Description
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Oracle Management Service). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Oracle Management Service component of Oracle Enterprise Manager Base Platform, enabling an unauthenticated attacker to gain full control over the system. The impact includes loss of confidentiality, integrity, and availability, meaning the attacker can exfiltrate data, modify configurations, and disrupt services.

Affected Systems

Affected editions are Oracle Enterprise Manager Base Platform 13.5 and 24.1. Both releases contain the vulnerable component, and hosts that expose the HTTP interface to external networks are at risk.

Risk and Exploitability

The CVSS score of 9.8 signals a critical flaw. The EPSS score is below 1%, indicating a low current exploitation probability, and the issue is not listed in the CISA KEV catalog. No workaround is available, so administrators must act quickly to secure the environment. The flaw is exploitable over HTTP without authentication, suggesting a direct remote attack path.

Generated by OpenCVE AI on June 17, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Retrieve the latest security patch for Oracle Enterprise Manager Base Platform from the Oracle security alert at https://www.oracle.com/security-alerts/cspujun2026.html and apply it to all affected installations.
  • Restrict network access to the Management Service by limiting HTTP traffic to trusted IP ranges or by disabling the HTTP interface if it is not required.
  • Deploy an application firewall that filters traffic to the Management Service, ensuring that only authorized internal clients can reach the HTTP interface.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Oracle Management Service). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle enterprise Manager Base Platform
CPEs | | cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5:*:*:*:*:*:*:*; cpe:2.3:a:oracle:enterprise_manager_base_platform:24.1:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle enterprise Manager Base Platform
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:37:01.982Z

Reserved: 2026-05-18T15:55:10.307Z

Link: CVE-2026-46857

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T01:00:15Z

Weaknesses

No weakness.