Description
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle iSupport, part of Oracle E‑Business Suite, contains a vulnerability that permits a high‑privileged attacker with network access over HTTP to compromise the service. The flaw allows takeover of the entire iSupport instance and may extend impact beyond iSupport to other products in the same stack. The weakness involves an authorization bypass, as indicated by CWE‑284, allowing attackers to gain unauthorized access over HTTP.

Affected Systems

Oracle iSupport versions 12.2.3 through 12.2.15 are affected. These versions are publicly supported and remain vulnerable until patched or upgraded.

Risk and Exploitability

The CVSS 3.1 base score of 9.1 indicates a critical vulnerability, with significant confidentiality, integrity, and availability impacts. The EPSS score of <1% suggests that exploitation is currently unlikely, but the risk remains high if an attacker gains the required credentials and network access via HTTP. The flaw can affect additional Oracle applications through a scope change, as indicated in the description. The vulnerability is not yet listed in the CISA KEV catalog. Attackers would need high privileges and access to the iSupport HTTP interface to exploit the flaw, after they could potentially take over the entire service.

Generated by OpenCVE AI on June 18, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Oracle iSupport patch or upgrade to a version that includes the fix for this vulnerability.
  • Configure network firewalls or VPNs to restrict HTTP access to the iSupport server to trusted administrators only.
  • Enable detailed logging on the iSupport service and routinely review logs for unauthorized access attempts or anomalous activity.

Generated by OpenCVE AI on June 18, 2026 at 21:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Oracle iSupport Authorization Bypass via HTTP Leading to System Takeover

Thu, 18 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title High Privileged Remote Exploit in Oracle iSupport Leading to Complete Takeover
Weaknesses CWE-287

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title High Privileged Remote Exploit in Oracle iSupport Leading to Complete Takeover
Weaknesses CWE-287

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle isupport
CPEs cpe:2.3:a:oracle:isupport:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle isupport
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T13:51:46.155Z

Reserved: 2026-05-18T15:55:10.313Z

Link: CVE-2026-46944

cve-icon Vulnrichment

Updated: 2026-06-18T13:50:38.040Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:45:04Z

Weaknesses