Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Oracle JD Edwards EnterpriseOne Tools, located in the Enterprise Infrastructure Security component, allows an attacker with network access via the JDENET protocol to compromise the system without authentication. Exploitation of this flaw leads to total takeover of the tools, resulting in full compromise of confidentiality, integrity, and availability. The flaw permits execution of arbitrary code on the target system, effectively providing remote code execution capabilities to a remote attacker.

Affected Systems

Oracle JD Edwards EnterpriseOne Tools, versions 9.2.0.0 through 9.2.26.2, are affected. These versions are part of the JD Edwards EnterpriseOne suite provided by Oracle Corporation.

Risk and Exploitability

A CVSS v3.1 base score of 9.8 classifies this vulnerability as critical, and the vector describes an attack that is easy to carry out. The EPSS score of less than 1% suggests that, at present, the probability of exploitation in the wild is low, and the vulnerability is not currently listed in the CISA KEV catalog. The attack can be carried out remotely over the network using JDENET, requires no authentication or user interaction, and can be executed from any host that can reach the JDENET port. Consequently, environments running the affected versions of JD Edwards EnterpriseOne Tools face significant risk for as long as the JDENET port is reachable from untrusted hosts.

Generated by OpenCVE AI on June 17, 2026 at 20:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle JD Edwards EnterpriseOne Tools to a patched version that resolves the vulnerability.
  • Restrict JDENET access to trusted hosts, using firewall rules to block connections from all other sources.
  • Implement network segmentation to isolate JD Edwards components from other business applications.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type: Values Added (no values removed)

  • Description: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  • First Time appeared: Oracle; Oracle jd Edwards Enterpriseone Tools
  • CPEs: cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle jd Edwards Enterpriseone Tools
  • References:
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:17:46.645Z

Reserved: 2026-05-18T15:55:10.309Z

Link: CVE-2026-46878

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T03:15:02Z

Weaknesses

No weakness.