Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
LDAP is network-reachable (AV:N), Oracle describes exploitation as easy and unauthenticated with no user interaction (AC:L/PR:N/UI:N), and full takeover implies C:H/I:H/A:H within OVD's scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Virtual Directory product of Oracle Fusion Middleware (component: Virtual Directory Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Virtual Directory. Successful attacks of this vulnerability can result in takeover of Oracle Virtual Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote unauthenticated takeover of Oracle Virtual Directory 12.2.1.4.0 and 14.1.2.0.0 is possible via crafted LDAP traffic, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The flaw lives in the Virtual Directory Server component of Oracle Fusion Middleware and is described by Oracle as easily exploitable over the network with no authentication or user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
Oracle Virtual Directory (OVD) is an LDAP virtualization layer in Oracle Fusion Middleware that proxies and aggregates identity data from multiple back-end directories (Active Directory, OID, databases) into a single LDAP-accessible view, commonly fronting downstream applications such as Oracle Access Manager and SOA components. The vulnerable component is identified by Oracle as the Virtual Directory Server, the daemon that terminates LDAP/LDAPS connections and parses BER/ASN.1-encoded LDAP PDUs before dispatching them to adapter plug-ins. No CWE was assigned by Oracle, but the combination of LDAP attack surface, pre-authentication reachability, and 'takeover' impact is characteristic of memory-corruption or deserialization/injection flaws in protocol parsing or bind-handling code paths (CWE-20/CWE-502/CWE-94 family). The single CPE provided (cpe:2.3:a:oracle_corporation:oracle_virtual_directory) narrows the affected surface to OVD itself rather than the broader Fusion Middleware stack.
RemediationAI
Apply the patches shipped in the Oracle Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html for Oracle Virtual Directory 12.2.1.4.0 and 14.1.2.0.0; exact patched build numbers should be taken from that advisory (no specific fix version is included in the input data, so treat 'patch available per vendor advisory' as the current status). Until the CPU patch can be staged through change control, restrict network reachability to the OVD LDAP/LDAPS listeners (typically TCP 389 and 636) so that only trusted identity-tier hosts and downstream Fusion Middleware components can connect, ideally enforced at a firewall or service mesh rather than only at the OVD ACL layer; this preserves OVD function for legitimate consumers but breaks any directory clients that were connecting from broader network segments. If OVD is exposed beyond the internal identity tier, terminate that exposure (or front it with an LDAP-aware proxy that drops anonymous binds and unusual operations) and monitor the OVD and OS logs for unexpected bind, search, or extended-operation traffic from non-allowlisted sources. Do not rely on disabling anonymous bind alone as a mitigation, since the CVSS vector indicates PR:N exploitation that does not require authenticated context.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37438