Impact
The vulnerability is described as difficult to exploit. It allows a high-privileged attacker who already has logon access to the infrastructure where Oracle Application Development Framework (ADF) runs to compromise that framework. When exploited, the attacker can obtain unauthorized access to critical data or to all data that ADF can access, and can perform unauthorized updates, inserts or deletions. The CVSS 3.1 score of 4.7 indicates moderate impact on confidentiality and a low but non-zero impact on integrity.
Affected Systems
The affected product is the Oracle Application Development Framework (ADF) component of Oracle Fusion Middleware from Oracle Corporation, specifically the ADF Faces part. The vulnerable releases are 12.2.1.4.0 and 14.1.2.0.0.
Risk and Exploitability
Because the attack requires local access (AV:L) and high privileges (PR:H) and does not require user interaction (UI:N), the EPSS score is reported as less than 1%. The vulnerability is not listed in the CISA KEV catalog, which indicates no known active exploitation. However, if an attacker gains local high-privileged access, they can achieve significant data exposure or modification. The moderate CVSS score reflects that while the vulnerability is not trivial, it carries real risk if the prerequisites for exploitation are met.