Oracle Patches Critical RCE Flaw in Identity Manager

Summary
– Oracle has released an urgent patch for a critical vulnerability (CVE-2026-21992) in Oracle Identity Manager and Oracle Web Services Manager.
– The flaw is due to missing authentication for a critical function, allowing unauthenticated attackers to execute remote code.
– It specifically affects the REST WebServices component in Identity Manager and the Web Services Security component in Web Services Manager.
– The vulnerability impacts versions 12.2.1.4.0 and 14.1.2.1.0, with older unsupported versions also likely vulnerable.
– This flaw mirrors a previously exploited vulnerability (CVE-2025-61757) that was added to CISA’s Known Exploited Vulnerabilities catalog.
Oracle has issued an urgent security update to address a severe flaw, tracked as CVE-2026-21992, within its Oracle Identity Manager and Oracle Web Services Manager products. The company classified the vulnerability as critical and easily exploitable, advising administrators to implement the provided patches or mitigations immediately. While Oracle has not confirmed any active exploitation in the wild, the potential for compromise is high.
The core issue is a case of missing authentication for a critical function. In Oracle Identity Manager, which handles user provisioning and access management, the flaw resides in the REST WebServices component. For Oracle Web Services Manager, a security tool for protecting APIs, the vulnerability exists in the Web Services Security component. In both scenarios, an unauthenticated attacker can exploit the weakness over network protocols like HTTP and HTTPS. This can lead directly to remote code execution, granting the attacker full control over the affected system without requiring any interaction from a user.
The impacted software versions are 12.2.1.4.0 and 14.1.2.1.0 for both products. Oracle also indicated that older, unsupported releases are likely vulnerable, strongly recommending that customers upgrade to a supported version to receive security maintenance.
This new flaw bears a striking resemblance to a previously exploited vulnerability. In late 2025, a similar issue in Oracle Identity Manager, identified as CVE-2025-61757, was added to CISA’s Known Exploited Vulnerabilities catalog. That earlier flaw, also stemming from missing authentication, was patched in October 2025 after being reported by researchers at Assetnote / Searchlight Cyber. Their public technical analysis, released just before CISA’s alert, may have played a role in the discovery of this latest vulnerability, CVE-2026-21992.
Given the history of active exploitation for nearly identical weaknesses, organizations running these Oracle solutions must prioritize applying this critical patch without delay to prevent potential system takeover.
(Source: Help Net Security)