Oracle Releases Emergency Patch for Critical RCE Vulnerability CVE-2026-21992 in Identity Manager

  • Mar 22
  • 2 min read

Key Findings


  • Oracle released an emergency patch for CVE-2026-21992, a critical remote code execution vulnerability in Identity Manager and Web Services Manager

  • The flaw has a CVSS score of 9.8 and requires no authentication, allowing attackers to execute code over HTTP

  • Affected versions are Identity Manager 12.2.1.4.0 and 14.1.2.1.0, plus Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0

  • Oracle classified the vulnerability as "easily exploitable" with low complexity

  • No confirmation yet of active exploitation in the wild, though previous similar flaws in Oracle Fusion Middleware have been actively targeted


Background


Oracle Identity Manager handles identity and access management across enterprise environments, while Oracle Web Services Manager secures and manages web services. These are critical infrastructure components for many organizations. The vulnerability was patched through Oracle's out-of-band Security Alert program, which handles critical or actively exploited issues outside the regular patch cycle. Oracle emphasized that patches through this program are only available for versions under Premier or Extended Support.


The Vulnerability Details


CVE-2026-21992 enables unauthenticated attackers to achieve remote code execution through HTTP requests. The flaw requires no user interaction and can be exploited by anyone with network access to an exposed Identity Manager or Web Services Manager instance. This combination of factors makes it particularly dangerous, as attackers don't need valid credentials or social engineering to compromise systems.


Urgency of the Patch


Oracle strongly recommended immediate patching, emphasizing that customers should apply the updates as soon as possible. The company reiterated its standard guidance that organizations remain on actively supported versions and apply all security updates without delay. The out-of-band release indicates Oracle views this as a significant threat requiring an accelerated response compared to standard patch cycles.


Historical Context


This vulnerability follows a similar pattern from November 2025, when CISA added CVE-2025-61757 to its Known Exploited Vulnerabilities catalog. That flaw also affected Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 and allowed pre-authentication remote code execution. SANS researchers documented honeypot activity showing multiple exploitation attempts in August and September 2025 targeting that earlier flaw, weeks before Oracle released patches, suggesting active zero-day exploitation. Attackers used consistent user agents across different IP addresses, indicating coordinated attack activity.
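The honeypot observation above (one user-agent string reused across many source IPs) is a simple signal defenders can check for in their own web-server logs in front of Identity Manager or Web Services Manager. The script below is an added example, not code from the original post, from Oracle, or from SANS: it parses a few constructed access-log lines in the common combined format and reports user agents seen from at least a threshold number of distinct IPs, together with request and error counts. All IPs, paths and user-agent strings are invented for illustration and are not indicators associated with either CVE.

```python
import re
from collections import defaultdict

# Constructed sample log lines (combined log format). Every IP, path and
# user agent here is invented for this example; none is a published indicator.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2025:10:00:01 +0000] "POST /app/login HTTP/1.1" 500 0 "-" "ScannerUA/1.0"
198.51.100.7 - - [01/Sep/2025:10:00:05 +0000] "POST /app/login HTTP/1.1" 500 0 "-" "ScannerUA/1.0"
192.0.2.44 - - [01/Sep/2025:10:00:09 +0000] "POST /app/login HTTP/1.1" 403 0 "-" "ScannerUA/1.0"
203.0.113.11 - - [01/Sep/2025:10:01:00 +0000] "GET /app/console HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Sep/2025:10:02:00 +0000] "GET /app/console HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
not a log line at all
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_by_user_agent(lines):
    """Aggregate per user agent: distinct source IPs, request count, non-2xx/3xx count."""
    summary = defaultdict(lambda: {"ips": set(), "requests": 0, "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the whole pass
        entry = summary[rec["ua"]]
        entry["ips"].add(rec["ip"])
        entry["requests"] += 1
        if rec["status"][0] not in ("2", "3"):
            entry["errors"] += 1
    # freeze the IP sets into sorted lists so results are deterministic
    return {
        ua: {"ips": sorted(e["ips"]), "requests": e["requests"], "errors": e["errors"]}
        for ua, e in summary.items()
    }


def flag_coordinated(summary, min_ips=3):
    """Return user agents seen from at least `min_ips` distinct IPs (the honeypot pattern)."""
    return {ua: e for ua, e in summary.items() if len(e["ips"]) >= min_ips}


if __name__ == "__main__":
    flagged = flag_coordinated(summarize_by_user_agent(SAMPLE_LOG.splitlines()))
    for ua, e in flagged.items():
        print(f'{ua!r}: {len(e["ips"])} IPs, {e["requests"]} requests, {e["errors"]} errors')
```

The threshold of three distinct IPs is a starting point for a small environment; on a busy internet-facing instance a real deployment would raise it and restrict the check to the request paths the product actually serves, so that ordinary browser user agents do not dominate the output.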


Sources


  • https://securityaffairs.com/189796/security/oracle-fixes-critical-rce-flaw-cve-2026-21992-in-identity-manager.html

  • https://www.bleepingcomputer.com/news/security/oracle-pushes-emergency-fix-for-critical-identity-manager-rce-flaw/

  • https://thehackernews.com/2026/03/oracle-patches-critical-cve-2026-21992.html

  • https://www.instagram.com/p/DWJblaKD5wE/

  • https://www.linkedin.com/posts/the-cyber-security-hub_oracle-pushes-emergency-fix-for-critical-activity-7440832338323853312-3edS
