Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Oracle Access Manager OpenSSO Agent takeover vulnerability

IdentifiersCVE-2021-35587CWE-306· Missing Authentication for…

CVE-2021-35587 is a critical vulnerability in Oracle Access Manager, specifically the OpenSSO Agent component of Oracle Fusion Middleware. Affected supported versions are 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. According to Oracle, the issue is easily exploitable by an unauthenticated attacker with network access via HTTP and can be used to compromise Oracle Access Manager. The provided content does not include Oracle’s root-cause details or the specific vulnerable function, but multiple cited reports characterize the flaw as enabling full compromise of the Oracle Access Manager service and, in some reporting, remote code execution on the underlying host.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in complete takeover of Oracle Access Manager, with high impact to confidentiality, integrity, and availability. The supplied reporting further associates exploitation with unauthorized access to SSO and LDAP-backed identity infrastructure, exposure of authentication material, and in some cases reported remote code execution on the host running the service. Oracle’s CVSS 3.1 base score is 9.8 with impacts rated High for confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting HTTP/HTTPS access to Oracle Access Manager interfaces to trusted networks, removing or isolating internet-facing OAM endpoints where feasible, placing the service behind compensating controls such as WAF/reverse proxy filtering, and increasing monitoring for anomalous access to SSO, LDAP, and administrative functions. Where compromise is suspected, reset passwords, rotate tokens/keys/keystores/certificates, review LDAP and authentication logs, and enforce least privilege and strong MFA for administrative access. These are compensating measures only and do not replace patching.

Remediation

Patch, then assume compromise.

Apply Oracle’s security updates for CVE-2021-35587 and upgrade affected Oracle Access Manager/OpenSSO Agent deployments from vulnerable supported versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0 to fixed releases provided by Oracle. Because the content links this issue to compromise of identity infrastructure, remediation should also include verification that all Oracle Fusion Middleware/OAM instances are fully patched, review of exposed internet-facing login endpoints, and rotation of potentially exposed credentials, keys, certificates, and other authentication material if compromise is suspected.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
OracleAccess Managerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
finra cybersecurity alertsNews
Jan 1, 2026
Cybersecurity Alert - Potential Data Breach of Oracle Cloud | FINRA.org

A possible vulnerability affecting Oracle Fusion Middleware instances that could allow unauthorized access via Oracle Access Manager; it is discussed as a potential cause of the alleged Oracle Cloud-related breach.

Read more
hipaa journalNews
Dec 30, 2025
80 Hospitals May Have Been Affected by the Oracle Health Data Breach

A specific vulnerability (CVE-2021-35587) in Oracle Access Manager that a threat actor (rose87168) claims to have exploited to access an Oracle Cloud server and exfiltrate data (including SSO authentication data and encrypted LDAP passwords).

Read more
dark readingNews
Nov 24, 2025
Critical Flaw in Oracle Identity Manager Under Exploitation

A remote code execution vulnerability in Oracle Access Manager (OAM) referenced as the root cause of an earlier Oracle Cloud breach due to an outdated/unpatched Oracle software version.

Read more
eclecticiq blogNews
Jul 4, 2025
ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications

A specific Oracle Access Manager (OAM) vulnerability (in Oracle Access Manager deployments) that ShinyHunters-linked persona “Yukari” is reported to have exploited to compromise victim environments and enable access leading to data theft/exfiltration.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence3

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2021-35587
NVD
nvd.nist.gov/vuln/detail/CVE-2021-35587
MITRE CWE · CWE-306
Missing Authentication for Critical Function
Vendor Advisory
oracle.com/security-alerts/cpujan2022.html
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35587