Impact
An unauthenticated attacker able to connect to the LDAP service of Oracle Unified Directory can fully compromise the directory database, gaining control of credentials, configuration, and management functions. The flaw allows the attacker to read and modify all confidential data, tamper with system integrity, and disrupt service availability, resulting in a total loss of confidentiality, integrity, and availability as reflected by the CVSS 3.1 Base Score of 9.8. The vulnerability is caused by improper authentication handling within the LDAP component, enabling an attacker to perform privileged actions without credentials.
Affected Systems
Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 are affected. These versions are part of Oracle Fusion Middleware and provide directory services accessed over the network via LDAP. Any deployment of the specified products that is exposed to external or untrusted networks is at risk.
Risk and Exploitability
The CVSS score of 9.8 indicates critical risk. The EPSS score of less than 1% suggests that, although the flaw is easy to exploit, it is currently unlikely to be exploited widely in the wild. The vulnerability is reachable over the standard LDAP ports without authentication, so any network attacker who can reach those ports can exploit it. The flaw is not listed in the CISA KEV catalog, meaning no widespread exploitation has been confirmed, but the potential damage warrants immediate action.
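The two sections above give a vulnerability manager everything needed to rank remediation: the exact affected versions, the observation that exposure to untrusted networks is what makes a deployment at risk, and the CVSS/EPSS/KEV signals. The following triage helper is an added example, not code from OpenCVE or Oracle; the inventory it runs over is constructed, and the hostnames, the `ldap_reachable_from_untrusted` field and the priority tiers are assumptions chosen to mirror the advisory's reasoning. It treats only the two listed versions as affected and reports anything else as "not listed" rather than "safe", because the advisory gives no patch-level information.

```python
"""Triage helper for the Oracle Unified Directory LDAP advisory (added example).

Not OpenCVE's or Oracle's code. The inventory below is constructed; hostnames,
the exposure flag and the priority tiers are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Versions the advisory names as affected (exact match only; the page gives no
# patch-level data, so other versions are "not_listed", never "safe").
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.1.0"}

# Advisory signals as stated on the page.
CVSS_BASE = 9.8
EPSS_BELOW_ONE_PERCENT = True
IN_CISA_KEV = False


@dataclass
class OudHost:
    name: str
    version: str
    ldap_reachable_from_untrusted: bool  # assumed inventory field


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.2.1.4.0' into (12, 2, 1, 4, 0); raise ValueError on junk."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def affected_status(version: str) -> str:
    """'affected' for a listed version, 'not_listed' otherwise, 'unknown' if unparseable."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unknown"
    listed = {parse_version(v) for v in AFFECTED_VERSIONS}
    return "affected" if parsed in listed else "not_listed"


def priority(host: OudHost, in_kev: bool = IN_CISA_KEV) -> int:
    """1 = act now, 4 = track. Mirrors the advisory's reasoning:
    an affected host reachable from untrusted networks is critical (no auth
    needed, CVSS 9.8); a KEV listing would raise every affected host to P1
    regardless of exposure; a low EPSS does not lower the tier, since the
    flaw is easy to exploit once the port is reachable."""
    status = affected_status(host.version)
    if status == "affected":
        return 1 if (host.ldap_reachable_from_untrusted or in_kev) else 2
    # Version not on the list or unreadable: exposure still deserves a
    # version check, because exact-match logic cannot prove the host is safe.
    return 3 if host.ldap_reachable_from_untrusted else 4


def triage(hosts: List[OudHost]) -> List[OudHost]:
    """Return hosts ordered by priority tier, then name, for a work queue."""
    return sorted(hosts, key=lambda h: (priority(h), h.name))


# Constructed sample inventory (hostnames and flags are made up).
SAMPLE_INVENTORY = [
    OudHost("dir-old-04", "unknown", False),
    OudHost("dir-lab-03", "12.2.1.3.0", True),
    OudHost("dir-corp-02", "14.1.2.1.0", False),
    OudHost("dir-dmz-01", "12.2.1.4.0", True),
]

if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        print(f"P{priority(h)}  {h.name:12} {h.version:12} "
              f"{'EXPOSED' if h.ldap_reachable_from_untrusted else 'internal'} "
              f"({affected_status(h.version)})")
```

Because the tiering keys on exposure, the same script doubles as a list of hosts where the interim mitigation (restricting which networks can reach the LDAP ports) buys the most until the affected versions are patched.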
OpenCVE Enrichment