Oracle Issues Rare Out-of-Band Patch for Critical CVE-2026-21992 RCE in Identity Manager

Oracle has released an emergency out-of-band security patch for a critical unauthenticated remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. Tracked as CVE-2026-21992 with a CVSS v3.1 score of 9.8, this flaw allows attackers to achieve full system compromise over HTTP without any authentication.

The Vulnerability

CVE-2026-21992 impacts two critical Oracle Fusion Middleware products:

  • Oracle Identity Manager – Enterprise identity and access management solution
  • Oracle Web Services Manager – Security and management controls for web services

The affected versions include:

  • Oracle Identity Manager: 12.2.1.4.0 and 14.1.2.1.0
  • Oracle Web Services Manager: 12.2.1.4.0 and 14.1.2.1.0

According to Oracle’s advisory, the vulnerability is of low complexity, remotely exploitable over HTTP, and requires no authentication or user interaction. In Oracle Identity Manager, the affected component is REST WebServices; in Oracle Web Services Manager, it’s the Web Services Security component.

Why This Out-of-Band Alert Matters

Oracle rarely issues out-of-band Security Alerts, reserving them for vulnerabilities too critical to wait for the quarterly Critical Patch Update (CPU) cycle. Since 2010, Oracle has issued only approximately 31 Security Alerts, averaging about two per year. The decision to release CVE-2026-21992 outside the regular patch cycle—with the next scheduled CPU in April 2026—signals elevated risk.

Notably, this is only the second out-of-band Security Alert Oracle has ever issued for Oracle Identity Manager. The first, CVE-2017-10151, was a CVSS 10.0 default account vulnerability that allowed complete compromise of Identity Manager via an unauthenticated network attack.

Connection to Known Exploited Vulnerability

The urgency may be related to CVE-2025-61757, a pre-authentication RCE in Oracle Identity Manager that was:

  • Patched in Oracle’s October 2025 CPU
  • Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in November 2025
  • Described by researchers at Searchlight Cyber as “somewhat trivial and easily exploitable by threat actors”

Both vulnerabilities affect the same product, component (REST WebServices), and versions, though Oracle has not confirmed whether they are related. Oracle has also not disclosed whether CVE-2026-21992 has been exploited in the wild and declined to comment when asked about its exploitation status.

Historical Exploitation of Oracle Fusion Middleware

Oracle Fusion Middleware has six vulnerabilities in CISA’s KEV catalog, including the recently added CVE-2025-61757. Organizations using Oracle Identity Manager should treat this patch with high priority given the historical pattern of exploitation targeting this product line.

Recommendations

  1. Apply patches immediately – Oracle strongly recommends applying updates as soon as possible
  2. Verify affected versions – Check if you’re running Identity Manager or Web Services Manager versions 12.2.1.4.0 or 14.1.2.1.0
  3. Monitor for exploitation – Review logs for suspicious HTTP requests to REST WebServices endpoints
  4. Network segmentation – Limit exposure of Oracle Identity Manager interfaces to trusted networks
  5. Check Premier/Extended Support status – Patches are only available for versions under active support; older unsupported versions may remain vulnerable
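As an added triage helper for recommendations 2 through 4 (example code, not from Oracle's alert or any of the cited sources): it checks an installed version against the two affected versions, then runs constructed access-log lines through a filter that flags requests to the REST WebServices component arriving from outside the trusted networks. The `/iam/governance/` path prefix, the log format and the sample lines are assumptions; the alert names the component, not its URL paths.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Versions the alert lists as affected for both Identity Manager and Web Services Manager.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.1.0"}

# Assumed URL prefix for the REST WebServices component (the alert names the
# component, not a path); replace with the prefixes your deployment exposes.
REST_PREFIXES = ("/iam/governance/",)

# Common/combined access-log line, e.g. from a WebLogic or reverse-proxy log (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: one internal request, two from a public (untrusted) address.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:01:02 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 512
203.0.113.7 - - [01/Mar/2026:10:01:09 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 500 0
203.0.113.7 - - [01/Mar/2026:10:01:11 +0000] "GET /identity/ HTTP/1.1" 302 0
"""

def is_affected(version: str) -> bool:
    """True if the installed version string is one the alert lists as affected."""
    return version.strip() in AFFECTED_VERSIONS

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines: Iterable[str], trusted_cidrs: Iterable[str]) -> List[Dict[str, str]]:
    """Return REST WebServices requests whose source address is outside the trusted networks."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(REST_PREFIXES):
            continue
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed source field: skip the line rather than abort the sweep
        if not any(src in net for net in trusted):
            flagged.append(rec)
    return flagged
```

Any hit returned by `triage` is a request to the REST component from a network that should not reach it at all, which is the segmentation gap recommendation 4 closes and the first place to look when reviewing logs for recommendation 3.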

Organizations relying on Oracle Identity Manager for enterprise identity and access management should prioritize this patch. The combination of pre-authentication RCE, low attack complexity, and Oracle’s rare decision to issue an out-of-band alert indicates significant risk for exposed systems.

Source: BleepingComputer | Tenable | Oracle Security Alert