Oracle issues urgent patch for critical RCE flaw in Identity Manager and Web Services Manager


Oracle has released an out-of-band security update for CVE-2026-21992, a critical remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw is severe because Oracle says it can be exploited remotely without authentication, and successful attacks may lead to remote code execution.

The issue affects supported versions 12.2.1.4.0 and 14.1.2.1.0 of both products. Oracle assigned the bug a CVSS v3.1 base score of 9.8, which places it in the highest risk tier for enterprise patching teams.

This matters because both products sit inside Oracle Fusion Middleware deployments that often support identity, access, and web services security in large organizations. Oracle’s advisory says an attacker only needs network access over HTTP and does not need user interaction or prior privileges to exploit the bug.

What Oracle says is affected

Oracle says the vulnerability exists in the REST Web Services component of Oracle Identity Manager and in the Web Services Security component of Oracle Web Services Manager. Oracle’s alert also notes that Web Services Manager is often installed as part of Oracle Fusion Middleware Infrastructure, which can widen exposure in real-world environments.

Affected products and versions

Product                      | Affected component     | Affected versions
Oracle Identity Manager      | REST Web Services      | 12.2.1.4.0, 14.1.2.1.0
Oracle Web Services Manager  | Web Services Security  | 12.2.1.4.0, 14.1.2.1.0

Source: Oracle Security Alert and Oracle verbose risk matrix.

Why CVE-2026-21992 is so dangerous

The core risk comes from how easy the bug appears to be to exploit. Oracle and the CVE record both describe it as remotely exploitable without authentication. NVD also describes it as an easily exploitable vulnerability with network access via HTTP.

Oracle’s verbose risk matrix says successful attacks can result in takeover of Oracle Identity Manager. The NVD entry expands that description to say the flaw can compromise both Oracle Identity Manager and Oracle Web Services Manager.

Key risk details

  • CVE: CVE-2026-21992
  • Severity: Critical
  • CVSS v3.1 score: 9.8
  • Authentication required: No
  • User interaction required: No
  • Attack vector: Network via HTTP
  • Impact: Remote code execution, potential full compromise

These points come from Oracle’s alert, Oracle’s risk matrix, and NVD.

What security teams should do now

Oracle is urging customers to apply the available patches immediately. That should be the first priority, especially for any internet-facing or externally reachable Fusion Middleware deployments.

Organizations should also review whether affected Oracle Identity Manager or Oracle Web Services Manager endpoints are exposed over HTTP or HTTPS. Even if direct internet exposure is limited, internal exposure still matters because unauthenticated network-based flaws can become useful for lateral movement after an initial breach. This is an inference based on Oracle’s exploitability description and the role these products often play in enterprise identity and service security.

Immediate response steps

  • Patch Oracle Identity Manager and Oracle Web Services Manager on supported versions
  • Prioritize internet-facing and externally accessible systems first
  • Review exposed REST Web Services and Web Services Security endpoints
  • Confirm whether Oracle Fusion Middleware Infrastructure deployments include Web Services Manager
  • Upgrade unsupported product versions to supported releases where patching is unavailable

Oracle’s security alert applies to supported versions. Oracle’s security portal also ties patch availability to supported product lines under its normal support framework.
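One way to turn the steps above into a repeatable triage pass, as an added example that is not Oracle's tooling or part of the alert: it scores inventory records against the affected products and versions named in this article, puts internet-facing hosts first, flags Fusion Middleware Infrastructure installs for a Web Services Manager check, and routes unsupported lines to an upgrade. The Asset fields and the inventory records are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Products and versions the Oracle alert names for CVE-2026-21992.
AFFECTED_PRODUCTS = {"Oracle Identity Manager", "Oracle Web Services Manager"}
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.1.0"}
# Installs that often bundle Web Services Manager and therefore need a manual check.
BUNDLING_PRODUCTS = {"Oracle Fusion Middleware Infrastructure"}


@dataclass
class Asset:  # hypothetical inventory record shape, not an Oracle data structure
    host: str
    product: str
    version: str
    internet_facing: bool
    patched: bool = False


def classify(asset: Asset) -> tuple[int, str]:
    """Map one record to (priority, action); a lower number means act sooner."""
    if asset.product not in AFFECTED_PRODUCTS | BUNDLING_PRODUCTS:
        return 9, "out of scope for this alert"
    if asset.patched:
        return 9, "already patched"
    if asset.version not in AFFECTED_VERSIONS:
        # Assumption: only the two named lines are supported, so the alert's patch
        # does not apply and an upgrade has to come first.
        return 3, "unsupported version: upgrade to a supported release before patching"
    note = "confirm Web Services Manager is installed, then " if asset.product in BUNDLING_PRODUCTS else ""
    if asset.internet_facing:
        return 1, note + "patch now (internet-facing)"
    return 2, note + "patch next (internal exposure still enables lateral movement)"


def triage(assets: list[Asset]) -> list[tuple[int, str, str]]:
    """Return [(priority, host, action)] with the most urgent hosts first."""
    rows = [(classify(a)[0], a.host, classify(a)[1]) for a in assets]
    return sorted(rows, key=lambda r: (r[0], r[1]))


INVENTORY = [  # constructed sample records, not real hosts
    Asset("oim-dmz-01", "Oracle Identity Manager", "14.1.2.1.0", True),
    Asset("oim-int-02", "Oracle Identity Manager", "12.2.1.4.0", False),
    Asset("owsm-int-03", "Oracle Web Services Manager", "12.2.1.4.0", False),
    Asset("legacy-oim-04", "Oracle Identity Manager", "11.1.2.3.0", False),
    Asset("fmw-infra-05", "Oracle Fusion Middleware Infrastructure", "12.2.1.4.0", True),
    Asset("db-06", "Oracle Database", "19.0.0.0.0", False),
]

if __name__ == "__main__":
    for priority, host, action in triage(INVENTORY):
        print(f"P{priority} {host:14} {action}")
```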

Why this alert stands out

Oracle normally packages many fixes into its regular Critical Patch Update cycle, so an out-of-band security alert usually signals a more urgent situation. Oracle’s security portal lists CVE-2026-21992 as a standalone alert, and Oracle’s security blog separately announced the release of the alert and highlighted the 9.8 score and remote code execution risk.

That does not automatically confirm active exploitation, and the excerpt of Oracle’s public advisory page cited here does not explicitly say the flaw is being exploited in the wild. Still, the out-of-band nature of the release and the exploitability details make this a high-priority patching event for affected customers.

FAQ

What is CVE-2026-21992?

CVE-2026-21992 is a critical Oracle Fusion Middleware vulnerability that affects Oracle Identity Manager and Oracle Web Services Manager. Oracle says it may allow remote code execution without authentication.

Which Oracle products are affected?

Oracle Identity Manager and Oracle Web Services Manager are affected. Oracle lists supported versions 12.2.1.4.0 and 14.1.2.1.0 for both products.

How severe is the flaw?

Oracle assigned the vulnerability a CVSS v3.1 base score of 9.8. That score reflects a critical severity level.

Does the attacker need credentials?

No. Oracle and NVD both describe the flaw as exploitable without authentication.

What should organizations do first?

Apply Oracle’s patch immediately and prioritize exposed systems first. Teams should also review endpoint exposure and upgrade unsupported deployments where necessary.
