This vulnerability affects Oracle Public Sector Payroll, a component of Oracle E-Business Suite, specifically versions 12.2.3 through 12.2.15. It is exploitable by a high privileged attacker with network access over HTTP without user interaction, allowing compromise and potential takeover of the affected system. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) reflects network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update, which contains targeted security fixes. Oracle strongly advises customers to apply these patches immediately to mitigate the risk. Workarounds include blocking network protocols required by the attack or removing unnecessary privileges, but these may disrupt normal operations.

Successful exploitation allows a high privileged attacker with network access via HTTP to fully compromise Oracle Public Sector Payroll, impacting confidentiality, integrity, and availability of the system. This can lead to complete takeover of the payroll system, potentially affecting sensitive payroll data and operations.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers are strongly advised to apply the available security patches without delay to remediate this issue. Until patches are applied, risk can be partially mitigated by blocking network protocols required for exploitation and by removing unnecessary privileges from users, though these measures may affect application functionality. Oracle recommends remaining on actively-supported versions and promptly applying all security updates.