On Monday the United States Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-35587, a critical-severity flaw in Oracle Fusion Middleware, to its Known Exploited Vulnerabilities catalog. The vulnerability affects Oracle Access Manager (OAM) versions 188.8.131.52.0, 184.108.40.206.0, and 220.127.116.11.0, and CISA reports evidence of active exploitation. The CVE was first published in January 2022 and was addressed that same month in a Critical Patch Update.
A proof-of-concept (PoC) exploit has been publicly available since at least March 2022, so organizations running vulnerable versions of OAM should patch as soon as their patch management program allows. Because the exploit has been public for so long, it is reasonable to assume active exploitation has been taking place since then, and any OAM system that remained unpatched during that period should be treated as potentially compromised.