Oracle released out-of-band patches to address a critical remote code execution vulnerability in Identity Manager and Web Services Manager. The flaw, tracked as CVE-2026-21992 with a CVSS score of 9.8, affects REST WebServices and Web Services Security and can be exploited by an unauthenticated attacker; Oracle has not confirmed in-the-wild exploitation.
Key points
- Oracle issued emergency patches for Identity Manager and Web Services Manager.
- The vulnerability is identified as CVE-2026-21992 and carries a CVSS score of 9.8.
- The flaw impacts the REST WebServices component of Identity Manager and Web Services Security in Web Services Manager.
- An unauthenticated attacker with HTTP access can achieve remote code execution and takeover.
- Oracle has not confirmed active exploitation, though similar Oracle zero-days have been abused in past incidents.