Impact
A critical flaw exists in the Client Bundle component of Oracle WebCenter Enterprise Capture, where an unauthenticated attacker can exploit the remote method invocation (RMI) interface. Because the RMI service fails to enforce proper authentication and authorization (CWE‑306), the vulnerability allows complete compromise of the application. Successful exploitation grants the attacker full control, enabling arbitrary code execution and the ability to read, modify, or delete data while disrupting services. The flaw also carries a scope change, meaning that compromise of Oracle WebCenter Enterprise Capture may potentially affect other Oracle Fusion Middleware components deployed in the same environment.
Affected Systems
Oracle WebCenter Enterprise Capture versions 12.2.1.4.0 and 14.1.2.0.0 are affected. These editions are part of Oracle Fusion Middleware and are typically deployed in on‑premises or cloud environments that host Oracle WebCenter Enterprise Capture.
Risk and Exploitability
The CVSS 3.1 base score of 10.0 denotes a complete compromise of confidentiality, integrity, and availability. The EPSS score of less than 1% indicates a very low probability of a real‑world exploit at the time of assessment, yet the severity remains critical. The vulnerability is not listed in the CISA KEV catalog. The likely attack path requires only network access to the RMI port; no user interaction or privileged credentials are needed.
OpenCVE Enrichment