PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35268 Oracle Corporation CVE debrief

A critical vulnerability was discovered in Oracle Fusion Middleware's Identity Manager product, tracked as CVE-2026-35268. The vulnerability has a CVSS score of 9.9 and allows a low-privileged attacker with network access to compromise the Identity Manager. The vulnerability is located in the Core component of Identity Manager and can be exploited via T3 and IIOP protocols. Successful attacks can lead to a complete takeover of the Identity Manager, and potentially impact additional products due to the scope change. Organizations using Oracle Fusion Middleware's Identity Manager product, particularly versions 12.2.1.4.0 and 14.1.2.1.0, should prioritize patching this vulnerability.

Vendor
Oracle Corporation
Product
Identity Manager
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-18
Advisory published
2026-06-17
Advisory updated
2026-06-18

Who should care

Organizations using Oracle Fusion Middleware's Identity Manager product, particularly versions 12.2.1.4.0 and 14.1.2.1.0, should prioritize patching this vulnerability. The vulnerability has a CVSS score of 9.9 and allows a low-privileged attacker with network access to compromise the Identity Manager. Successful attacks can lead to a complete takeover of the Identity Manager, and potentially impact additional products due to the scope change.

Technical summary

The vulnerability is located in the Core component of Identity Manager and can be exploited via T3 and IIOP protocols. Successful attacks can lead to a complete takeover of the Identity Manager, and potentially impact additional products due to the scope change. The CVSS score is 9.9, indicating a critical severity. The vulnerability allows a low-privileged attacker with network access to compromise the Identity Manager. The affected versions are 12.2.1.4.0 and 14.1.2.1.0.

Defensive priority

High priority should be given to patching this vulnerability due to its critical severity and potential for significant impact.

Recommended defensive actions

  • Apply the patch provided by Oracle Corporation as soon as possible
  • Review and update network access controls to limit exposure
  • Monitor Identity Manager systems for suspicious activity
  • Consider implementing compensating controls if patching is not immediately feasible
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-06-17T10:40:19.020Z and last modified on 2026-06-18T04:16:46.077Z. The NVD entry is currently Analyzed. This vulnerability affects Oracle Fusion Middleware's Identity Manager product, particularly versions 12.2.1.4.0 and 14.1.2.1.0. The vulnerability is located in the Core component and can be exploited via T3 and IIOP protocols. The CVSS score is 9.9, indicating a critical severity. The scope change may significantly impact additional products. Successful attacks can result in takeover of Identity Manager.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:40:19.020Z and has not been modified since then. The NVD entry is currently Analyzed.