This vulnerability exists in the Deployment Library component of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. It is easily exploitable by a high privileged attacker with network access over HTTPS, allowing compromise and potential takeover of the platform. The vulnerability has a CVSS 3.1 score of 9.1, indicating critical impact on confidentiality, integrity, and availability, and scope change affecting additional products. Oracle's June 2026 Critical Security Patch Update advisory references this vulnerability and recommends applying the update promptly. No specific patch version is detailed in the advisory, but the update contains 245 security patches including fixes for this issue. Mitigation may include blocking required network protocols and removing unnecessary privileges until patches are applied.

Successful exploitation allows a high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform, resulting in full takeover. This impacts confidentiality, integrity, and availability of the platform and may extend to additional Oracle products due to scope change. The CVSS 3.1 base score of 9.1 reflects critical severity with network attack vector, low attack complexity, and no user interaction required.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update immediately to address this vulnerability along with others. Until patches are applied, risk can be reduced by blocking network protocols required by the attack and removing unnecessary privileges from users who do not need them. These mitigations may impact application functionality. Customers should remain on actively supported versions and apply security patches without delay as per Oracle's advisory.