Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle's description explicitly states unauthenticated network exploitation via RMI leading to product takeover, justifying AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H; no scope change across security authorities.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in takeover of Oracle Unified Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 is possible via the OUD Core component's RMI interface, allowing unauthenticated network attackers to fully compromise the LDAP directory service. Oracle rates this CVSS 9.8 with confidentiality, integrity, and availability impacts; no public exploit identified at time of analysis and it is not currently listed in CISA KEV, but the RMI attack surface and trivial complexity make it a high-priority patching target.
Technical ContextAI
Oracle Unified Directory (OUD) is the LDAPv3-compliant directory server in the Oracle Fusion Middleware identity stack, used for storing user, group, and policy data that other Oracle and third-party applications consume for authentication and authorization. The affected attack surface is Java RMI (Remote Method Invocation), historically the source of numerous Fusion Middleware takeover bugs through unsafe Java deserialization of attacker-controlled object streams. Oracle did not publish a CWE, but the combination of an RMI vector, unauthenticated network exploitability, and a 'takeover' outcome is strongly consistent with the CWE-502 (Deserialization of Untrusted Data) pattern seen across prior OUD/WebLogic RMI advisories. The affected CPE is cpe:2.3:a:oracle_corporation:oracle_unified_directory:*:*:*:*:*:*:*:* covering the OUD Core component.
RemediationAI
Patch available per vendor advisory - apply the fixes shipped in the Oracle Critical Patch Update of June 2026 for Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle CPUs typically require the corresponding Bundle/Stack Patch, so consult the advisory for the exact patch IDs for your release. Until patching is complete, restrict network access to the OUD RMI listener port (default 1689 for the administration connector, plus any custom RMI registry/JMX ports) to trusted management hosts only via host firewalls or network ACLs, since this directly removes the documented attack vector; the trade-off is that remote JMX-based monitoring and administration tooling from outside the allow-list will break. If RMI-based administration is not used, consider disabling the administration connector entirely in config.ldif, accepting that you will then need to administer OUD via dsconfig over a local/SSH-tunneled session.
More in Oracle Unified Directory
View allUnauthenticated LDAP-based takeover of Oracle Unified Directory affects supported versions 12.2.1.4.0 and 14.1.2.1.0 wit
Unauthenticated LDAP-based compromise of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 allows remote attackers to c
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37293