Oracle Patches Critical 9.8 Identity Manager RCE Flaw
Oracle has released an out-of-band security update to fix a critical flaw in Oracle Identity Manager and Oracle Web Services Manager, both part of Oracle Fusion Middleware. Oracle said on March 19 that the bug, tracked as CVE-2026-21992, carries a CVSS score of 9.8 out of 10.0, placing it in the Critical severity range.
What Oracle Said
In its advisory, Oracle said, “This vulnerability is remotely exploitable without authentication” and added, “If successfully exploited, this vulnerability may result in remote code execution.”
In simple terms, an attacker may not need a username, password, or any prior access to abuse the flaw. The only precondition described by Oracle and the NIST National Vulnerability Database is network reachability: the NVD entry says the issue is exploitable over HTTP. That is consistent with the score, since a 9.8 under CVSS 3.x denotes a network-reachable, low-complexity attack that needs no privileges or user interaction and fully compromises confidentiality, integrity, and availability.
Affected Versions
The versions named by Oracle are Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, along with Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
According to the NVD, the flaw is “easily exploitable” and allows an unauthenticated attacker with network access to compromise affected systems. That exposure is especially worrying because remote code execution lets an attacker run commands, install malware, steal data, or pivot deeper into the network from any vulnerable server it can reach.
Why This Matters
Oracle’s advisory does not state that CVE-2026-21992 has been exploited in the wild so far, but the timing is notable.
In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency added a related Oracle Identity Manager flaw, CVE-2025-61757, to its Known Exploited Vulnerabilities catalog.
CISA said that earlier issue, which affected Oracle Identity Manager’s REST WebServices component, showed signs of active exploitation. That Oracle is now issuing an out-of-band alert for another serious Identity Manager flaw suggests defenders should treat this release as urgent rather than routine.
What Administrators Should Know
Oracle said the current problem affects two closely related products that often sit in enterprise environments handling identity and web service integration. That makes the impact potentially broad, especially for organizations that expose these systems to internal users, partners, or the public internet.
Because the flaw is reachable remotely without authentication, Oracle’s warning is not limited to customers who have already seen suspicious activity. The company is signaling that customers should patch first and investigate later, rather than waiting for signs of compromise. Where the update cannot be applied immediately, the practical interim step is to remove the one precondition the advisories describe: restrict network access to the affected Identity Manager and Web Services Manager HTTP interfaces to trusted sources until the patch is in place.
For administrators, the takeaway from Oracle and the NVD is straightforward: this is a critical vulnerability, it requires no valid credentials, and successful exploitation may give an attacker full remote control of the server.
Oracle urged customers to apply the update without delay, and the earlier CISA action on a related flaw shows why that advice matters. In environments where Identity Manager or Web Services Manager is exposed, even a brief delay in patching can leave a serious opening for attackers.
#Cybersecurity #Oracle #Vulnerability #RemoteCodeExecution #IdentityManager #CVE_2026_21992