HomeVulnerabilitiesCVE-2021-35587
Critical Risk Active Exploitation

CVE-2021-35587

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager.

Share this vulnerability:
⚠️

Confirmed Active Exploitation

This vulnerability is listed in the CISA KEV Catalog. Federal agencies are mandated to patch immediately. Immediate remediation is required.

Exploitation Probability (EPSS)

Critical Priority
94.23%

The Exploit Prediction Scoring System (EPSS) uses machine learning to estimate the probability that a vulnerability will be exploited in the wild within the next 30 days.

0% (Theoretical)100% (Certainty)

7-Day Exploitation Trend

Vulnerability Timeline

2 events
Jan 19, 2022
Vulnerability Disclosed
Published to component-level vulnerability database.
Oct 27, 2025
Last Updated
Record updated with new analysis or tags.

Threat Actor Attribution

PREMIUM INTEL
Associated Groups:Lazarus Group, APT28
Ransomware Campaigns:LockBit 3.0, BlackCat
IoCs (Indicators):14 IPs, 3 Hashes

Remediation & Mitigation

SOLUTION

Official patches and mitigation steps are available for this vulnerability.

# Update Command
apt-get update && apt-get upgrade -y specific-package
# Verify installation
dpkg -l | grep package-name

Affected Products

3 Total
oracle/access_manager11.1.2.3.0
oracle/access_manager12.2.1.3.0
oracle/access_manager12.2.1.4.0

References

https://www.oracle.com/security-alerts/cpujan2022.htmlOracle
Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlOracle
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35587CISA
US Government Resource

Am I Vulnerable?

Check your domain or package.json for CVE-2021-35587 exposure.

Share This Page

Help others discover this vulnerability information

Vulnerability Details

CVSS Base Score
9.8/ 10
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published Date
Jan 19, 2022
Last Modified
Oct 27, 2025
Need API Access?

Integrate this data into your SOAR platform.

View Plans →
Need Manual Validation?

Automated scanners flag false positives. Get a manual pentest validation for this CVE.