Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

Oracle Access Manager OpenSSO Agent takeover vulnerability

Identifiers: CVE-2021-35587, CWE-306 · Missing Authentication for…

CVE-2021-35587 is a critical vulnerability in Oracle Access Manager, specifically the OpenSSO Agent component of Oracle Fusion Middleware. Affected versions are 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. Oracle describes it as easily exploitable by an unauthenticated attacker with network access via HTTP. Successful exploitation allows compromise of Oracle Access Manager, and the provided reporting repeatedly characterizes the outcome as full takeover of the OAM service. Supporting reporting also cites this flaw as a plausible or alleged initial access vector in intrusions involving Oracle Cloud login infrastructure, and some sources characterize exploitation as enabling remote code execution on the affected host, but the precise vulnerable function or code path is not provided in the supplied content.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in complete compromise or takeover of Oracle Access Manager, with high impact to confidentiality, integrity, and availability. The supplied content associates exploitation with unauthorized access to identity and authentication infrastructure, exposure of SSO and LDAP-related data, and potential downstream compromise of connected enterprise systems. Multiple sources also describe the practical impact as enabling deep compromise of central identity management services and, in some reporting, remote code execution on the host running Oracle Access Manager.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by removing Oracle Access Manager from direct internet access where feasible, restricting HTTP access to trusted networks, and placing the service behind compensating controls such as WAFs, reverse proxies, and strict network ACLs. Increase monitoring of OAM, SSO, LDAP, and related authentication logs for anomalous access, exploitation attempts, and post-compromise activity. Review connected systems for weak or hard-coded credentials, enforce MFA for administrative access, apply least privilege, and rotate potentially exposed secrets, JKS files, key files, and other authentication artifacts. Given the reported exploitation of legacy endpoints, organizations should also inventory and decommission stale or unmaintained Oracle Fusion Middleware instances.

Remediation

Patch, then assume compromise.

Apply Oracle’s security updates for CVE-2021-35587 and upgrade affected Oracle Access Manager/OpenSSO Agent deployments from vulnerable versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0 to vendor-fixed releases. Because the reporting links exploitation to internet-facing and outdated Oracle Fusion Middleware deployments, organizations should verify patch status across all exposed OAM instances, especially legacy login endpoints, and confirm that unsupported or obsolete systems are retired or upgraded. Where compromise is suspected, rotate passwords, authentication material, keys, certificates, and keystores associated with the affected identity environment, and review for persistence and downstream abuse.
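
The patch-verification step above can be run as a triage pass over an asset inventory. This is an added example, not code from the original page or from Oracle; the inventory columns, host names and sample rows are constructed assumptions, and only the three affected version strings come from this page.

```python
import csv
import io

# Affected versions exactly as listed on this page.
AFFECTED = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}

# Constructed inventory; hosts, versions and column names are assumptions.
SAMPLE_INVENTORY = """host,oam_version,internet_facing,fix_applied,maintained
login-legacy.example.internal,11.1.2.3.0,yes,no,no
sso01.example.internal,12.2.1.4.0,yes,yes,yes
sso02.example.internal,12.2.1.4,no,no,yes
sso03.example.internal,,yes,no,yes
sso04.example.internal,12.2.1.5.0,no,no,yes
"""

def normalize(version):
    """Pad to five numeric parts so '12.2.1.4' compares equal to '12.2.1.4.0'."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None  # empty or non-numeric: treat as unknown, never as safe
    return ".".join((parts + ["0"] * 5)[:5])

def triage(row):
    """Return (priority, action); priority 0 is the most urgent."""
    exposed = row["internet_facing"] == "yes"
    version = normalize(row["oam_version"])
    if version is None:
        return (1 if exposed else 2, "identify version")
    if version not in AFFECTED:
        return (4, "version not in the affected list")
    if row["fix_applied"] == "yes":
        # Patch, then assume compromise: the host may have been hit before the fix.
        return (3, "confirm fix, review logs, rotate secrets if compromise is suspected")
    if row["maintained"] != "yes":
        return (0 if exposed else 1, "restrict access, then retire or upgrade")
    return (0 if exposed else 1, "restrict access, then apply Oracle's update")

def rank(inventory_csv):
    """Sort hosts by urgency; each item is (priority, action, host)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted(triage(r) + (r["host"],) for r in rows)

if __name__ == "__main__":
    for priority, action, host in rank(SAMPLE_INVENTORY):
        print(f"P{priority}  {host:32}  {action}")
```

The fix_applied column has to come from patch records, because an affected version string alone does not show whether the vendor update has been installed.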
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTAL

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Oracle | Access Manager | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
