Impact
A vulnerability in the Oracle Enterprise Command Center Framework permits a low‑privileged adversary with network access over HTTP to create, delete, or alter data without authorization. The weakness stems from improper access control, which lets an attacker both access and modify sensitive information and cause a partial denial of service. The impact therefore includes confidentiality loss, integrity violation, and limited availability disruption.
Affected Systems
The affected product is Oracle Corporation’s Oracle Enterprise Command Center Framework, specifically versions 15 and 16. These releases are part of the Oracle E‑Business Suite Core component.
Risk and Exploitability
The CVSS 3.1 base score of 9.9 classifies the issue as critical, and the EPSS score of less than 1% suggests the likelihood of exploitation is low but non‑zero. The vulnerability is not currently listed in CISA’s KEV catalog. The attack vector is inferred to be remote over the network via HTTP, with low privilege required and no user interaction needed. An attacker can therefore achieve unauthorized data manipulation and partial denial of service when exploiting this flaw.
OpenCVE Enrichment