CVE-2021-35587

CRITICAL KEV NUCLEI

Oracle Fusion Middleware - OpenSSO Agent - Unauthenticated RCE

Title source: llm

Exploitation Summary

CVE-2021-35587 is actively exploited and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on November 28, 2022. EIP tracks 3 public exploits: two scanner repositories that only check for exposure indicators, and the Metasploit module exploits/multi/http/oracle_access_manager_rce_cve_2021_35587 (credited to Jang, Peterjson, Y4er and sfewer-r7), which achieves unauthenticated remote code execution. A Nuclei detection template is also available.

AI-analyzed exploit summary (covers the antx-code scanner repository, not the Metasploit module): The repository contains a scanner for CVE-2021-35587, which checks for the presence of specific headers and content in the response from the Oracle Access Manager endpoint. It does not include exploit code but verifies vulnerability indicators.

Description

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (3)

inthewild · SCANNER · poc
https://github.com/antx-code/cve-2021-35587

The repository contains a scanner for CVE-2021-35587, which checks for the presence of specific headers and content in the response from the Oracle Access Manager endpoint. It does not include exploit code but verifies vulnerability indicators.

Classification: Scanner (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Oracle Access Manager
Authentication: none needed
Prerequisites: Network access to the target Oracle Access Manager instance
Analyzed by devstral-2, Feb 23, 2026
inthewild · SCANNER · poc
https://github.com/zz-socmap/cve-2021-35587

This script checks for the presence of Oracle Access Manager's vulnerable endpoint and specific headers/text to identify potential vulnerability to CVE-2021-35587. It does not exploit the vulnerability but scans for indicators of exposure.

Classification: Scanner (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Oracle Access Manager (OAM)
Authentication: none needed
Prerequisites: Network access to the target Oracle Access Manager instance
Analyzed by devstral-2, Feb 23, 2026
metasploit · WORKING POC · EXCELLENT
by Jang, Peterjson, Y4er, sfewer-r7 · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/oracle_access_manager_rce_cve_2021_35587.rb

This Metasploit module exploits an unauthenticated deserialization vulnerability (CVE-2021-35587) in Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. It leverages a gadget chain to achieve remote code execution by sending a malicious serialized payload to the `/oam/server/opensso/sessionservice` endpoint.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle Access Manager (OAM) 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
Authentication: none needed
Prerequisites: Network access to the target OAM server · Vulnerable version of Oracle Access Manager
Analyzed by devstral-2, Feb 16, 2026

Nuclei Templates (1)

Oracle Access Manager - Remote Code Execution
CRITICAL · VERIFIED · by cckuailong
Shodan: http.title:"Oracle Access Management" || http.title:"oracle access management" || http.html:"/oam/pages/css/login_page.css"
FOFA: body="/oam/pages/css/login_page.css" || title="oracle access management"
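The two scanner repositories above only check for exposure indicators rather than exploiting anything, and the Shodan/FOFA queries give the page-level fingerprint (the HTML title "Oracle Access Management" and the `/oam/pages/css/login_page.css` stylesheet path). The following is an added example, not code from either scanner repository, from the Nuclei template, or from the Metasploit module: an offline triage routine that applies those indicators to captured HTTP responses and separately records whether the `/oam/server/opensso/sessionservice` path the Metasploit module targets answered at all. The sample responses are constructed; the reachability heuristic (any 2xx/3xx reply from that path) is an assumption, and a positive result means the OpenSSO agent service is exposed, not that the host is unpatched.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the Shodan/FOFA queries listed on this page.
OAM_TITLE_RE = re.compile(r"<title>\s*oracle access management\s*</title>", re.IGNORECASE)
OAM_CSS_PATH = "/oam/pages/css/login_page.css"
# Endpoint named in the Metasploit module description on this page.
OPENSSO_SESSION_SERVICE = "/oam/server/opensso/sessionservice"


@dataclass
class HttpResponse:
    """Minimal captured response; headers kept for completeness but unused here."""
    path: str
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def is_oam_login_page(resp: HttpResponse) -> bool:
    """True if the body carries either page-level OAM fingerprint."""
    return bool(OAM_TITLE_RE.search(resp.body)) or OAM_CSS_PATH in resp.body


def opensso_service_reachable(resp: HttpResponse) -> bool:
    """Assumed heuristic: a 2xx/3xx from the sessionservice path means the agent
    service is exposed to this client. A 4xx is treated as not reachable."""
    return resp.path == OPENSSO_SESSION_SERVICE and 200 <= resp.status < 400


def triage(responses) -> dict:
    """Classify a host from a set of captured responses.

    Returns one of: oam_opensso_exposed, opensso_endpoint_only,
    oam_login_only, not_oam. None of these proves the version is vulnerable;
    confirm 11.1.2.3.0 / 12.2.1.3.0 / 12.2.1.4.0 and patch level separately.
    """
    oam = any(is_oam_login_page(r) for r in responses)
    opensso = any(opensso_service_reachable(r) for r in responses)
    if oam and opensso:
        status = "oam_opensso_exposed"
    elif opensso:
        status = "opensso_endpoint_only"  # weak signal: endpoint answers but no OAM fingerprint
    elif oam:
        status = "oam_login_only"
    else:
        status = "not_oam"
    return {"oam_detected": oam, "opensso_reachable": opensso, "status": status}


# Constructed sample captures (not real hosts).
SAMPLE_EXPOSED = [
    HttpResponse("/oam/server/", 200,
                 body='<html><head><title>Oracle Access Management</title>'
                      '<link rel="stylesheet" href="/oam/pages/css/login_page.css"></head></html>'),
    HttpResponse(OPENSSO_SESSION_SERVICE, 200, body=""),
]
SAMPLE_LOGIN_ONLY = [
    HttpResponse("/oam/server/", 200,
                 body='<html><head><title>Oracle Access Management</title></head></html>'),
    HttpResponse(OPENSSO_SESSION_SERVICE, 404, body="Not Found"),
]
SAMPLE_ENDPOINT_ONLY = [
    HttpResponse("/", 200, body="<html><head><title>Welcome</title></head></html>"),
    HttpResponse(OPENSSO_SESSION_SERVICE, 200, body=""),
]
SAMPLE_OTHER = [
    HttpResponse("/", 200, body="<html><head><title>Welcome</title></head></html>"),
    HttpResponse(OPENSSO_SESSION_SERVICE, 404, body=""),
]

if __name__ == "__main__":
    for name, sample in [("exposed", SAMPLE_EXPOSED), ("login_only", SAMPLE_LOGIN_ONLY),
                         ("endpoint_only", SAMPLE_ENDPOINT_ONLY), ("other", SAMPLE_OTHER)]:
        print(name, triage(sample))
```

The routine deliberately keeps the two signals apart: the login-page fingerprint is what the Shodan/FOFA dorks find, while the sessionservice reply is what matters for the Metasploit module's attack surface. A host that only shows the login page may still be vulnerable behind a path restriction, and a host that answers on sessionservice may already be patched, so either result is a prioritisation hint, not a verdict.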

Scores

CVSS v3 9.8
EPSS 0.9427
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-11-28
VulnCheck KEV 2022-11-28
InTheWild.io 2022-11-28
ENISA EUVD EUVD-2021-22223
CWE
CWE-306
Status published
Products (3)
oracle/access_manager 11.1.2.3.0
oracle/access_manager 12.2.1.3.0
oracle/access_manager 12.2.1.4.0
Published Jan 19, 2022
KEV Added Nov 28, 2022
Tracked Since Feb 18, 2026