Impact
The vulnerability resides in the Siebel Cloud Manager component of Oracle Siebel CRM Cloud Applications. An unauthenticated attacker with network access via HTTP can exploit this flaw to gain full control, compromising confidentiality, integrity, and availability. The weakness is a combination of authentication bypass (CWE‑287), improper access control enforcement (CWE‑284), and missing authorization checks (CWE‑306), allowing arbitrary code execution on the host.
Affected Systems
Oracle Siebel CRM Cloud Applications, versions 17.0 through 26.5, are affected.
Risk and Exploitability
The CVSS base score of 9.8 classifies this as a critical vulnerability, though the EPSS score of less than 1% indicates a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. Attackers would likely target the exposed HTTP endpoint of Siebel Cloud Manager, which provides no authentication and therefore permits the vulnerable operation to be performed from any network location.
OpenCVE Enrichment