This vulnerability exists in Oracle Financials for EMEA (component: Internal Operations) within Oracle E-Business Suite, specifically affecting version 12.2.3. It allows a high privileged attacker with network access over HTTP to compromise the product, potentially resulting in complete takeover. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector, low attack complexity, required high privileges, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. The vendor advisory from Oracle's June 2026 Critical Security Patch Update strongly recommends applying the update to address this and other vulnerabilities. No direct patch link or fixed version is explicitly stated for this CVE in the advisory content provided, so patch status is not yet confirmed. Oracle also suggests mitigating risk by blocking attack-related network protocols or removing unnecessary privileges until patches are applied, though these may affect application functionality.

The vulnerability allows a high privileged attacker with network access via HTTP to fully compromise Oracle Financials for EMEA, impacting confidentiality, integrity, and availability of the system. This can lead to complete takeover of the affected product, potentially exposing sensitive financial data and disrupting business operations.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update as soon as possible to remediate this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges from users, though these measures may disrupt normal application functionality. Patch status is not explicitly confirmed in the advisory; customers should consult the official Oracle Critical Security Patch Update documentation for detailed patch availability and installation instructions.