Critical unauthenticated RCE vulnerability in Oracle Identity Manager and Web Services Manager patched
Summary
Oracle released an emergency security update addressing CVE-2026-21992, a critical unauthenticated remote code execution (RCE) vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw, with a CVSS v3.1 score of 9.8, allows remote exploitation over HTTP without authentication or user interaction, posing significant risk to exposed enterprise systems. Affected versions include Oracle Identity Manager 12.2.1.4.0, 14.1.2.1.0, and Oracle Web Services Manager 12.2.1.4.0, 14.1.2.1.0. Oracle strongly recommends immediate patching due to the vulnerability's low attack complexity and potential for widespread exploitation. The NIST NVD characterizes the flaw as "easily exploitable" and warns it may lead to full compromise of susceptible instances. As of this update, Oracle has not observed active exploitation of CVE-2026-21992 in the wild, though CISA previously added a similar Oracle Identity Manager pre-authenticated RCE flaw (CVE-2025-61757, CVSS 9.8) to its Known Exploited Vulnerabilities (KEV) catalog in November 2025, underscoring the pattern of high-risk, pre-auth RCE flaws in these products.
Timeline
- 20.03.2026 20:48 (2 articles): Emergency patch released for CVE-2026-21992 in Oracle Identity Manager and Web Services Manager
Oracle pushed out-of-band security updates to address CVE-2026-21992, a critical unauthenticated RCE vulnerability in Oracle Identity Manager and Oracle Web Services Manager. The flaw, scored 9.8 on the CVSS v3.1 scale, enables remote exploitation over HTTP without authentication or user interaction. Affected versions include Oracle Identity Manager 12.2.1.4.0, 14.1.2.1.0 and Oracle Web Services Manager 12.2.1.4.0, 14.1.2.1.0. NIST’s NVD describes the issue as "easily exploitable" and warns it may allow full compromise of susceptible instances. Oracle has not observed active exploitation in the wild as of this update, though prior KEV inclusion for a similar Oracle Identity Manager flaw (CVE-2025-61757) underscores the ongoing risk profile of these products.
Sources:
- Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
- Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager — thehackernews.com — 21.03.2026 12:24
Information Snippets
- CVE-2026-21992 is an unauthenticated RCE vulnerability in Oracle Identity Manager and Oracle Web Services Manager with a CVSS v3.1 score of 9.8.
First reported: 20.03.2026 20:48 (2 sources, 2 articles). Sources:
- Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
- Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager — thehackernews.com — 21.03.2026 12:24
- The vulnerability is remotely exploitable over HTTP without requiring authentication, user interaction, or complex conditions, increasing the likelihood of exploitation.
First reported: 20.03.2026 20:48 (2 sources, 2 articles). Sources:
- Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
- Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager — thehackernews.com — 21.03.2026 12:24
- Affected versions include Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, as well as Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0.
First reported: 20.03.2026 20:48 (2 sources, 2 articles). Sources:
- Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
- Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager — thehackernews.com — 21.03.2026 12:24
- Oracle issued an out-of-band security alert via its Security Alert program, which provides fixes for critical or actively exploited vulnerabilities outside regular patch cycles.
First reported: 20.03.2026 20:48 (1 source, 1 article). Sources:
- Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
- Patches are only provided for versions under Premier or Extended Support; unsupported versions may remain vulnerable.
First reported: 20.03.2026 20:48 (1 source, 1 article). Sources:
- Oracle pushes emergency fix for critical Identity Manager RCE flaw — www.bleepingcomputer.com — 20.03.2026 20:48
- NIST NVD describes CVE-2026-21992 as "easily exploitable" and notes it can allow unauthenticated network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager, potentially leading to full instance takeover.
First reported: 21.03.2026 12:24 (1 source, 1 article). Sources:
- Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager — thehackernews.com — 21.03.2026 12:24
- Oracle's advisory states the flaw is remotely exploitable without authentication and may result in remote code execution if successfully exploited.
First reported: 21.03.2026 12:24 (1 source, 1 article). Sources:
- Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager — thehackernews.com — 21.03.2026 12:24
- Oracle has not observed active exploitation of CVE-2026-21992 in the wild as of the article's publication date.
First reported: 21.03.2026 12:24 (1 source, 1 article). Sources:
- Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager — thehackernews.com — 21.03.2026 12:24
- CISA previously added a similar Oracle Identity Manager pre-authenticated RCE flaw (CVE-2025-61757, CVSS 9.8) to the KEV catalog in November 2025, citing evidence of active exploitation.
First reported: 21.03.2026 12:24 (1 source, 1 article). Sources:
- Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager — thehackernews.com — 21.03.2026 12:24
Similar Happenings
Oracle Identity Manager RCE Flaw CVE-2025-61757 Exploited in Attacks
CISA has warned that a pre-authentication remote code execution (RCE) flaw in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited in attacks. The vulnerability lies in the REST WebServices component of Oracle Identity Manager and has a CVSS severity score of 9.8; it stems from an authentication bypass in the REST APIs that lets an attacker reach a Groovy script compilation endpoint and execute malicious code. It affects versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager. Oracle patched the flaw in October 2025, but evidence suggests it may have been exploited as early as August 30. Searchlight Cyber, whose researchers discovered the flaw and describe it as trivial and easily exploitable, revealed it on November 20; CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on November 21, mandating that federal agencies patch it by December 12. The flaw was found during an investigation of a breach affecting Oracle Cloud's login service, in which a threat actor exploited an older vulnerability, CVE-2021-35587. Successful exploitation lets attackers manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems. Multiple IP addresses, 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153, have been observed scanning for the vulnerability, all using the same user agent.
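The scanning activity described above gives a defender two concrete things to look for in web server access logs: requests from the three published source addresses, and a shared user agent across those requests. The script below is an added example written for this page, not code from Oracle, CISA, or Searchlight Cyber. It refangs the IP indicators exactly as they are printed above, parses Combined Log Format lines, reports every request from a listed scanner, and tallies user agents across the hits so a shared agent string stands out. The log lines and user-agent strings are constructed, the request paths are placeholders, and the page does not publish the scanners' actual user agent, so no real value is assumed for it.

```python
import re
from collections import Counter

# Scanner IP addresses as published on this page, in defanged form.
DEFANGED_SCANNER_IPS = [
    "89.238.132[.]76",
    "185.245.82[.]81",
    "138.199.29[.]153",
]


def refang(ioc: str) -> str:
    """Convert a defanged indicator ("1.2[.]3[.]4", "hxxp://") back to its literal form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


SCANNER_IPS = frozenset(refang(ip) for ip in DEFANGED_SCANNER_IPS)

# Apache/Nginx Combined Log Format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_scanner_hits(lines, scanner_ips=SCANNER_IPS):
    """Return the parsed records whose source IP is one of the published scanner addresses."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["ip"] in scanner_ips:
            hits.append(rec)
    return hits


def user_agent_summary(hits):
    """Count user agents across the hits; a single dominant agent matches the reported pattern."""
    return Counter(h["ua"] for h in hits)


def scan_report(lines):
    """Summarise hits from listed scanners: count, distinct source IPs, most common user agent."""
    hits = find_scanner_hits(lines)
    agents = user_agent_summary(hits)
    top_ua, top_count = agents.most_common(1)[0] if agents else (None, 0)
    return {
        "hits": len(hits),
        "source_ips": sorted({h["ip"] for h in hits}),
        "top_user_agent": top_ua,
        "top_user_agent_count": top_count,
    }


# Constructed sample log lines (not real traffic). Paths and user agents are placeholders.
SAMPLE_LOG = [
    '89.238.132.76 - - [20/Nov/2025:10:15:01 +0000] "GET /PLACEHOLDER_PATH HTTP/1.1" 404 512 "-" "constructed-scanner-ua/1.0"',
    '10.0.0.5 - - [20/Nov/2025:10:15:03 +0000] "GET /identity/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (constructed)"',
    '185.245.82.81 - - [20/Nov/2025:10:16:12 +0000] "GET /PLACEHOLDER_PATH HTTP/1.1" 401 0 "-" "constructed-scanner-ua/1.0"',
    'this line is deliberately malformed and must be skipped',
    '138.199.29.153 - - [20/Nov/2025:10:17:45 +0000] "POST /PLACEHOLDER_PATH HTTP/1.1" 403 0 "-" "other-ua/2.0"',
    '10.0.0.7 - - [20/Nov/2025:10:18:00 +0000] "GET /identity/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (constructed)"',
]

if __name__ == "__main__":
    for hit in find_scanner_hits(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} "{hit["request"]}" {hit["status"]} ua={hit["ua"]}')
    print(scan_report(SAMPLE_LOG))
```

Feed real access logs through `find_scanner_hits` (for example `find_scanner_hits(open(path))`) and treat any hit as a prompt to confirm the instance is patched against CVE-2025-61757 and to review what else those addresses requested; the user-agent tally is there to surface a shared agent string across sources, which is the pattern the page reports, without assuming what that string is.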
Unauthenticated access vulnerability in Oracle E-Business Suite Configurator
A critical vulnerability in Oracle E-Business Suite (EBS) allows unauthenticated attackers to access sensitive data via HTTP. The flaw, CVE-2025-61884, affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle has issued an emergency security update and patch, but exploitation in the wild has been reported. The vulnerability is in the Runtime UI component and could lead to unauthorized access to critical data. Oracle has silently fixed the vulnerability after it was actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software, attributed to a group with ties to the Clop ransomware group. The Clop group has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.