CVE-2026-46858: Oracle APM: unauthenticated write/DoS via JVM Diagnostics

CRITICAL
Published June 16, 2026
CISO Take

Oracle Enterprise Manager APM versions 13.5 and 24.1 contain a critical unauthenticated vulnerability in the JADM/JVM Diagnostics component. Any attacker with HTTP network access to the component can create, modify or delete APM data and force a hang or repeatable crash of the service; no data is disclosed (confidentiality impact is None). The CVSS 9.1 score reflects the worst-case exploitability profile: no credentials, no user interaction, low complexity and network reachability, so any exposed instance can be attacked without specialized tooling. Where APM is used to monitor JVM-based inference services and training pipelines, blinding this layer lets an adversary mask anomalous model behavior or cover lateral movement while defenders remain unaware. No public exploit or KEV listing exists at publication, but with no authentication bar the window before weaponization is likely to be short. Apply Oracle's June 2026 Critical Patch Update and keep APM management interfaces reachable only from trusted management segments (firewall ACLs or VPN).

Sources: NVD, MITRE ATLAS

What is the risk?

Critical risk for any organization with Oracle APM exposed on a network-accessible segment. Zero authentication requirement combined with low attack complexity places exploitation within reach of automated scanners and commodity threat actors, not just targeted adversaries. The dual integrity-and-availability impact means an attacker can both corrupt the monitoring record (destroying audit trail integrity) and cause complete service outage. In AI/ML operations contexts, loss of APM visibility is operationally dangerous because anomalous inference latency, memory spikes during adversarial input attacks, or training pipeline anomalies go undetected. The absence of confidentiality impact in the CVSS vector does not eliminate risk—corrupted or deleted telemetry can be as damaging as stolen data when it masks active compromise.

How does the attack unfold?

Reconnaissance
Attacker scans the target network for exposed Oracle Enterprise Manager APM HTTP endpoints (JADM/JVM Diagnostics service) using automated port and service scanners.
AML.T0006
Initial Access
Attacker sends unauthenticated HTTP requests directly to the JADM component on APM 13.5 or 24.1; the component accepts them without any authentication, so no credentials or bypass are needed.
AML.T0049
Impact: Data Manipulation
Attacker modifies or deletes critical APM monitoring records for AI/ML workloads, destroying performance baselines and audit trails covering model serving and training pipeline activity.
AML.T0025
Impact: Denial of Service
Attacker triggers repeated crashes of the APM service, blinding defenders to anomalous AI workload behavior and creating a persistent observability gap during subsequent attack phases.
AML.T0029

What systems are affected?

Product: Oracle Enterprise Manager, APM - Application Performance Management (component: JADM, JVM Diagnostics)
Vulnerable versions: 13.5 and 24.1 (the supported versions Oracle lists as affected)
Patched in: Oracle Critical Patch Update, June 2026

Do you run Oracle Enterprise Manager APM 13.5 or 24.1? You're affected.

How severe is it?

CVSS 3.1
9.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. Apply Oracle Critical Patch Update June 2026 immediately for APM 13.5 and 24.1 (see https://www.oracle.com/security-alerts/cspujun2026.html).

  2. Until patched, restrict HTTP access to JADM/JVM Diagnostics ports via firewall ACLs to management VLANs only—no internet or broad internal exposure.

  3. Place Oracle Enterprise Manager consoles behind VPN or zero-trust network access control.

  4. Enable APM audit logging and alert on unexpected deletion of monitoring data or on configuration changes, as a compensating control while patching is in progress.

  5. Inventory all APM instances across environments (prod, staging, dev); a staging APM that monitors dev AI workloads is just as exploitable as a production one.

  6. Verify the patch with a follow-up check of the JADM HTTP endpoint: unauthenticated requests should now be refused. Use read-only requests for this check and do not exercise write paths against a production instance.
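Step 6, as an added example that is not part of this page or of Oracle's tooling: a probe that sends read-only unauthenticated requests to an APM endpoint and classifies the outcome. The base URL, port and paths are operator-supplied placeholders; the Oracle advisory quoted on this page names no port or path, and the classification rule (401/403 or a redirect to a login page means authentication is enforced, a 2xx means the request was accepted anonymously) is an assumption stated in the code, not documented APM behaviour.

```python
"""Post-patch authentication check for an HTTP endpoint (added example).

Assumptions (not from the Oracle advisory or this page):
  * BASE_URL and the paths are placeholders the operator supplies;
  * HTTP 401/403, or a redirect whose Location looks like a login page, means
    the endpoint now demands credentials; a 2xx means it does not;
  * only GET and HEAD are sent, so the probe never exercises a write path.
"""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class Verdict:
    label: str    # "auth_enforced" | "exposed" | "inconclusive" | "unreachable"
    detail: str


def classify(status: Optional[int], location: str = "", error: str = "") -> Verdict:
    """Map one unauthenticated probe outcome to a remediation verdict."""
    if status is None:
        return Verdict("unreachable", error or "no HTTP response")
    if status in (401, 407):
        return Verdict("auth_enforced", f"HTTP {status}: credentials required")
    if status == 403:
        return Verdict("auth_enforced", "HTTP 403: refused without credentials")
    if 300 <= status < 400 and "login" in location.lower():
        return Verdict("auth_enforced", f"HTTP {status}: redirected to login at {location}")
    if 200 <= status < 300:
        # The whole point of the CVE: the component served an anonymous request.
        return Verdict("exposed", f"HTTP {status}: unauthenticated request accepted")
    if status == 404:
        return Verdict("inconclusive", "HTTP 404: path not served here; check the endpoint path")
    return Verdict("inconclusive", f"HTTP {status}")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, method: str = "GET", timeout: float = 5.0) -> Verdict:
    """Send one unauthenticated, read-only request and classify the response."""
    if method not in ("GET", "HEAD"):
        raise ValueError("read-only probe: only GET and HEAD are allowed")
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method=method,
                                 headers={"User-Agent": "apm-auth-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location", ""))
    except urllib.error.HTTPError as e:
        loc = e.headers.get("Location", "") if e.headers is not None else ""
        return classify(e.code, loc)
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return classify(None, error=str(e))


def check_endpoint(base_url: str, paths: list) -> dict:
    """Probe every path with GET and HEAD; return {label: count} for the run."""
    counts = {}
    base = base_url.rstrip("/")
    for path in paths:
        for method in ("GET", "HEAD"):
            v = probe(f"{base}{path}", method)
            print(f"{method:4} {base}{path} -> {v.label}: {v.detail}")
            counts[v.label] = counts.get(v.label, 0) + 1
    return counts


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: apm_auth_check.py BASE_URL [PATH ...]  (placeholders, e.g. https://apm.example.internal:PORT /)")
    result = check_endpoint(sys.argv[1], sys.argv[2:] or ["/"])
    # Non-zero exit if anything was served anonymously, so this can gate a change ticket.
    sys.exit(1 if result.get("exposed") else 0)
```

Run it from the same network position an attacker would have (not from a host that is already whitelisted on the management ACL), otherwise an "unreachable" verdict only proves step 2 is working, not that the patch is applied.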

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 12 - Record-keeping and logging
ISO 42001
9.1 - Monitoring, measurement, analysis and evaluation
NIST AI RMF
MANAGE 1.3 - Responses to the AI risks deemed high priority are developed
MEASURE 2.5 - AI system to be deployed is demonstrated to be valid and reliable

Frequently Asked Questions

What is CVE-2026-46858?

CVE-2026-46858 is a critical (CVSS 3.1 base score 9.1) vulnerability in the JADM/JVM Diagnostics component of Oracle Enterprise Manager APM versions 13.5 and 24.1. An unauthenticated attacker with HTTP network access can create, modify or delete APM data and cause a hang or frequently repeatable crash of the service; confidentiality is not affected. It is fixed in Oracle's June 2026 Critical Patch Update. See the CISO Take above for the operational context.

Is CVE-2026-46858 actively exploited?

No confirmed active exploitation of CVE-2026-46858 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46858?

1. Apply Oracle Critical Patch Update June 2026 immediately for APM 13.5 and 24.1 (see https://www.oracle.com/security-alerts/cspujun2026.html).
2. Until patched, restrict HTTP access to JADM/JVM Diagnostics ports via firewall ACLs to management VLANs only, with no internet or broad internal exposure.
3. Place Oracle Enterprise Manager consoles behind VPN or zero-trust network access control.
4. Enable APM audit logging and alert on unexpected deletion of monitoring data or on configuration changes, as a compensating control while patching is in progress.
5. Inventory all APM instances across environments (prod, staging, dev); a staging APM that monitors dev AI workloads is just as exploitable as a production one.
6. Verify the patch with a follow-up check of the JADM HTTP endpoint: unauthenticated requests should now be refused. Use read-only requests for this check and do not exercise write paths against a production instance.

What systems are affected by CVE-2026-46858?

This vulnerability affects the following AI/ML architecture patterns: MLOps monitoring and observability stacks, JVM-based model serving infrastructure, Enterprise AI training pipeline orchestration, Java-based agent frameworks with APM instrumentation.

What is the CVSS score for CVE-2026-46858?

CVE-2026-46858 has a CVSS v3.1 base score of 9.1 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

MLOps monitoring and observability stacks
JVM-based model serving infrastructure
Enterprise AI training pipeline orchestration
Java-based agent frameworks with APM instrumentation

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means (mapped to the data-manipulation stage above; a loose fit, since the CVSS vector records no confidentiality impact and the observed effect is integrity loss, not exfiltration)
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 12
ISO 42001: 9.1
NIST AI RMF: MANAGE 1.3, MEASURE 2.5

What are the technical details?

Original Advisory

Vulnerability in the APM - Application Performance Management product of Oracle Enterprise Manager (component: JADM, JVM Diagnostics). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise APM - Application Performance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all APM - Application Performance Management accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of APM - Application Performance Management. CVSS 3.1 Base Score 9.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

Exploitation Scenario

An adversary performing reconnaissance against an enterprise's AI infrastructure identifies an Oracle APM instance whose JADM HTTP port is reachable (this scenario assumes port 4473; the advisory does not name a port) via automated scanning. Without any credentials, the attacker sends crafted HTTP requests to the JVM Diagnostics API, deleting historical performance baselines for GPU-accelerated model serving nodes. With monitoring data erased, the adversary pivots to the underlying JVM processes, now invisible to defenders, and begins probing for further lateral movement. In a more disruptive scenario, the attacker issues repeated requests that trigger the 'hang or frequently repeatable crash' condition, causing sustained DoS of the APM infrastructure precisely before or during a coordinated attack on the AI workloads it monitors.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 17, 2026
