Critical unauthenticated RCE vulnerability in Oracle Identity Manager and Web Services Manager patched
Summary
Oracle released an emergency security update addressing CVE-2026-21992, a critical unauthenticated remote code execution (RCE) vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw, with a CVSS v3.1 score of 9.8, allows remote exploitation over HTTP without authentication or user interaction, posing significant risk to exposed enterprise systems. Affected versions are Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, and Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0. Oracle strongly recommends immediate patching due to the vulnerability's low attack complexity and potential for widespread exploitation.
Timeline
- 20.03.2026 20:48 (1 article)
  Emergency patch released for CVE-2026-21992 in Oracle Identity Manager and Web Services Manager
  Oracle pushed out-of-band security updates to address CVE-2026-21992, a critical unauthenticated RCE vulnerability in Oracle Identity Manager and Oracle Web Services Manager. The flaw, scored 9.8 on the CVSS v3.1 scale, enables remote exploitation over HTTP without authentication or user interaction. Affected versions are Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, and Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0. Oracle strongly recommends immediate patching as the vulnerability poses significant risk to exposed enterprise systems.
  Sources:
  - Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
Information Snippets
- CVE-2026-21992 is an unauthenticated RCE vulnerability in Oracle Identity Manager and Oracle Web Services Manager with a CVSS v3.1 score of 9.8.
  First reported: 20.03.2026 20:48 (1 source, 1 article)
  Sources:
  - Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
- The vulnerability is remotely exploitable over HTTP without requiring authentication, user interaction, or complex conditions, increasing the likelihood of exploitation.
  First reported: 20.03.2026 20:48 (1 source, 1 article)
  Sources:
  - Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
- Affected versions include Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, as well as Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
  First reported: 20.03.2026 20:48 (1 source, 1 article)
  Sources:
  - Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
- Oracle issued an out-of-band security alert via its Security Alert program, which provides fixes for critical or actively exploited vulnerabilities outside regular patch cycles.
  First reported: 20.03.2026 20:48 (1 source, 1 article)
  Sources:
  - Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
- Patches are only provided for versions under Premier or Extended Support; unsupported versions may remain vulnerable.
  First reported: 20.03.2026 20:48 (1 source, 1 article)
  Sources:
  - Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48