Oracle Patches CVE-2026-21992 Critical RCE in Identity Manager

By alex2404

A CVSS score of 9.8 out of 10.0 is not a number that leaves room for interpretation. That is where this story starts.

Oracle has patched a critical vulnerability, tracked as CVE-2026-21992, affecting Oracle Identity Manager and Oracle Web Services Manager. According to the advisory, the flaw is “remotely exploitable without authentication” and, if triggered, “may result in remote code execution.”

The description filed in the NIST National Vulnerability Database goes further, classifying it as “easily exploitable.” An unauthenticated attacker with network access via HTTP could compromise both products and achieve a full takeover of susceptible instances.

No credentials required. No foothold needed first.

Oracle has not disclosed which specific product versions are affected beyond confirming that both Identity Manager and Web Services Manager fall within scope. The company says it has found no evidence the vulnerability has been exploited in the wild, though it has urged customers to apply the update “without delay for optimal protection.” That phrasing, in an official Oracle advisory, carries weight — the company rarely uses language that direct.

Context That Matters

This is not the first time Oracle Identity Manager has sat at the center of a critical, unauthenticated remote code execution disclosure. In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-61757 — also carrying a CVSS score of 9.8 — to its Known Exploited Vulnerabilities catalog. That flaw was a pre-authenticated remote code execution vulnerability in the same product, added after CISA identified evidence of active exploitation in the field.

Two separate critical unauthenticated RCE vulnerabilities in Oracle Identity Manager, both scored at 9.8, within a narrow window. The pattern matters for organizations that have delayed patching cycles or treat identity management infrastructure as lower-priority than perimeter defenses. Identity Manager sits at the core of enterprise access control — a compromised instance hands an attacker the keys to user provisioning, role assignments, and system access across the entire environment it manages.

What Organizations Should Do

Oracle’s guidance is unambiguous: patch immediately.

The security update is available through Oracle’s standard patch distribution channels. Given the prior exploitation of a nearly identical vulnerability class in the same product family, and CISA’s documented history of tracking Oracle Identity Manager flaws as actively weaponized, organizations running affected versions of either product should treat this as a priority deployment, not a scheduled maintenance item.

Oracle has released the fix. The window between disclosure and active exploitation, based on the November 2025 precedent, closed faster than most patching cycles allow.

Photo by Kirill Sh on Unsplash

This article is a curated summary based on third-party sources.
