Oracle released an out-of-band security update to address a critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-21992, in Oracle Identity Manager and Oracle Web Services Manager. The flaw is remotely exploitable over HTTP and carries a CVSS v3.1 score of 9.8. Oracle urges immediate patching for supported versions but declined to comment on whether the vulnerability has been exploited. #OracleIdentityManager #OracleWebServicesManager
Key points
- Oracle issued an out-of-band Security Alert fixing CVE-2026-21992, an unauthenticated RCE in Identity Manager and Web Services Manager.
- The vulnerability has a CVSS v3.1 score of 9.8 and is remotely exploitable over HTTP without authentication or user interaction.
- Affected versions include Identity Manager and Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
- Oracle strongly recommends applying the provided patches or mitigations immediately; fixes via the Security Alert are only for versions under Premier or Extended Support.
- Oracle declined to say whether the flaw has been exploited, leaving uncertainty about active attacks against exposed servers.