PatchSiren cyber security CVE debrief
CVE-2026-35268 Oracle Corporation CVE debrief
A critical vulnerability was discovered in Oracle Fusion Middleware's Identity Manager product, tracked as CVE-2026-35268. The vulnerability has a CVSS score of 9.9 and allows a low-privileged attacker with network access to compromise the Identity Manager. The vulnerability is located in the Core component of Identity Manager and can be exploited via T3 and IIOP protocols. Successful attacks can lead to a complete takeover of the Identity Manager, and potentially impact additional products due to the scope change. Organizations using Oracle Fusion Middleware's Identity Manager product, particularly versions 12.2.1.4.0 and 14.1.2.1.0, should prioritize patching this vulnerability.
- Vendor
- Oracle Corporation
- Product
- Identity Manager
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-18
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-18
Who should care
Organizations using Oracle Fusion Middleware's Identity Manager product, particularly versions 12.2.1.4.0 and 14.1.2.1.0, should prioritize patching this vulnerability. The vulnerability has a CVSS score of 9.9 and allows a low-privileged attacker with network access to compromise the Identity Manager. Successful attacks can lead to a complete takeover of the Identity Manager, and potentially impact additional products due to the scope change.
Technical summary
The vulnerability is located in the Core component of Identity Manager and can be exploited via T3 and IIOP protocols. Successful attacks can lead to a complete takeover of the Identity Manager, and potentially impact additional products due to the scope change. The CVSS score is 9.9, indicating a critical severity. The vulnerability allows a low-privileged attacker with network access to compromise the Identity Manager. The affected versions are 12.2.1.4.0 and 14.1.2.1.0.
Defensive priority
High priority should be given to patching this vulnerability due to its critical severity and potential for significant impact.
Recommended defensive actions
- Apply the patch provided by Oracle Corporation as soon as possible
- Review and update network access controls to limit exposure
- Monitor Identity Manager systems for suspicious activity
- Consider implementing compensating controls if patching is not immediately feasible
- Review relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-06-17T10:40:19.020Z and last modified on 2026-06-18T04:16:46.077Z. The NVD entry is currently Analyzed. This vulnerability affects Oracle Fusion Middleware's Identity Manager product, particularly versions 12.2.1.4.0 and 14.1.2.1.0. The vulnerability is located in the Core component and can be exploited via T3 and IIOP protocols. The CVSS score is 9.9, indicating a critical severity. The scope change may significantly impact additional products. Successful attacks can result in takeover of Identity Manager.
Official resources
-
CVE-2026-35268 CVE record
CVE.org
-
CVE-2026-35268 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:40:19.020Z and has not been modified since then. The NVD entry is currently Analyzed.