Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Oracle states unauthenticated HTTP exploitation of a network-facing OMS component with full integrity and availability loss but no confidentiality impact, matching AV:N/AC:L/PR:N/UI:N/C:N/I:H/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the APM - Application Performance Management product of Oracle Enterprise Manager (component: JADM, JVM Diagnostics). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise APM - Application Performance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all APM - Application Performance Management accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of APM - Application Performance Management. CVSS 3.1 Base Score 9.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
AnalysisAI
Remote unauthenticated tampering and denial-of-service in Oracle Enterprise Manager's APM (Application Performance Management) component, specifically the JADM / JVM Diagnostics module in versions 13.5 and 24.1, allows attackers reachable over HTTP to modify, create, or delete any APM-accessible data and to hang or repeatedly crash the service. The flaw is rated CVSS 9.1 with no privileges or user interaction required, but at time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker needs only network HTTP reachability to the Oracle Management Service of an Enterprise Manager 13.5 or 24.1 deployment with the APM - Application Performance Management plug-in (specifically the JADM / JVM Diagnostics component) installed and enabled; no credentials, no user interaction, and no special client configuration are required (PR:N/UI:N/AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but lean toward elevated priority for any organization that exposes OEM APM beyond the management network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the OMS HTTP listener - for example a foothold on any host inside the management VLAN, or any internal user network that was inadvertently allowed to the OEM console - sends crafted HTTP requests to the JVMD / JADM endpoint and either rewrites APM monitoring records (poisoning dashboards and alert thresholds so real incidents go unnoticed) or triggers a repeatable crash of the APM tier, blinding the operations team during a follow-on attack. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network vector make a working exploit straightforward to develop once the patch is diffed. |
| Remediation | Patch available per vendor advisory - apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for Enterprise Manager 13.5 and 24.1; Oracle's CPU does not enumerate a standalone version string for APM, so administrators must rely on the CPU bundle patches referenced in that advisory and verify via OPatch lsinventory after installation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Oracle Enterprise Manager 13.5 and 24.1 instances and document network access paths to APM/JADM ports; implement firewall rules restricting HTTP access to trusted administrative networks only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37351