This vulnerability affects Oracle Enterprise Manager's APM - Application Performance Management component (versions 13.5 and 24.1). It is exploitable remotely without authentication over HTTP, allowing attackers to manipulate critical data or cause denial of service by crashing or hanging the application. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) reflects network attack vector, low attack complexity, no privileges or user interaction required, with high impact on integrity and availability but no confidentiality impact. Oracle's June 2026 Critical Security Patch Update includes fixes for this vulnerability. No known exploits in the wild have been reported yet. Oracle strongly recommends applying the patches immediately to prevent exploitation.

An unauthenticated remote attacker can exploit this vulnerability to gain unauthorized ability to create, delete, or modify critical data within the APM product. Additionally, the attacker can cause the application to hang or crash repeatedly, resulting in a complete denial of service. The integrity and availability of the affected system are severely impacted, while confidentiality is not affected.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability among others. Customers should apply the official patches from Oracle without delay. Until patches are applied, risk may be reduced by blocking network protocols required for the attack or by removing unnecessary privileges from users, though these may impact functionality. Oracle strongly recommends remaining on actively supported versions and promptly applying security patches as detailed in the advisory at https://www.oracle.com/security-alerts/cspujun2026.html.