Description
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Identity Manager. While the vulnerability is in Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Core component of Oracle Identity Manager. The flaw allows a low‑privileged attacker who can reach the system over T3 or IIOP to take control of the service, leading to full compromise. An attacker can disclose confidential data, alter system configuration, and deny service to legitimate users, resulting in serious confidentiality, integrity, and availability impact.

Affected Systems

Oracle Corporation Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 are affected by this flaw.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 9.9, indicating critical severity. The EPSS score is listed as <1%, which reflects a low probability of exploitation, though the risk remains high due to the attack surface exposed by T3 and IIOP. The flaw is not listed in CISA’s KEV catalog, but its scope change can impact additional Oracle Fusion Middleware products if the Identity Manager service becomes compromised.

Generated by OpenCVE AI on June 17, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle security patch for Identity Manager for affected versions (12.2.1.4.x or 14.1.2.1.x).
  • If an immediate patch is unavailable, harden network exposure by blocking T3 and IIOP traffic to the Identity Manager nodes from all untrusted networks.
  • Configure logging and monitoring for authentication failures or anomalous activity on the Identity Manager service and review logs regularly for evidence of exploitation attempts.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Values added (the Values Removed column is empty):

  • Description: Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Identity Manager. While the vulnerability is in Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
  • First Time appeared: Oracle; Oracle Identity Manager
  • CPEs: cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle Identity Manager
  • References: none listed
  • Metrics: cvssV3_1, score 9.9, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:19:39.740Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35268

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:15:03Z

Weaknesses

No weakness.