Oracle has issued an emergency out-of-band security alert for CVE-2026-21992, a critical unauthenticated remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. With a CVSS score of 9.8, this is about as severe as it gets.
What Is CVE-2026-21992?
The vulnerability exists in the REST WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager, both part of Oracle Fusion Middleware. An unauthenticated attacker with network access via HTTP can fully compromise the affected product. No user interaction is required.
Affected Versions
- Oracle Identity Manager: Versions 12.2.1.4.0 and 14.1.2.1.0
- Oracle Web Services Manager: Versions 12.2.1.4.0 and 14.1.2.1.0
Why This Matters
Oracle Identity Manager is the backbone of identity governance in many enterprises. A full takeover of this system means an attacker could create privileged accounts, modify access policies, exfiltrate identity data, and establish persistent backdoors across the organization. This is not a theoretical risk. A related vulnerability (CVE-2025-61757) in the same component was already exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalog in November 2025.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Network-accessible, low complexity, no privileges required, no user interaction needed. Full impact on confidentiality, integrity, and availability.
Immediate Actions
- Apply Oracle's out-of-band patch immediately. Do not wait for the next quarterly CPU.
- If patching is not immediately possible, restrict network access to Oracle Identity Manager and Web Services Manager admin interfaces.
- Audit access logs for any unusual REST API calls to the Identity Manager endpoints.
- Review any accounts or policies created or modified in the past 30 days for signs of compromise.
- Consider network segmentation to limit blast radius if exploitation has already occurred.
The Xploitix Take
This CVE reinforces a pattern we see repeatedly: identity infrastructure is the highest-value target in any enterprise. When your identity management system is compromised, every access control downstream is compromised with it. If you run Oracle Fusion Middleware, treat this as a P0 incident and patch today.