Impact
The vulnerability in the Centralized Third Party Jars component of Oracle Coherence allows an unauthenticated attacker with network access via HTTP to take over the Coherence service. The flaw is easily exploitable (low attack complexity) and carries a CVSS base score of 10.0: confidentiality, integrity, and availability are all rated High, and the scope is Changed, which means a successful attack is not confined to Coherence itself but can reach other Oracle Fusion Middleware components that trust it. In practice, a successful exploit means full takeover of the Coherence deployment.
Affected Systems
Affected versions are Oracle Coherence 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The issue is reachable over Coherence's standard HTTP interfaces and requires no credentials, so any client that can reach those HTTP endpoints can attempt exploitation. Check the deployed Coherence version against this list, and check whether the HTTP interfaces are reachable from networks you do not control.
Risk and Exploitability
The EPSS score of less than 1% indicates a low predicted probability of exploitation activity in the wild over the next 30 days, but EPSS measures likelihood, not impact; the CVSS rating of 10.0 describes a catastrophic outcome if the vulnerability is exploited. With High impact on all three of confidentiality, integrity, and availability, data theft, tampering, and denial of service against the Coherence cluster are all within reach of an attacker who uses the unauthenticated HTTP path. Because no authentication is required, the attack vector is Network: the attack can be launched from any source that can reach the exposed HTTP endpoints, including external ones if those endpoints are Internet-facing. Until the fix is applied, restricting network access to the Coherence HTTP interfaces to trusted hosts reduces the exposure.