Impact
The flaw lies in the Enterprise Infrastructure Security component of Oracle JD Edwards EnterpriseOne Tools and permits an unauthenticated attacker with network access over HTTP to gain full control over the toolset environment. Exploitation can compromise confidentiality, integrity, and availability, effectively allowing the attacker to take over the JD Edwards tools and potentially access or manipulate the underlying business data. The CVSS vector records an attack over the network that requires neither privileges nor user interaction, making the impact severe and the attack surface wide.
Affected Systems
Oracle Corporation’s JD Edwards EnterpriseOne Tools, specifically versions 9.2.0.0 through 9.2.26.2, are affected. Any deployment of these releases that remains exposed to external HTTP traffic is susceptible to the described exploit. No other product variants or subcomponents are listed as affected in the advisory.
Risk and Exploitability
The CVSS score of 9.8 underlines a critical level of risk, while the EPSS estimate of less than 1% indicates a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not part of CISA’s KEV catalog, indicating that it has not yet been recorded as actively exploited. Attackers can trigger the flaw remotely and without authentication by sending crafted HTTP requests to the JD Edwards Toolset, so the likelihood of exploitation depends largely on whether the service is exposed to the network rather than on privilege or user interaction.
OpenCVE Enrichment