Oracle Enterprise Manager Grid Control
Oracle Enterprise Manager Grid Control is Oracle's centralized platform for monitoring databases, middleware, and infrastructure. It is deployed in Oracle-heavy environments and runs with broad access to managed systems. NVD tracks it as oracle:enterprise_manager_grid_control with CVE history concentrated in authenticated remote code execution and privilege escalation in management console components. Oracle ships fixes via quarterly Critical Patch Updates (CPU).
Querying Oracle Enterprise Manager Grid Control
oracle_enterprise_manager_grid_control
13.5.0.0, 12.1.0.0

curl "https://api.attestd.io/v1/check?product=oracle_enterprise_manager_grid_control&version=12.1.0.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Oracle Enterprise Manager Grid Control 12.1.0.0 is affected by CVE-2014-6557, an authenticated RCE vulnerability in the management console. The response shows risk_state: "elevated" because authentication is required to exploit the issue, reducing the immediate attack surface.

{
  "product": "oracle_enterprise_manager_grid_control",
  "version": "12.1.0.0",
  "supported": true,
  "risk_state": "elevated",
  "risk_factors": [
    "remote_code_execution",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": true,
  "patch_available": true,
  "fixed_version": "12.1.0.6.2",
  "confidence": 0.85,
  "cve_ids": ["CVE-2014-6557"],
  "last_updated": "2026-06-14T17:03:32Z",
  "supply_chain": null
}

Oracle Enterprise Manager Grid Control 13.5.0.0 is the current release and has no known unpatched CVEs in the NVD range as of the last synthesis run.

curl "https://api.attestd.io/v1/check?product=oracle_enterprise_manager_grid_control&version=13.5.0.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

CVE history
Oracle Enterprise Manager CVEs are reported via Oracle CPU advisories and cover a broad range of bundled components including Oracle Application Framework, BI Publisher, and third-party libraries. Most require authentication; unauthenticated CVEs are rare.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2014-6557 | Authenticated remote code execution in the Oracle Enterprise Manager Grid Control management console via a crafted request to the Application Framework component. | 12.1.0.0 | 6.5 |
| CVE-2016-5510 | Unauthenticated remote code execution in the Enterprise Manager Base Platform via a vulnerability in the Repository component. Allows full system compromise over the network. | 12.1.0.5, 13.1.0.0 | 9.8 |
| CVE-2017-10068 | Authenticated remote code execution in Oracle Enterprise Manager via the Application Framework component. Allows an attacker with low-privilege credentials to execute arbitrary code. | 12.1.0.4, 13.1.0.0 | 8.8 |
| CVE-2019-2725 | Unauthenticated remote code execution via the Oracle WebLogic Server component bundled in Enterprise Manager. Exploitable through the WLS9_ASYNC and WLS-WSAT endpoints. | 13.2.0.0, 13.3.0.0 | 9.8 |
| CVE-2020-14750 | Unauthenticated remote code execution via the Console component in Oracle WebLogic Server, affecting Enterprise Manager deployments that include the WebLogic management interface. | 13.3.0.0, 13.4.0.0 | 9.8 |
KEV = CISA Known Exploited Vulnerabilities catalog. Active exploitation confirmed.
Oracle CPU namespace
NVD tracks Oracle Enterprise Manager Grid Control under a dedicated product namespace. Version strings use four-part notation matching Oracle's release numbering scheme (e.g. 13.5.0.0):
cpe:2.3:a:oracle:enterprise_manager_grid_control
12.x and 13.x series

Some CVEs affecting bundled WebLogic, BI Publisher, or Application Framework components are also tracked under separate Oracle product namespaces. Attestd uses the Grid Control namespace for version range matching.
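
As an added example (not Attestd's code and not part of the original page), the sketch below turns the 12.1.0.0 response shown earlier into a patching decision and compares dotted versions numerically, since the fixed_version 12.1.0.6.2 has five parts while the queried versions have four. The `triage` policy, its action names, and the separate `installed` argument are assumptions made for illustration.

```python
import json
from itertools import zip_longest

# Response body copied from the page's 12.1.0.0 example, trimmed to the fields used.
SAMPLE = json.loads("""{
  "product": "oracle_enterprise_manager_grid_control", "version": "12.1.0.0",
  "risk_state": "elevated", "actively_exploited": false,
  "remote_exploitable": true, "authentication_required": true,
  "patch_available": true, "fixed_version": "12.1.0.6.2",
  "cve_ids": ["CVE-2014-6557"]
}""")


def version_lt(a: str, b: str) -> bool:
    """Numeric compare of dotted versions; the shorter one is zero-padded,
    so 12.1.0.6 == 12.1.0.6.0 and 12.1.0.10 > 12.1.0.6
    (plain string comparison gets the latter wrong)."""
    pa = [int(p) for p in a.split(".")]
    pb = [int(p) for p in b.split(".")]
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return x < y
    return False


def triage(resp: dict, installed: str) -> str:
    """Assumed local policy (not Attestd's): map a check response to an action."""
    fixed = resp.get("fixed_version")
    # Nothing reported, or the installed build is already at or past the fix.
    if not resp.get("cve_ids") or (fixed and not version_lt(installed, fixed)):
        return "ok"
    unauth_remote = bool(resp.get("remote_exploitable")) and not resp.get(
        "authentication_required"
    )
    if resp.get("actively_exploited") or unauth_remote:
        return "patch-now"
    if resp.get("patch_available"):
        return "schedule-patch"  # e.g. the next CPU maintenance window
    return "restrict-access"  # no fix yet: limit who can reach the console


if __name__ == "__main__":
    print(SAMPLE["version"], "->", triage(SAMPLE, SAMPLE["version"]))
```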