Oracle has released security updates to fix a critical, remotely exploitable vulnerability (CVE-2026-21992) in Oracle Identity Manager and Oracle Web Services Manager that could allow unauthenticated remote code execution. Oracle and the NVD warn the flaw is easily exploitable over HTTP and urge affected users to apply the updates immediately.
Key points
- CVE-2026-21992 is a critical remote code execution vulnerability with a CVSS score of 9.8.
- The flaw is remotely exploitable without authentication via HTTP, according to Oracle and the NVD.
- Impacted versions include Oracle Identity Manager and Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
- Oracle advises immediate application of the security updates, although no in-the-wild exploitation has been reported for this CVE.
- In November 2025, CISA added a related pre-auth RCE (CVE-2025-61757) affecting Oracle Identity Manager to the KEV list due to active exploitation.
Read More: https://thehackernews.com/2026/03/oracle-patches-critical-cve-2026-21992.html