CVE-2019-2616

HIGH KEV NUCLEI

Oracle Fusion Middleware - Unauthenticated RCE

Title source: llm

Exploitation Summary

CVE-2019-2616 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 1 public exploit from researchers including Vahagn Vardanyan. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates an XXE (XML External Entity) vulnerability in Oracle Business Intelligence and XML Publisher. The PoC sends a maliciously crafted SOAP request to trigger the XXE, potentially allowing an attacker to read arbitrary files or perform SSRF.

Description

Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). While the vulnerability is in BI Publisher (formerly XML Publisher), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of BI Publisher (formerly XML Publisher) accessible data as well as unauthorized read access to a subset of BI Publisher (formerly XML Publisher) accessible data. CVSS 3.0 Base Score 7.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Exploits (1)

exploitdb WORKING POC VERIFIED

by Vahagn Vardanyan · textwebappswindows

https://www.exploit-db.com/exploits/46729

View Code ZIP pw:eip

This exploit demonstrates an XXE (XML External Entity) vulnerability in Oracle Business Intelligence and XML Publisher. The PoC sends a maliciously crafted SOAP request to trigger the XXE, potentially allowing an attacker to read arbitrary files or perform SSRF.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Oracle Business Intelligence and XML Publisher (11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0)

No auth needed

Prerequisites: Network access to the target server · Vulnerable version of Oracle Business Intelligence or XML Publisher

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Oracle Business Intelligence/XML Publisher - XML External Entity Injection

HIGHby pdteam

References (2)

Core 2

Core References

Patch, Vendor Advisory x_refsource_misc

http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-2616

Scores

CVSS v3 7.2

EPSS 0.9399

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact partial

Details

CISA KEV 2022-03-25

VulnCheck KEV 2022-03-25

InTheWild.io 2022-03-25

ENISA EUVD EUVD-2019-12256

Status published

Products (3)

oracle/business_intelligence_publisher 11.1.1.9.0

oracle/business_intelligence_publisher 12.2.1.3.0

oracle/business_intelligence_publisher 12.2.1.4.0

Published Apr 23, 2019

KEV Added Mar 25, 2022

Tracked Since Feb 18, 2026