Oracle has released security updates to fix a critical vulnerability in Identity Manager and Web Services Manager that could be exploited to achieve remote code execution. The vulnerability, tracked as CVE-2026-21992, has a CVSS score of 9.8 out of 10.0.
Oracle said in an advisory, "This vulnerability can be exploited remotely without authentication."
"This vulnerability could lead to remote code execution if it is successfully exploited." CVE-2026-21992 affects the following versions: Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, and Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0. The NIST National Vulnerability Database (NVD) says that the flaw is "easily exploitable" and could let an unauthenticated attacker with network access via HTTP compromise Oracle Identity Manager and Oracle Web Services Manager.
This can then lead to the successful takeover of vulnerable instances. Oracle does not say that the vulnerability is being exploited in the wild. The tech giant has, however, told customers to apply the update right away for the best protection.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61757 (CVSS score: 9.8), a flaw in Oracle Identity Manager that allows remote code execution without authentication, to the Known Exploited Vulnerabilities (KEV) catalog because there is evidence that it is being actively exploited.












