A patched vulnerability found in Oracle’s Fusion Middleware Access Manager (OAM) is currently under active exploitation. CVE-2021-35587 allows attackers with network access via HTTP to take over the Access Manager product. Oracle Fusion Middleware is a cloud platform used by large factories and telecom carriers.
CVE-2021-35587 has a CVSS base score of 9.8 and has been placed on the Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV). As stated, the vulnerability was patched in January 2022, but if CISA is adding it to the KEV catalog then it means that one or more systems were not updated within the appropriate time frame - enabling attackers to exploit it.
Security researcher Nguyen Jang, who contributed to reporting the bug, stated earlier in the year that the flaw could “give an attacker access to the OAM server, to create any user with any privileges or just get code execution in the victim’s server.” There are no details regarding the nature of the current attacks or the scale of exploitation efforts. However, data from the intelligence firm GreyNoise shows that attempts to exploit CVE-2021-35587 are ongoing and originate from Germany, the U.S., Canada, and Singapore.
CVE-2021-35587 affects the following versions of Oracle Access Manager:
The flaw also affects Oracle WebLogic Server:
At this time, there are no known IoCs associated with CVE-2021-35587. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.