulnerabilities. The advisory strongly urges customers to apply these patches without delay to prevent exploitation. Workarounds include blocking network protocols required by the attack or removing unnecessary privileges, though these may disrupt normal operations.

Successful exploitation can lead to complete compromise of Oracle Enterprise Manager Base Platform, affecting confidentiality, integrity, and availability of the system. This could allow an attacker to take over the platform, potentially impacting all managed resources and operations dependent on it.

Oracle has released patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches promptly. Until patches are applied, risk can be partially mitigated by blocking network protocols required for exploitation or by removing unnecessary privileges from users. However, these mitigations may affect application functionality. Oracle recommends remaining on actively supported versions and applying security patches without delay. Patch status is confirmed by the vendor advisory linked.