This vulnerability affects Oracle Enterprise Asset Management component of Oracle E-Business Suite, specifically versions 12.2.3 through 12.2.15. It is exploitable remotely over HTTP by an attacker with low privileges and no user interaction required. Successful exploitation can lead to unauthorized access to sensitive or all accessible data and cause a partial denial of service. The vulnerability is rated with a CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L). Oracle has published this issue as part of its June 2026 Critical Security Patch Update advisory, which includes 245 security patches across multiple products. The advisory emphasizes the importance of applying these patches promptly to prevent exploitation. However, no specific patch version or remediation instructions for this vulnerability alone are detailed in the advisory.

Exploitation of this vulnerability can result in unauthorized access to critical or all accessible data within Oracle Enterprise Asset Management. It also allows an attacker to cause a partial denial of service, impacting availability. The confidentiality impact is high, while integrity impact is not affected, and availability impact is low according to the CVSS vector.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update, which includes fixes for this vulnerability among others. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges or package access from users. Oracle advises customers to remain on actively supported versions and to apply security patches without delay. Patch status is not explicitly confirmed for this specific vulnerability beyond the general advisory; customers should consult the Oracle Critical Security Patch Update advisory at https://www.oracle.com/security-alerts/cspujun2026.html for the latest remediation guidance.