Cyber Posture

CVE-2026-34275

Critical

Published: 21 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Inbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Inbound Telephony. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires timely remediation of known vulnerabilities like CVE-2026-34275 through application of Oracle's Critical Patch Update, directly preventing exploitation.

prevent

Limits or prohibits unauthenticated actions on critical Setup and Administration functions, directly addressing the missing authentication (CWE-306) that enables takeover.

prevent

Enforces boundary protection to restrict unauthenticated network access via HTTP to the vulnerable Oracle Advanced Inbound Telephony component.

Security Summary (AI)

CVE-2026-34275 is a vulnerability in the Oracle Advanced Inbound Telephony product, which is part of Oracle E-Business Suite, specifically affecting the Setup and Administration component. Supported versions impacted by this issue range from 12.2.3 to 12.2.15. The vulnerability, linked to CWE-306, carries a CVSS 3.1 base score of 9.8 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating critical severity due to high impacts on confidentiality, integrity, and availability.

An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle Advanced Inbound Telephony. Successful attacks enable takeover of the affected component, allowing full control over its confidentiality, integrity, and availability.

Oracle's Critical Patch Update for April 2026 provides details on this vulnerability, including patches and mitigation guidance, available at https://www.oracle.com/security-alerts/cpuapr2026.html.

Details

CWE(s)

Affected Products

Vendor: oracle
Product: advanced inbound telephony
Versions: 12.2.3 to 12.2.15

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation via HTTP of a public-facing application component, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
