Vulnerability in the JD Edwards EnterpriseOne Project Costing product of Orac…

Research page generated from configured evidence sources. Treat this as an analyst workbench: facts are sourced, gaps are labelled, and low-confidence chatter is separated from confirmed evidence.

Executive judgement

• Operational lane: monitor
• Priority score: 30
• Confidence: high
• Exploit status: none — No public exploitation signal captured by the configured pipeline yet.
• Urgent publishable: no
• CISA KEV: No CISA KEV match captured in configured source data at generation time.
• Published/observed: 2026-06-17
• EPSS score: not available

What happened

Vulnerability in the JD Edwards EnterpriseOne Project Costing product of Oracle JD Edwards (component: Job Costing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Project Costing. While the vulnerability is in JD Edwards EnterpriseOne Project Costing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Project Costing accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Project Costing accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

Why it matters

• The item was promoted because the pipeline observed: priority score 30, exploit status none, confidence high.
• It has a CVE identifier, so it can be tracked across NVD/CVE.org/vendor/exploit sources.
• No PoC signal was detected by the current pipeline unless shown elsewhere on this page.

Evidence collected

• NVD: nvd

Exploitation and PoC status

• Current automated assessment: No public exploitation signal captured by the configured pipeline yet.
• Public exploit/PoC: No PoC source captured yet by the configured pipeline.
• Exploited in the wild: Not confirmed by configured sources at generation time.
• Ransomware association: No ransomware association captured at generation time.

Publication / validation flags

• no_exploitation_signal

Dark web / low-confidence chatter

• AlienVault OTX pulse: Potemkin Loader & RMMProject The Anatomy of a ClickFix Attack

Defender actions

• Apply Oracle JD Edwards EnterpriseOne Project Costing Bundle Patch or Security Patch for version 9.2, addressing CVE-2026-46911.
• Restrict network access to the JDENET port (default 6014-6024) used by the JDE Enterprise Server to only trusted application and web servers.
• Audit and minimize user roles with ’low privileged’ access (e.g., ‘ALLOW*’ security) to the Job Costing (P09C002) application within JDE.

Defender / Sentinel hunting queries

MDE exposure: devices with CVE-2026-46911

Find devices where Microsoft Defender Vulnerability Management reports the CVE.

DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2026-46911"
| project DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, LastSeenTime
| order by VulnerabilitySeverityLevel desc, LastSeenTime desc

Exposure validation ideas

• Search asset inventory for affected vendor/product names and any CVE reference.
• Check internet-facing exposure through approved tools only: Shodan/Censys/GreyNoise links below are research starting points, not proof of exposure.
• Prioritise management interfaces, edge devices, identity/control-plane systems, and OT/ICS assets where relevant.

Detection / hunting ideas

• Review vendor logs for authentication failures, privilege changes, unexpected admin activity, and anomalous management-plane access.
• Search SIEM/EDR telemetry for product-specific process names, network services, and newly published indicators from primary sources.
• Monitor for scanner traffic or nuclei/metasploit module references once public exploit tooling appears.

Research links

• NVD
• CVE.org
• CISA KEV search
• GitHub code/advisory search
• GitHub repository search
• Exploit-DB search
• Packet Storm search
• AlienVault OTX search
• GreyNoise search
• Shodan search
• Censys search

Open questions

• Is there a primary vendor advisory with exact affected versions and fixed versions?
• Has CISA KEV, Shadowserver, GreyNoise, or a trusted vendor confirmed exploitation?
• Are there credible PoC repositories or only secondary reporting mentioning PoC?
• Is there underground/forum/leak-site discussion, or only public reporting?

Generated: 2026-06-17T15:39:20+00:00