NCSC-2026-0201 [1.00] [M/H] Vulnerabilities fixed in Oracle E-Business Suite products
Oracle has fixed vulnerabilities in various Oracle E-Business Suite products, including Oracle Enterprise Command Center Framework, iSupplier Portal, Complex Maintenance, Repair and Overhaul, Process Manufacturing Product Development, HR Intelligence, Receivables, Spares Management, Cost Management, Enterprise Asset Management, Applications Manager, iSupport, Advanced Outbound Telephony, Quality, HRMS (UK), Human Resources, Property Manager, Subledger Accounting, Project Portfolio Analysis, Universal Work Queue, Public Sector Financials (International), Financials for EMEA, Outsourced Manufacturing, and Public Sector Payroll. The vulnerabilities allow an attacker with network access and often low to high privileges to perform unauthorized actions, including gaining full control over the system, creating, modifying, or deleting critical data, and causing partial or complete denial-of-service. Some vulnerabilities require user interaction, while others can be exploited without authentication. The vulnerabilities affect the confidentiality, integrity, and availability of the systems. The CVSS 3.1 base scores range from 7.1 to 9.9, with multiple vulnerabilities scoring 8.8 or higher. The vulnerabilities are present in various versions, primarily between 12.2.3 and 12.2.15, and in some cases also in versions 15 and 16 of the Enterprise Command Center Framework. Exploitation can lead to complete system compromise and may also impact other Oracle products that depend on the vulnerable components.
CSIRTS triage
- What
- Vulnerabilities allow unauthorized actions that can lead to data manipulation and system compromise.
- Who is affected
- Deployments of various Oracle E-Business Suite products.
- Urgency
- Remediation is necessary due to the potential for significant data loss and system integrity issues.
- Action
- Apply the latest security updates for Oracle E-Business Suite products.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Oracle E-Business Suite
Get an email when a new Oracle E-Business Suite advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0201
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-469490.40% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 33% of all scored CVEs.
- Low exploitation riskCVE-2026-469500.40% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 32% of all scored CVEs.
- Low exploitation riskCVE-2026-469510.40% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 32% of all scored CVEs.
- Low exploitation riskCVE-2026-469520.40% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 32% of all scored CVEs.
- Low exploitation riskCVE-2026-469530.34% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 26% of all scored CVEs.
- Low exploitation riskCVE-2026-469550.16% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 5% of all scored CVEs.
- Low exploitation riskCVE-2026-469560.45% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 36% of all scored CVEs.
- Low exploitation riskCVE-2026-469570.31% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all scored CVEs.
- Low exploitation riskCVE-2026-469580.25% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 16% of all scored CVEs.
- Low exploitation riskCVE-2026-469590.25% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 16% of all scored CVEs.
Referenced CVEs
+7 more CVEs referenced in this advisory.
Recent advisories for Oracle E-Business Suite
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- criticalexploitedCVE-2025-61884: Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerabilitycisa-kev · 2025-10-20
- criticalexploitedCVE-2025-61882: Oracle E-Business Suite Unspecified Vulnerabilitycisa-kev · 2025-10-06
- criticalexploitedCVE-2022-21587: Oracle E-Business Suite Unspecified Vulnerabilitycisa-kev · 2023-02-02
More from NCSC-NL Advisories
- unknownNCSC-2026-0223 [1.00] [M/H] Vulnerabilities fixed in BeyondTrust Remote Support and Privileged Remote Access2026-07-10
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition2026-07-10
- unknownNCSC-2026-0221 [1.00] [M/H] Vulnerabilities fixed in UniFi products from Ubiquiti Networks2026-07-07
- unknownNCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs2026-07-03
- unknownNCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server2026-07-03