CVE-2026-46855
Oracle · Enterprise Manager
A critical vulnerability in the Metadata Plugin of Oracle Enterprise Manager allows low-privileged attackers to achieve full platform takeover via HTTPS.
Executive summary
A critical vulnerability in the Oracle Enterprise Manager Metadata Plugin (versions 13.5 and 24.1) allows a low-privileged attacker with network access over HTTPS to achieve complete compromise of the Enterprise Manager Base Platform.
Vulnerability
This vulnerability resides in the Metadata Plugin component and allows a low-privileged attacker with network access to use HTTPS requests to compromise the Oracle Enterprise Manager Base Platform. The CVSS vector records a scope change: a successful exploit affects components beyond the Metadata Plugin itself, so the impact can extend to systems connected to or managed by Enterprise Manager.
Business impact
With a CVSS score of 9.9, this vulnerability represents an imminent risk of total platform compromise. Attackers could manipulate metadata configurations to gain elevated privileges, resulting in unauthorized access to sensitive data and the potential for a full-scale breach of the managed environment.
Remediation
Immediate Action: Update Oracle Enterprise Manager to the version specified in the June 2026 Critical Security Patch Update.
Proactive Monitoring: Monitor HTTPS traffic logs for irregular activity targeting the Metadata Plugin and alert on any unauthorized configuration changes.
Compensating Controls: Ensure the Enterprise Manager interface is protected by robust network access controls and consider temporary restrictive firewall policies for the affected HTTPS endpoints.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical nature of this vulnerability, immediate remediation is required. Administrators must apply the June 2026 security patches to all affected versions of Oracle Enterprise Manager to prevent unauthorized platform compromise.