Impact
The feature enabling Oracle Enterprise Command Center Framework to accept HTTPS traffic is improperly protected, allowing an unauthenticated network attacker to fully compromise the system. Successful exploitation can lead to complete takeover, compromising the confidentiality, integrity, and availability of the entire framework. The severity is reflected in a CVSS 3.1 base score of 9.8, with the vector indicating no authentication, no user interaction, and full confidentiality and integrity impact.
Affected Systems
Oracle Enterprise Command Center Framework, versions 15 and 16, supplied by Oracle Corporation. These versions are listed in the vendor’s product catalogue and are covered by the Oracle security alert for June 2026.
Risk and Exploitability
The risk is high: attackers need only network access over HTTPS to exploit the flaw, with low attack complexity (Attack Complexity: Low) and no privileges or user interaction required (Privileges Required: None, User Interaction: None). The EPSS score of less than 1% indicates that, as of this analysis, exploitation activity is expected to be very low, and the vulnerability is not listed in the CISA KEV catalogue. Nonetheless, because the impact is catastrophic and the vector is simple, administrators should treat this as an imminent threat. No additional conditions or prerequisites are stated, so any system with the vulnerable versions exposed to the internet is at risk.
OpenCVE Enrichment