Oracle has released a security update to address a critical security flaw affecting Identity Manager and Web Services Manager that could be used to achieve remote code execution.
The vulnerability, tracked as CVE-2026-21992, has a CVSS score of 9.8 out of a maximum of 10.0.
“This vulnerability could be exploited remotely without authentication,” Oracle said in an advisory. “If successfully exploited, this vulnerability could result in remote code execution.”
CVE-2026-21992 affects the following versions –
- Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
- Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0
According to the description of the flaw in the NIST National Vulnerability Database (NVD), it is "readily exploitable" and allows an unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. Successful exploitation could result in a takeover of the affected Identity Manager or Web Services Manager instance.
Oracle makes no mention of the vulnerability being exploited in the wild. However, given that it is reachable without authentication, the company has urged customers to apply the update without delay.
In November 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61757 (CVSS score: 9.8), a pre-authentication remote code execution flaw affecting Oracle Identity Manager, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.