Threats / Oracle / CVE-2022-21587
CVE-2022-21587
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Oracle E-Business Suite vulnerability
Oracle E-Business Suite contains an unspecified vulnerability allowing unauthenticated network attackers to compromise Web Applications Desktop Integrator via HTTP.
Verdict
Today item, not a backlog item.
Active exploitation in ransomware campaigns. Missing authentication control (CWE-306) enables direct network access to critical business application integration layer without credentials, presenting severe operational risk.
CISA KEV Yes · 2023-02-023Ransomware use Flagged3EPSS 0.98342 (verify live)4Exploit Weaponized · public PoC5
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
587 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-02-02), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.98342 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Oracle, E-Business Suite. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-306 Missing Authentication — weakness family: Authentication.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft an HTTP request to the unauthenticated E-Business Suite endpoint without providing credentials.
Business
Attackers bypass authentication entirely, gaining direct access to application integration functions.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I exploit the missing access control to interact with Web Applications Desktop Integrator components.
Business
Critical business data flows through integrator become exposed to unauthorized manipulation and exfiltration.
3
Lateral reach — past segmentation narrative 3
Attacker
I establish persistence or lateral movement within the E-Business Suite environment.
Business
Ransomware operators gain foothold to encrypt financial, supply chain, and operational data systems.
4
Data at risk — exfiltration narrative 4
Attacker
I deploy encryption payloads across integrated business processes and databases.
Business
Enterprise operations halt; financial records, orders, and compliance data become inaccessible.
5
Lights out — disruption & extortion narrative 5
Attacker
I demand ransom for decryption keys while threatening data sale.
Business
Organization faces extortion, regulatory penalties, customer notification costs, and reputational damage.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05