This vulnerability affects Oracle Virtual Directory, a component of Oracle Fusion Middleware, specifically versions 12.2.1.4.0 and 14.1.2.0.0. It permits an unauthenticated attacker with network access via LDAP to compromise the product, potentially resulting in complete takeover. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects that the attack requires no privileges or user interaction and can be performed remotely with low complexity, causing high confidentiality, integrity, and availability impacts. Oracle's June 2026 Critical Security Patch Update includes patches for this vulnerability. Oracle strongly recommends applying these patches without delay to prevent exploitation. Until patches are applied, risk reduction may be possible by blocking required network protocols or restricting privileges, though these may impact functionality.

Successful exploitation allows unauthenticated remote attackers to fully compromise Oracle Virtual Directory, leading to complete loss of confidentiality, integrity, and availability of the affected product. This can result in takeover of the Oracle Virtual Directory environment.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers should apply the provided security patches as soon as possible. Until patches are applied, risk may be reduced by blocking network protocols required for the attack or removing unnecessary privileges from users, though these measures may disrupt normal application functionality. Patch status is confirmed by the vendor advisory indicating availability of patches in the June 2026 update.