Description
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle iSupport is vulnerable to a flaw that allows an attacker with high privileges to gain full control over the service via an HTTP request. The flaw can be used to compromise confidentiality, integrity, and availability, effectively permitting a takeover, and corresponds to a remote code execution or privilege‑escalation vulnerability.

Affected Systems

This issue affects Oracle Corporation’s Oracle iSupport component of Oracle E‑Business Suite for versions 12.2.3 through 12.2.15. The vulnerability is present in the Internal Operations component and may extend to other Oracle products because of a scope change, so any environment running these versions of iSupport is at risk.

Risk and Exploitability

With a CVSS 3.1 base score of 9.1, the vulnerability is rated critical. The EPSS score (< 1%) indicates a very low estimated likelihood of exploitation, and the issue is not listed in the CISA KEV catalog, yet the high severity and scope change imply that a successful attack could have widespread impact. An attacker requires network access over HTTP and must already possess high privileges relative to the target (PR:H), but the flaw permits full compromise of the iSupport service. The lack of user interaction (UI:N) means an automated exploit could be deployed remotely.

Generated by OpenCVE AI on June 17, 2026 at 18:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle iSupport patch for versions 12.2.3–12.2.15
  • Restrict inbound HTTP traffic to the iSupport service using firewalls or network ACLs to approved IP ranges or VPN connections only
  • Until a formal patch is applied, isolate the iSupport instance from external networks or block it entirely to prevent exploitation

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added

Description: Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
First Time appeared: Oracle; Oracle isupport
CPEs: cpe:2.3:a:oracle:isupport:*:*:*:*:*:*:*:*
Vendors & Products: Oracle; Oracle isupport
References:
Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T19:26:03.680Z

Reserved: 2026-05-18T15:55:10.313Z

Link: CVE-2026-46945

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T03:00:16Z

Weaknesses

No weakness.