Impact
The vulnerability resides in the Client Bundle component of Oracle WebCenter Enterprise Capture. An attacker who can reach the application over the network using the T3 or IIOP protocols can exploit this flaw without needing elevated privileges. The flaw enables the attacker to compromise the WebCenter Enterprise Capture server with complete authority, allowing execution of arbitrary code, disclosure of confidential data, alteration of system integrity, and denial of service. The weakness is consistent with an improper access control flaw that permits unauthorized management operations.
Affected Systems
Oracle WebCenter Enterprise Capture versions 12.2.1.4.0 and 14.1.2.0.0 are affected. These versions are part of Oracle Fusion Middleware and may be installed on enterprise server infrastructure.
Risk and Exploitability
The vulnerability has a CVSS 3.1 base score of 9.9, indicating critical impact across confidentiality, integrity, and availability. The EPSS score is below 1%, suggesting that actual exploitation attempts are currently rare, but an attacker could still achieve a remote compromise because exploitation requires little effort. The issue is not yet listed in the CISA KEV catalog, although its high severity warrants immediate attention. Attackers can reach the vulnerable component over the network, bypassing authentication and gaining full control of the target host and any connected Oracle services.