Skip to main content

Oracle Enterprise Manager APM CVE-2026-46858

| EUVDEUVD-2026-37351 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
9.1 CRITICAL

Oracle states unauthenticated HTTP exploitation of a network-facing OMS component with full integrity and availability loss but no confidentiality impact, matching AV:N/AC:L/PR:N/UI:N/C:N/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:42 vuln.today

DescriptionCVE.org

Vulnerability in the APM - Application Performance Management product of Oracle Enterprise Manager (component: JADM, JVM Diagnostics). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise APM - Application Performance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all APM - Application Performance Management accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of APM - Application Performance Management. CVSS 3.1 Base Score 9.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

AnalysisAI

Remote unauthenticated tampering and denial-of-service in Oracle Enterprise Manager's APM (Application Performance Management) component, specifically the JADM / JVM Diagnostics module in versions 13.5 and 24.1, allows attackers reachable over HTTP to modify, create, or delete any APM-accessible data and to hang or repeatedly crash the service. The flaw is rated CVSS 9.1 with no privileges or user interaction required, but at time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable OMS HTTP listener
Delivery
Fingerprint EM 13.5/24.1 with APM JVMD enabled
Exploit
Send crafted HTTP request to JADM endpoint
Execution
Bypass missing authorization check
Persist
Tamper APM data or crash JVMD engine
Impact
Loss of monitoring integrity and DoS of APM

Vulnerability AssessmentAI

Exploitation The attacker needs only network HTTP reachability to the Oracle Management Service of an Enterprise Manager 13.5 or 24.1 deployment with the APM - Application Performance Management plug-in (specifically the JADM / JVM Diagnostics component) installed and enabled; no credentials, no user interaction, and no special client configuration are required (PR:N/UI:N/AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but lean toward elevated priority for any organization that exposes OEM APM beyond the management network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the OMS HTTP listener - for example a foothold on any host inside the management VLAN, or any internal user network that was inadvertently allowed to the OEM console - sends crafted HTTP requests to the JVMD / JADM endpoint and either rewrites APM monitoring records (poisoning dashboards and alert thresholds so real incidents go unnoticed) or triggers a repeatable crash of the APM tier, blinding the operations team during a follow-on attack. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network vector make a working exploit straightforward to develop once the patch is diffed.
Remediation Patch available per vendor advisory - apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for Enterprise Manager 13.5 and 24.1; Oracle's CPU does not enumerate a standalone version string for APM, so administrators must rely on the CPU bundle patches referenced in that advisory and verify via OPatch lsinventory after installation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Oracle Enterprise Manager 13.5 and 24.1 instances and document network access paths to APM/JADM ports; implement firewall rules restricting HTTP access to trusted administrative networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46858 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy