Impact
Oracle Identity Manager contains a flaw in its OIM Legacy UI component that allows an unauthenticated attacker to send specially crafted requests over the T3 or IIOP protocols, bypassing authentication and enabling complete compromise of the Identity Manager instance. The vulnerability results in loss of confidentiality, integrity, and availability, and represents an improper access control weakness (CWE‑306).
Affected Systems
The affected product is Oracle Corp’s Identity Manager, specifically versions 12.2.1.4.0 and 14.1.2.1.0. The bug resides in the OIM Legacy UI component of Oracle Fusion Middleware; no other vendors or products are listed in the CVE record.
Risk and Exploitability
With a CVSS v3.1 base score of 9.8, the flaw poses a high severity risk across all CIA categories. The EPSS score is less than 1%, indicating that while exploitation is straightforward, the likelihood of a real‑world attack remains low at present. Authentication is not required, so an attacker can hijack the Identity Manager over the network via T3 or IIOP and assume complete administrative control.
OpenCVE Enrichment