Description
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The supported version that is affected is 11.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
Published: 2026-06-16
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Remote Administration Daemon component of Oracle Solaris 11.4. An unauthenticated attacker who can send HTTPS requests to the daemon can exploit the flaw to compromise the system, enabling unauthorized creation, deletion, or modification of critical data and full access to all data accessible by the Solaris instance. The flaw effectively provides remote code execution or privilege escalation that changes scope, resulting in complete confidentiality and integrity compromise while availability is not directly affected.

Affected Systems

Only Oracle Solaris 11.4 is affected, specifically the Remote Administration Daemon component. No other versions or products were identified as vulnerable according to the current advisory.

Risk and Exploitability

The CVSS base score of 10.0 indicates maximum severity, with Confidentiality and Integrity both at high impact and a scope change. The EPSS score is listed as < 1%, suggesting current exploit likelihood is low, and the vulnerability is not yet listed in CISA KEV. Nevertheless, the high severity and potential for full system compromise mean that immediate action is recommended. The attack vector is an unauthenticated HTTPS connection to the vulnerable service, implying that an attacker must be able to reach the RAD port over the network.

Generated by OpenCVE AI on June 17, 2026 at 18:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle Solaris 11.4 security patch that addresses the Remote Administration Daemon vulnerability as detailed in Oracle’s security alert.
  • Disable the Remote Administration Daemon service if it is not required, or restrict its availability to trusted hosts via firewall rules.
  • Monitor network traffic on the RAD port for anomalous HTTPS connections and log authentication attempts to detect potential exploitation.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The supported version that is affected is 11.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
First Time appeared | | Oracle; Oracle solaris
CPEs | | cpe:2.3:a:oracle:solaris:11.4:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle solaris
References | |
Metrics | | cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T17:10:13.494Z

Reserved: 2026-05-18T15:55:10.314Z

Link: CVE-2026-46978

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T04:00:02Z

Weaknesses

No weakness.