Cyber Resilience

CVE-2022-39428

Critical

Published: 18 October 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0754 (92.0th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-39428 is a critical-severity vulnerability of an unspecified weakness type in Oracle Web Applications Desktop Integrator. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-39428 is a vulnerability in the Upload component of Oracle Web Applications Desktop Integrator within Oracle E-Business Suite versions 12.2.3 through 12.2.11. It carries a CVSS 3.1 base score of 9.8 with full impacts to confidentiality, integrity, and availability, stemming from an unauthenticated network vector over HTTP.

An unauthenticated attacker with network access can exploit the flaw to achieve complete takeover of the Oracle Web Applications Desktop Integrator component. The attack requires no user interaction or credentials and is rated as easily exploitable.

The referenced Oracle Critical Patch Update for October 2022 provides official remediation guidance and patches for affected E-Business Suite releases.

EPSS for this CVE rose from lower values to a peak of 0.2224 on 2025-12-11 before receding to the current 0.0754, indicating a clear post-disclosure increase in exploitation interest that warrants renewed attention.

EU & UK References

Vulnerability details

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle
web applications desktop integrator
12.2.3 — 12.2.11

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References