This vulnerability affects Oracle Enterprise Asset Management versions 12.2.6 through 12.2.15 and allows an attacker with low privileges and network access via HTTP to compromise the product. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Oracle's June 2026 Critical Security Patch Update includes fixes for this vulnerability among 245 other patches. Oracle strongly recommends applying these patches immediately to prevent exploitation. No known exploits in the wild have been reported as of the advisory date.

Successful exploitation can lead to complete takeover of Oracle Enterprise Asset Management, affecting confidentiality, integrity, and availability of the system. This could allow attackers to access sensitive data, modify or disrupt operations, and potentially control the affected environment.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers should apply the June 2026 Critical Security Patch Update without delay to remediate this issue. Until patches are applied, risk may be reduced by blocking network protocols required by the attack and by removing unnecessary privileges from users. Oracle strongly recommends remaining on actively-supported versions and applying security patches promptly. Patch status is confirmed by the vendor advisory.