Oracle Releases Patch for RCE Flaw in Identity Manager and Web Services Manager
In a wake-up call for enterprises relying on Oracle’s identity and web services tools, Oracle has issued a high-severity Security Alert for CVE-2026-21992.
This vulnerability strikes Oracle Identity Manager and Oracle Web Services Manager, allowing attackers to execute code remotely without needing a username or password. Disclosed on March 19, 2026, with a revision on March 20, the flaw carries a near-perfect CVSS v3.1 base score of 9.8/10, marking it as one of the most severe flaws in recent Oracle advisories.
Imagine a hacker scanning the internet for exposed Oracle services. With this bug, they can strike over HTTP (and HTTPS) from anywhere on the network. No authentication required, low attack complexity, and no user interaction needed: the Risk Matrix paints a nightmare scenario.
Successful exploitation results in significant impacts on confidentiality, integrity, and availability, potentially allowing attackers to steal data, alter configurations, or crash systems entirely.
The vulnerability affects Oracle Identity Manager (versions 12.2.1.4.0 and 14.1.2.1.0) via its REST Web Services and Oracle Web Services Manager (same versions) through Web Services Security.
Both fall under Oracle Fusion Middleware, a cornerstone for secure identity management and API gateways in many Fortune 500 setups. Oracle warns that older, unsupported versions are likely vulnerable as well, urging upgrades to the Premier or Extended Support phases per its Lifetime Support Policy.
| Affected Product | Versions | Component | CVSS 3.1 Score | Attack Vector | Key Risks |
|---|---|---|---|---|---|
| Oracle Identity Manager | 12.2.1.4.0, 14.1.2.1.0 | REST Web Services | 9.8 | Network | RCE, High CIA Impact |
| Oracle Web Services Manager | 12.2.1.4.0, 14.1.2.1.0 | Web Services Security | 9.8 | Network | RCE, High CIA Impact |
Oracle urges applying patches ASAP. Access them via the official Security Alert page or Fusion Middleware support doc (KB878741). Patches align with the Software Error Correction Support Policy (My Oracle Support Note KB65129). For full details, check the verbose Risk Matrix or CSAF JSON.
No exploits in the wild yet, but the unauthenticated RCE nature screams “wormable.” Security teams should scan for exposed instances using tools such as Shodan or Nuclei templates, once available, and enforce network segmentation.
This alert underscores Oracle Fusion Middleware’s attack surface in hybrid cloud environments. Because the flaw is remotely exploitable without authentication, it is prime for supply-chain attacks or initial access, as outlined in MITRE ATT&CK’s Execution (TA0002) tactics. Organizations using these products for zero-trust identity should prioritize patching over weekend scans.
Site: cybersecuritypath.com