Impact
This vulnerability resides in the Order Promising Integration component of Oracle JD Edwards EnterpriseOne. An attacker with only low-privilege credentials and network connectivity over HTTP can exploit the flaw to take full control of the Order Promising application. The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H indicates that confidentiality, integrity and availability are all fully compromised, effectively allowing an attacker to execute arbitrary code, modify data, and disrupt service. The scope change (S:C) indicates that privileges gained may extend beyond the targeted component to other parts of the JD Edwards system.
Affected Systems
The affected product is JD Edwards EnterpriseOne Order Promising, version 9.2. This applies to installations of the Order Promising Integration component in the 9.2 release line.
Risk and Exploitability
The CVSS base score of 9.9 classifies this flaw as Critical. The EPSS score of less than 1% indicates that widespread automated exploitation is unlikely, but the presence of a network-accessible entry point makes targeted attacks feasible. The flaw is not listed in the CISA KEV catalog, so no active exploitation has been publicly confirmed, yet the high impact and low effort to exploit warrant immediate attention. The likely attack path is a low-privilege attacker sending crafted HTTP requests to the vulnerable component and achieving remote code execution.
OpenCVE Enrichment