Oracle has issued an emergency out-of-band Security Alert for CVE-2026-21992, a critical unauthenticated remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager with a CVSS 3.1 base score of 9.8. The patch was released on March 19, 2026, outside Oracle's regular quarterly Critical Patch Update cycle, a step Oracle reserves for vulnerabilities it deems too severe to wait for a scheduled release. The flaw requires no credentials and no user interaction; an attacker needs only HTTP network access to the affected endpoint. A successful attack results in full remote code execution on the target server. Oracle is strongly urging all customers to apply the patch immediately. The alert carries particular urgency because CVE-2025-61757, a nearly identical vulnerability in the same component of the same product, was actively exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalog in November 2025.
Affected products
- Oracle Identity Manager 12.2.1.4.0 — REST WebServices component
- Oracle Identity Manager 14.1.2.1.0 — REST WebServices component
- Oracle Web Services Manager 12.2.1.4.0 — Web Services Security component
- Oracle Web Services Manager 14.1.2.1.0 — Web Services Security component
- Older unsupported versions — not tested but likely affected per Oracle's warning
How to Fix
Step-by-step remediation
Oracle has released the patch via its Security Alert program. The patch documentation reference is KB878741 under Fusion Middleware, covering both Oracle Identity Manager and Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0.
- Obtain the patch through Oracle Support at support.oracle.com. Patches are provided only for versions under Premier Support or Extended Support per Oracle's Lifetime Support Policy; organisations on unsupported end-of-life versions must upgrade to a supported release before the patch can be applied.
- Until the patch is in place, restrict HTTP and HTTPS access to the REST WebServices and Web Services Security endpoints at the network perimeter. This is a mitigation, not a fix: it limits who can reach the vulnerable code but does not remove it. These endpoints should not be exposed to untrusted networks under any circumstances, patched or not.
- Apply the patch to every Oracle Home hosting OIM or OWSM, including every node of a cluster, and confirm that it is listed in the OPatch inventory (opatch lsinventory) on each one.
- After patching, conduct a retrospective review of authentication attempts and unusual HTTP requests to OIM REST endpoints going back to at least November 2025, the period when CVE-2025-61757 was actively exploited in the same component. Any request to these endpoints from an untrusted source is worth investigating, whether or not it returned an error.
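The perimeter restriction and the retrospective log review above are two sides of the same rule: watched endpoints may only be reached from trusted networks. The script below, an added example written for this page and not Oracle's code, expresses that rule as a policy check and replays it over web-tier access logs to surface what it would have blocked. The URL prefixes (/iam/governance/ for the OIM REST API, /wsm-pm/ for OWSM), the trusted CIDR ranges, the combined log format and the sample log lines are all assumptions constructed for the example; adjust them to your deployment.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumed URL prefixes for the affected components (not taken from the advisory):
# the OIM REST API under /iam/governance/ and OWSM under /wsm-pm/. Adjust to the
# paths your web tier actually serves.
WATCHED_PREFIXES = ("/iam/governance/", "/wsm-pm/")

# Assumed trusted networks: the segments from which administrators and
# integration hosts legitimately reach the REST tier.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Start of the review window: CVE-2025-61757 was being exploited in November 2025.
SINCE = datetime(2025, 11, 1, tzinfo=timezone.utc)

# Apache / Oracle HTTP Server "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic); reserved documentation
# address ranges stand in for internet sources.
SAMPLE_LOG = """\
10.20.30.40 - - [03/Dec/2025:09:12:01 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [18/Nov/2025:02:41:55 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications HTTP/1.1" 200 8831 "-" "python-requests/2.31"
203.0.113.7 - - [18/Nov/2025:02:42:10 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications;x=1 HTTP/1.1" 200 8831 "-" "python-requests/2.31"
198.51.100.9 - - [05/Jan/2026:14:00:03 +0000] "POST /wsm-pm/rest/policies HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.1 - - [22/Oct/2025:11:30:00 +0000] "GET /identity/faces/home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2025:11:31:00 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_watched(path):
    # Compare the path only; query strings do not change which endpoint is hit.
    return path.split("?", 1)[0].startswith(WATCHED_PREFIXES)


def should_allow(ip, path):
    """Perimeter rule: watched endpoints are reachable only from trusted networks."""
    return not is_watched(path) or is_trusted(ip)


def path_anomalies(path):
    """Heuristics chosen for this example: request shapes that deserve a second look
    because they can change how the web tier and the application route a request
    (path-parameter separators, encoded dots, dot segments)."""
    raw = path.split("?", 1)[0]
    flags = []
    if ";" in raw:
        flags.append("matrix_param")
    if "%2e" in raw.lower() or "/../" in raw or raw.endswith("/.."):
        flags.append("encoded_or_dot_segment")
    return flags


def triage(lines, since):
    """Replay the perimeter rule over historical logs inside the review window."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["time"] < since or not is_watched(e["path"]):
            continue
        reasons = []
        if not should_allow(e["ip"], e["path"]):
            reasons.append("untrusted_source")
        reasons.extend(path_anomalies(e["path"]))
        if reasons:
            # A 401/403 still means the endpoint was reachable and probed.
            findings.append({**e, "reasons": reasons, "succeeded": e["status"] < 400})
    return findings


def summarize(findings):
    """Count findings per source address so the noisiest sources surface first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


def run_sample():
    return triage(SAMPLE_LOG.splitlines(), SINCE)


if __name__ == "__main__":
    for f in run_sample():
        print(f["time"].isoformat(), f["ip"], f["method"], f["path"], f["status"], f["reasons"])
    print(summarize(run_sample()))
```

Point it at the real logs from your OHS or load-balancer tier rather than the constructed sample, and feed the same allow decision into the perimeter device: anything should_allow rejects is what the interim firewall rule must drop.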
What happened
CVE-2026-21992 affects two Oracle Fusion Middleware products that are central to enterprise identity and access management infrastructure. Oracle Identity Manager is used by large organisations to manage user identities, roles, access policies, and provisioning across enterprise systems; it is effectively the system that controls who has access to what across an organisation's entire technology stack. Oracle Web Services Manager provides the security and policy management layer for web services communications across Oracle Fusion Middleware deployments. A vulnerability in either product is high-value for attackers. In Oracle Identity Manager, the affected component is the REST WebServices interface. In Oracle Web Services Manager, the affected component is Web Services Security. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network accessible, low attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity and availability. In practice that means an attacker needs only HTTP access to an exposed endpoint and the ability to send a crafted request; no account, session, or victim interaction is involved.
Real-World Impact
The implications of a successful exploit against Oracle Identity Manager are particularly severe because of what the product controls. An attacker who achieves RCE on an OIM server can manipulate the identities, roles, and access policies that govern the entire organisation — creating privileged accounts, escalating their own access, disabling security policies, and moving laterally across every system OIM manages. Against Oracle Web Services Manager, exploitation enables disabling or modifying the security policies governing web services communications — creating pathways for further attacks across the middleware stack. Oracle's customer base for these products skews heavily toward large enterprises, financial institutions, government agencies, and multinational corporations — exactly the organisations that ransomware groups and nation-state actors categorise as high-value targets. Oracle has issued only approximately 31 out-of-band Security Alerts across its entire history since 2010, averaging roughly two per year. The decision to release CVE-2026-21992 outside the quarterly cycle is itself a signal of severity. The context of CVE-2025-61757 — described by researchers as "somewhat trivial and easily exploitable" before it was actively exploited and added to CISA's KEV catalog — makes the urgency of patching CVE-2026-21992 even more acute. Both vulnerabilities affect the same product, the same component, and the same versions.
🛡️ Prevention Tips
Oracle Fusion Middleware components should never have their management and REST API endpoints exposed directly to the internet. Network segmentation, perimeter firewall rules, and VPN-gated access for all administrative interfaces are baseline controls that significantly reduce the exploitability of vulnerabilities like CVE-2026-21992. The pattern of two critical CVSS 9.8 vulnerabilities in the same Oracle Identity Manager REST WebServices component within five months — with the first one actively exploited — is a signal that this attack surface is actively being researched by threat actors. Organisations running OIM should treat it as a high-priority target and ensure their patch management processes can deliver emergency patches within hours for out-of-band security alerts, not days or weeks.
FAQs
What is Oracle Identity Manager and why does this matter to my organisation?
Oracle Identity Manager is the system many large enterprises use to manage who has access to what across their entire technology stack — creating user accounts, assigning roles, enforcing access policies, and managing provisioning across connected systems. A successful exploit gives an attacker the ability to manipulate all of that — creating privileged accounts, disabling policies, and moving laterally across every system OIM controls.
Is this being actively exploited right now?
Oracle has not confirmed active exploitation of CVE-2026-21992. However, CVE-2025-61757, a nearly identical vulnerability in the exact same component and versions, was actively exploited and added to CISA's KEV catalog in November 2025. That precedent makes the risk of exploitation for CVE-2026-21992 significantly elevated. No public proof of concept had been published at the time of writing, but the available technical details are likely sufficient for skilled attackers to develop one.
What does "out-of-band Security Alert" mean and why does it matter?
Oracle normally releases security patches quarterly through its Critical Patch Update cycle. An out-of-band Security Alert means Oracle judged the vulnerability too severe to wait for the next scheduled release. Oracle has only issued approximately 31 such alerts across its entire history since 2010 — roughly two per year. This designation is a strong signal of severity and urgency.