Impact
A vulnerability in Oracle Enterprise Command Center Framework allows a remote attacker with low privileges and HTTP access to the system to create, delete or modify critical data and to cause a partial disruption of service. The attacker can also read, or gain full access to, all data exposed by the framework, resulting in significant confidentiality and integrity violations. According to the description, the weakness can change scope and affect additional Oracle products, amplifying the damage.
Affected Systems
The affected product is Oracle Enterprise Command Center Framework, versions 15 and 16, a component of Oracle E-Business Suite. Hosts running these versions are vulnerable in any environment that exposes the framework over HTTP.
Risk and Exploitability
The CVSS 3.1 base score of 9.9 indicates high severity, while an EPSS score of less than 1% indicates a low probability of widespread exploitation at this time. The flaw is not listed in the CISA KEV catalog. An attacker with low privileges can exploit the vulnerability directly over the network via HTTP; no user interaction is required. Successful exploitation can lead to unauthorized data manipulation, data exposure, and partial denial of service, and because of the scope change may extend to other related products.