CVE-2022-39428
Published: 18 October 2022
Summary
CVE-2022-39428 is a critical-severity vulnerability of unspecified weakness type in Oracle Web Applications Desktop Integrator. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 8.0% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
CVE-2022-39428 is a vulnerability in the Upload component of Oracle Web Applications Desktop Integrator within Oracle E-Business Suite versions 12.2.3 through 12.2.11. It carries a CVSS 3.1 base score of 9.8 with high impact to confidentiality, integrity, and availability, reachable by an unauthenticated attacker over the network via HTTP.
An unauthenticated attacker with network access over HTTP can exploit the flaw to take over Oracle Web Applications Desktop Integrator. The attack requires no credentials and no user interaction, and Oracle rates the vulnerability as easily exploitable.
The Oracle Critical Patch Update for October 2022 provides the official remediation guidance and patches for the affected E-Business Suite releases.
The EPSS score for this CVE rose from lower values to a peak of 0.2224 on 2025-12-11 before receding to the current 0.0754. EPSS estimates the probability of exploitation in the wild over the following 30 days rather than confirming that exploitation has occurred, but a rise of this size long after disclosure indicates renewed exploitation interest and warrants renewed attention.
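The following triage helper is an added example, not code from Oracle or from this advisory. It flags inventory entries whose Oracle E-Business Suite version falls inside the affected range stated above (12.2.3 through 12.2.11), comparing version components numerically because a plain string comparison sorts "12.2.11" before "12.2.9". The host names and versions in the inventory are constructed for illustration.

```python
"""Flag Oracle E-Business Suite instances in the version range affected by
CVE-2022-39428 (12.2.3 through 12.2.11). Added example; not Oracle's code."""

# Affected range as published for CVE-2022-39428.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 11)


def parse_version(text):
    """Turn '12.2.11' into (12, 2, 11), padding to three numeric components.

    Tuples compare numerically, so (12, 2, 11) > (12, 2, 9); the equivalent
    string comparison gets this wrong because '1' < '9' character by character.
    """
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        raise ValueError(f"unparseable version string: {text!r}") from None
    if not parts:
        raise ValueError("empty version string")
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_affected(version):
    """True when the version lies within the range listed in the advisory.

    Versions outside the range are merely unlisted; the advisory only speaks
    to the supported releases it names, so 'False' is not a safety certificate.
    """
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory):
    """Return the (host, version) pairs that need the October 2022 CPU."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    ("ebs-prod-01", "12.2.11"),   # last affected release
    ("ebs-prod-02", "12.2.9"),
    ("ebs-test-01", "12.2.3"),    # first affected release
    ("ebs-dev-01", "12.2.12"),    # above the stated range
    ("ebs-legacy", "12.1.3"),     # below the stated range
]

if __name__ == "__main__":
    for host, ver in triage(INVENTORY):
        print(f"{host}: {ver} is affected by CVE-2022-39428")
```

The string-comparison pitfall is worth remembering when patch tracking is done in spreadsheets or shell one-liners: `"12.2.3" <= "12.2.11"` evaluates to false, so a naive lexical range check silently drops the highest affected release.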
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-41873
Vulnerability details
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE(s): not specified
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Oracle E-Business Suite 12.2.3 through 12.2.11: Oracle Web Applications Desktop Integrator, Upload component.
Mitigating Controls
Apply the Oracle Critical Patch Update for October 2022 to affected E-Business Suite releases (12.2.3 through 12.2.11).