External risk intelligence

Oracle Fusion Middleware Identity Manager Takeover Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-35268

A critical vulnerability in Oracle Fusion Middleware Identity Manager allows a low-privileged attacker with network access to potentially take over the system, impacting connected products. The vulnerability, which affects core identity management functions, carries a high severity score, indicating severe impacts on c

Halo Surface Signal

Possible · external exposure


The vulnerability affects Oracle Fusion Middleware Identity Manager via T3 or IIOP protocols. These protocols are typically used for internal application communication and middleware management rather than direct public internet exposure, though they may be reachable in some specific network architectures.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle Fusion Middleware's Identity Manager product, potentially allowing a low-privileged attacker with network access to compromise the system and significantly impact other connected products. This issue carries a high CVSS base score of 9.9, indicating severe impacts on confidentiality, integrity, and availability. While the vulnerability lies within Identity Manager, its scope can extend to other products, making a thorough understanding of its relevance and potential exposure crucial for leadership.

  • Attackers can potentially take over Identity Manager.
  • It affects core identity and access systems.
  • Confirming relevance and exposure is the main concern.

Attack Path

How an attacker could exploit the issue

An attacker with limited privileges could exploit this vulnerability by leveraging network access through T3 or IIOP protocols. This could allow them to compromise the Identity Manager component within Oracle Fusion Middleware. Successful exploitation could lead to a complete takeover of the Identity Manager, potentially impacting other connected products.

  • Low-privileged attacker with network access.
  • Exploits Identity Manager via T3 or IIOP.
  • Risk of Identity Manager takeover.

Live Threat

Current exploitation, exposure, and threat context

A low-privileged attacker with network access could exploit this vulnerability in Oracle Fusion Middleware's Identity Manager. Successful exploitation could lead to a takeover of Identity Manager, potentially impacting additional connected products.

  • Identity Manager product data.
  • Network access via T3, IIOP.
  • Takeover of Identity Manager.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given that the vulnerability is in Oracle Fusion Middleware Identity Manager, affected teams likely include application owners responsible for the Identity Manager product, the platform team managing Fusion Middleware, and potentially network or security teams if T3/IIOP protocols are exposed externally. The first practical move should be to identify all instances of the affected Identity Manager, determine their reachability and business criticality, locate the accountable owner for each instance, and then prioritize remediation efforts based on assessed risk.

  • Application and platform teams own this.
  • Verify Identity Manager reachability and criticality.
  • Plan remediation based on risk assessment.
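The triage steps above can be scripted. The following is an added example, not part of the original advisory or any vendor tooling: it checks whether each inventoried listener accepts a TCP connection from the zone where the script runs, then ranks instances for remediation. The inventory entries, the port value (a placeholder, since the advisory gives no port numbers) and the priority scheme are assumptions.

```python
import socket
from dataclasses import dataclass

@dataclass
class Instance:
    name: str         # inventory label (constructed)
    host: str
    port: int         # listener that carries T3/IIOP; site-specific placeholder
    criticality: int  # 1 = low ... 3 = business critical
    owner: str        # accountable team; "" when nobody has been identified

def tcp_reachable(host, port, timeout=2.0):
    """Return True if a plain TCP connect succeeds from where this script runs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(instances, vantage_trusted, probe=tcp_reachable):
    """Rank instances for remediation; a lower priority number means fix first.

    vantage_trusted is False when the script runs from a non-trusted zone.
    The scoring is an illustrative assumption, not vendor guidance.
    """
    findings = []
    for inst in instances:
        reachable = probe(inst.host, inst.port)
        if reachable and not vantage_trusted:
            priority = 1   # listener answers from a non-trusted zone
        elif reachable:
            priority = 2 if inst.criticality >= 3 else 3
        else:
            priority = 4   # filtered from this zone; still needs remediation
        findings.append({"name": inst.name, "reachable": reachable,
                         "priority": priority,
                         "owner": inst.owner or "UNASSIGNED"})
    # Most urgent first; within one priority, most business-critical first.
    crit = {i.name: i.criticality for i in instances}
    return sorted(findings, key=lambda f: (f["priority"], -crit[f["name"]]))

if __name__ == "__main__":
    # Constructed inventory: documentation addresses, placeholder port.
    inventory = [
        Instance("oim-prod", "192.0.2.10", 7001, 3, "iam-platform"),
        Instance("oim-test", "192.0.2.20", 7001, 1, ""),
    ]
    for row in triage(inventory, vantage_trusted=False):
        print(row)
```

A successful connect only shows that the port is open from that zone; whether T3 or IIOP is enabled on it still has to be confirmed with the platform team.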

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35268 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Oracle Identity Manager allows an attacker to take over the system. Exploitation requires network access and low privileges, making it a significant risk.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Oracle Fusion Middleware Identity Manager?

Identity Manager is a core component within Oracle Fusion Middleware designed to centralize and automate user access and digital identity lifecycles across an organization. It acts as a central hub for managing accounts, permissions, and security policies for various enterprise applications. By providing this unified framework, it helps administrators control who can access specific resources, ensuring that identity-related processes are consistent and secure throughout the IT environment.

What does CWE-284 mean for CVE-2026-35268?

CWE-284 classifies this vulnerability as an Improper Access Control issue. In the context of CVE-2026-35268, this means the software fails to properly verify or restrict the actions of a user, allowing them to perform tasks they should not be permitted to do. Because the system does not adequately enforce these boundaries, a low-privileged user can leverage this weakness to gain unauthorized control over the Identity Manager component.

How can an attacker trigger this vulnerability?

An attacker needs network access to the Identity Manager using specific protocols, namely T3 or IIOP, to initiate the exploit. It is important to note that this bug is not triggered by standard web browsing or simple HTTP traffic. The attacker must be able to interact directly with these middleware-specific communication channels to send the malicious requests that lead to a system takeover.

Is my Identity Manager instance at risk?

Halo Surface Signal notes that T3 and IIOP protocols are typically used for internal application communication rather than being exposed directly to the public internet. However, your instance may be at higher risk if your network architecture inadvertently makes these protocols reachable from outside your protected environment. Assessing whether these specific ports are accessible from non-trusted network zones is a key step in evaluating your local risk.

How should I respond to this threat?

Start by identifying all deployed instances of the affected Identity Manager versions within your infrastructure. Once located, work with your platform and network teams to verify the reachability of these instances and confirm who is responsible for their maintenance. Use this information to prioritize patching or restricting access to the identified systems, focusing your efforts on those that are most critical to your business operations.
