Oracle E-Biz unauth takeover (CVE-2026-34275)
CVE-2026-34275 lets unauthenticated attackers take over Oracle Advanced Inbound Telephony (E-Business Suite 12.2.3-12.2.15) with a single HTTP request. Apply the July 2026 CPU patch.
Patch now - CVE-2026-34275 is a critical unauthenticated remote takeover in Oracle Advanced Inbound Telephony (E-Business Suite 12.2.3-12.2.15) that grants an attacker full control of the component via a single HTTP request. Oracle’s July 2026 CPU contains the fix.
Overview
CVE-2026-34275 is a critical unauthenticated remote takeover vulnerability in Oracle Advanced Inbound Telephony, part of Oracle E-Business Suite. Affecting versions 12.2.3 through 12.2.15, this flaw allows an attacker with network access via HTTP to fully compromise the component without any credentials or user interaction. The vulnerability carries a CVSS 3.1 base score of 9.8 (Critical), with impacts to confidentiality, integrity, and availability all rated as High.
Technical Details
The vulnerability resides in the Setup and Administration component of Oracle Advanced Inbound Telephony. The attack vector is network-based, with low complexity and no privileges required. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to the affected service. Successful exploitation results in complete takeover of the Oracle Advanced Inbound Telephony system, meaning the attacker gains full control over the component’s data, operations, and availability.
The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates:
- No authentication needed
- No user interaction required
- Full compromise of confidentiality, integrity, and availability
Affected Systems
- Oracle E-Business Suite versions 12.2.3 through 12.2.15
- Oracle Advanced Inbound Telephony component (Setup and Administration)
Organizations running these versions should treat this as a critical priority. While CISA has not confirmed active exploitation at the time of writing, the combination of network accessibility, no authentication, and full takeover potential makes this an attractive target for threat actors.
Remediation
Oracle has addressed this vulnerability in the July 2026 Critical Patch Update (CPU). The fix applies to Oracle Advanced Inbound Telephony within E-Business Suite releases 12.2.3-12.2.15.
Immediate actions:
- Apply the July 2026 CPU patches to all affected Oracle E-Business Suite instances.
- If patching is delayed, restrict network access to the Oracle Advanced Inbound Telephony service to trusted IP ranges only.
- Monitor system logs for unexpected HTTP requests to the Setup and Administration endpoints.
- Review any recent changes or anomalies in the affected component.
Organizations without a change window should implement temporary network-level access controls (firewall rules, VPN requirements) until patches can be deployed.
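The two interim measures above, restricting the telephony Setup and Administration endpoints to trusted ranges and reviewing the web tier's access logs for requests that reach them anyway, can be checked together with a small log-review script. The following is an added example and not tooling from the advisory or from Oracle: it parses NCSA-style access log lines, flags any request to a watched URL prefix that did not originate from an allow-listed network, and summarises hits per source address. The URL prefix and the trusted network are placeholders, since the advisory does not publish the vulnerable paths; substitute the endpoints documented in the July 2026 CPU and your own trusted ranges. The log lines at the bottom are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Placeholder: the advisory does not name the Setup and Administration URLs.
# Replace with the real paths from Oracle's CPU documentation.
WATCHED_PREFIXES = ("/OA_HTML/telephony_admin_placeholder",)

# Assumed trusted source ranges (example values, not from the advisory).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# NCSA common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields, or None if the line is not in the expected format."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_trusted(ip_text):
    """True when the client address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable addresses are never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_watched(path):
    return path.startswith(WATCHED_PREFIXES)


def review_log(lines):
    """Flag requests to watched endpoints from non-trusted sources."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watched(rec["path"]):
            continue
        if is_trusted(rec["ip"]):
            continue
        rec["reason"] = "watched endpoint reached from outside trusted networks"
        findings.append(rec)
    return findings


def summarize(findings):
    """Count flagged requests per source address, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.20.5.7 - - [14/Jul/2026:10:01:02 +0000] "GET /OA_HTML/telephony_admin_placeholder/setup HTTP/1.1" 200 4821
203.0.113.45 - - [14/Jul/2026:10:03:11 +0000] "POST /OA_HTML/telephony_admin_placeholder/config HTTP/1.1" 200 512
203.0.113.45 - - [14/Jul/2026:10:03:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2210
198.51.100.9 - - [14/Jul/2026:10:07:40 +0000] "GET /OA_HTML/telephony_admin_placeholder/setup HTTP/1.1" 302 0
not a log line at all
"""

if __name__ == "__main__":
    hits = review_log(SAMPLE_LOG.splitlines())
    for ip, count in summarize(hits):
        print(f"{ip}: {count} request(s) to watched endpoints")
```

Run against the real access log of the web tier (for example with `review_log(open(path))`), any finding is a request that the interim firewall rules should have blocked; a non-empty result after the rules are in place indicates either a gap in the allow-list or traffic that warrants the change review the advisory recommends.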
References
- Oracle Critical Patch Update July 2026
- CVSS v3.1 Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Security Insight
This vulnerability highlights a recurring pattern in enterprise software: critical flaws in secondary or specialized components that attackers can reach without authentication. Oracle E-Business Suite has a history of such vulnerabilities in its telephony and CRM modules, often allowing full takeover with a single HTTP request. Organizations running complex ERP systems should prioritize a defense-in-depth strategy that includes network segmentation and regular patch cycles, not just for the core application but for every integrated component.