Oracle released an emergency out‑of‑band patch for a critical unauthenticated remote code execution vulnerability tracked as CVE‑2026‑21992 that affects Oracle Identity Manager and Oracle Web Services Manager. Organizations should apply the Security Alert patches immediately for supported versions to mitigate the high‑severity risk posed by remote attackers.
Key points
- Oracle issued an out‑of‑band Security Alert to fix CVE‑2026‑21992, a critical RCE vulnerability.
- The flaw can be exploited without authentication over HTTP to achieve remote code execution.
- Affected versions are Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, and Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
- Patches are available only for releases under Premier or Extended Support, so unsupported instances must be upgraded to receive fixes.
- No confirmed in‑the‑wild exploitation has been disclosed, but identity management systems are high‑value targets and should be prioritized for patching.
Read More: https://thecyberexpress.com/oracle-identity-manager-cve-2026-21992-patch/