CVE-2021-35587

CRITICAL KEV NUCLEI

Oracle Fusion Middleware - OpenSSO Agent - Unauthenticated RCE

Title source: llm

Description

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (3)

inthewild SCANNER · poc
https://github.com/antx-code/cve-2021-35587

inthewild SCANNER · poc
https://github.com/zz-socmap/cve-2021-35587

metasploit WORKING POC EXCELLENT
by Jang, Peterjson, Y4er, sfewer-r7 · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/oracle_access_manager_rce_cve_2021_35587.rb

Nuclei Templates (1)

Oracle Access Manager - Remote Code Execution
CRITICAL VERIFIED by cckuailong
Shodan: http.title:"Oracle Access Management" || http.title:"oracle access management" || http.html:"/oam/pages/css/login_page.css"
FOFA: body="/oam/pages/css/login_page.css" || title="oracle access management"

Scores

CVSS v3 9.8
EPSS 0.9423
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-11-28
VulnCheck KEV 2022-11-28
InTheWild.io 2022-11-28
ENISA EUVD EUVD-2021-22223
CWE
CWE-306
Status published
Products (3)
oracle/access_manager 11.1.2.3.0
oracle/access_manager 12.2.1.3.0
oracle/access_manager 12.2.1.4.0
Published Jan 19, 2022
KEV Added Nov 28, 2022
Tracked Since Feb 18, 2026