Oracle pushes emergency fix for critical Identity Manager RCE flaw

Oracle released an out-of-band security update to address a critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-21992, in Oracle Identity Manager and Oracle Web Services Manager. The flaw is remotely exploitable over HTTP and carries a CVSS v3.1 score of 9.8. Oracle urges immediate patching for supported versions but declined to comment on whether the vulnerability has been exploited. #OracleIdentityManager #OracleWebServicesManager

Keypoints

  • Oracle issued an out-of-band Security Alert fixing CVE-2026-21992, an unauthenticated RCE in Identity Manager and Web Services Manager.
  • The vulnerability has a CVSS v3.1 score of 9.8 and is remotely exploitable over HTTP without authentication or user interaction.
  • Affected versions include Identity Manager and Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
  • Oracle strongly recommends applying the provided patches or mitigations immediately; fixes via the Security Alert are only for versions under Premier or Extended Support.
  • Oracle declined to say whether the flaw has been exploited, leaving uncertainty about active attacks against exposed servers.

Read More: https://www.bleepingcomputer.com/news/security/oracle-pushes-emergency-fix-for-critical-identity-manager-rce-flaw/