Impact
This vulnerability resides in the Enterprise Infrastructure Security component of JD Edwards EnterpriseOne Tools. It allows an attacker with no authentication at all to take full control of the application through the JDENET network interface. Once in, the attacker can read, modify, or delete data, exfiltrate it, and alter system configuration, which effectively grants administrative privileges across the platform. The flaw is a textbook case of improper authentication (CWE-287), and it compromises confidentiality, integrity, and availability alike.
Affected Systems
The issue affects Oracle JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.2. Every system running one of these releases should be checked to confirm whether the tool is deployed, because the vulnerability sits in the core Enterprise Infrastructure Security component and is therefore present wherever an affected release is installed.
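A small inventory triage helper, added here as an illustration and not part of the advisory or of Oracle's tooling, that flags hosts whose Tools release falls inside the stated range. It assumes a constructed inventory of hypothetical host names and release strings; the one subtlety it demonstrates is that releases must be compared numerically per component, since a plain string comparison would rank 9.2.3.0 above 9.2.26.2 and miss an affected host.

```python
from typing import Iterable

# Affected range exactly as stated in the advisory, inclusive at both ends.
AFFECTED_MIN = "9.2.0.0"
AFFECTED_MAX = "9.2.26.2"


def parse_version(version: str) -> tuple[int, ...]:
    """Convert a dotted release string into a tuple of ints.

    Numeric tuples order 9.2.3.0 below 9.2.26.2; a string compare would not.
    Short forms such as "9.2.26" are padded with zeros to four components.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str) -> bool:
    """True if the release lies within [AFFECTED_MIN, AFFECTED_MAX]."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def triage(inventory: Iterable[dict]) -> list[str]:
    """Return the host names whose Tools release is in the affected range."""
    return [h["host"] for h in inventory if is_affected(h["tools_version"])]


# Constructed sample inventory (hypothetical hosts and releases, not real data).
SAMPLE_INVENTORY = [
    {"host": "jde-ent-01", "tools_version": "9.2.26.2"},  # upper bound: affected
    {"host": "jde-ent-02", "tools_version": "9.2.3.0"},   # affected; string compare would miss it
    {"host": "jde-ent-03", "tools_version": "9.2.27.0"},  # placeholder above the range
    {"host": "jde-dev-01", "tools_version": "9.1.5.0"},   # below the range
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Tools release in affected range, schedule patching")
```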
Risk and Exploitability
The CVSS 3.1 Base Score of 9.8 places the flaw in the critical severity band, while the EPSS score of less than 1% indicates a low but non-zero likelihood of exploitation at the time of publishing. The vulnerability is not listed in CISA’s KEV catalog, yet the absence of authentication combined with network reachability makes it highly attractive to adversaries. An attacker needs only network access to the JDENET port to trigger the flaw; no user interaction or further privilege escalation is required beyond reaching the unauthenticated entry point. In practice, exposure is therefore governed by which networks can reach that port, so restricting its reachability to trusted segments reduces risk while patching is scheduled.
OpenCVE Enrichment