Description
Vulnerability in the Oracle Virtual Directory product of Oracle Fusion Middleware (component: Virtual Directory Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Virtual Directory. Successful attacks of this vulnerability can result in takeover of Oracle Virtual Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unrestricted LDAP access permits an unauthenticated attacker to compromise the Oracle Virtual Directory server, resulting in complete loss of confidentiality, integrity, and availability. The vulnerability enables the attacker to fully take over the service, executing arbitrary commands or manipulating directory information as described in the official advisory.

Affected Systems

Oracle Virtual Directory products from Oracle Corporation, specifically versions 12.2.1.4.0 and 14.1.2.0.0, are affected by this flaw as stated in the vendor‑issued security alert.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 9.8, which rates as Critical. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the near term, and the vulnerability is not listed in CISA KEV. Attackers can reach the system over the network using LDAP, so public-facing or inadequately secured LDAP endpoints present the most probable entry point. Given the impact and the low attack complexity (AC:L in the CVSS vector), the risk is regarded as critical for exposed deployments.

Generated by OpenCVE AI on June 17, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle’s latest security patch or upgrade to a version that includes the fix for Virtual Directory
  • Restrict LDAP traffic using firewall or ACLs so that only trusted IP addresses can reach the LDAP service
  • Enforce logging and continuous monitoring of LDAP authentication attempts to detect unauthorized activity
  • If a patch is unavailable, consider disabling the LDAP interface on untrusted networks to block attackers

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Virtual Directory product of Oracle Fusion Middleware (component: Virtual Directory Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Virtual Directory. Successful attacks of this vulnerability can result in takeover of Oracle Virtual Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle virtual Directory
CPEs | | cpe:2.3:a:oracle:virtual_directory:12.2.1.4.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:virtual_directory:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle virtual Directory
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:37:52.896Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35312

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:00:12Z

Weaknesses

No weakness.