Cyber Resilience

CVE-2022-21445

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 19 April 2022
Modified: 27 October 2025
KEV Added: 18 September 2024
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9203 (99.7th percentile)
Risk Priority: 95 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-21445 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Oracle Application Development Framework. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2022-21445 is a deserialization vulnerability in the ADF Faces component of Oracle Application Development Framework within Oracle Fusion Middleware. It affects versions 12.2.1.3.0 and 12.2.1.4.0, which are obtained through the Oracle JDeveloper product. The flaw carries a CVSS 3.1 base score of 9.8 and permits remote code execution that can fully compromise the ADF runtime.

An unauthenticated attacker with network access over HTTP can exploit the issue without user interaction. Successful exploitation grants complete control over the affected ADF instance, resulting in loss of confidentiality, integrity, and availability.

Oracle's April 2022 Critical Patch Update addresses the vulnerability and directs administrators to the Fusion Middleware Patch Advisor for remediation details. The CVE is also listed in CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score remains elevated near 0.92; it has stayed high rather than climbing from a low baseline after disclosure.

EU & UK References

Vulnerability details

Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). Note: Oracle Application Development Framework (ADF) is downloaded via Oracle JDeveloper Product. Please refer to Fusion Middleware Patch Advisor for more details. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 18 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Oracle
Product: Application Development Framework
Versions: 12.2.1.3.0, 12.2.1.4.0

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent: Directly requires timely application of the April 2022 Oracle Critical Patch Update that eliminates the deserialization flaw in ADF Faces 12.2.1.3.0/12.2.1.4.0.

Input validation, prevent: Requires validation of untrusted HTTP input before deserialization, blocking the unauthenticated attacker-supplied payload that leads to ADF takeover.

SC-7 (Boundary Protection), prevent: Enforces boundary protections (e.g., WAF rules or network ACLs) that can restrict or inspect unauthenticated HTTP traffic targeting the vulnerable ADF component.

References