CVE-2026-21992
March 23, 2026

Unauthenticated Remote Code Execution in Oracle Identity Manager and Web Services Manager

Security Advisory
Kudelski Security Team

Summary

Oracle has released security patches addressing a critical vulnerability, CVE-2026-21992, affecting Oracle Identity Manager and Oracle Web Services Manager. This vulnerability allows unauthenticated remote code execution (RCE), meaning that an attacker with network access to the exposed interface could gain control over the system without logging in.

CVE-2026-21992 carries a CVSS 3.1 base score of 9.8, classifying it as critical. The affected supported versions are 12.2.1.4.0 and 14.1.2.1.0. The vulnerability lies in the REST WebServices component of Oracle Identity Manager and in the Web Services Security component of Oracle Web Services Manager.

Affected Systems and/or Applications

Product                       Component                   Affected Versions
Oracle Identity Manager       REST WebServices            12.2.1.4.0, 14.1.2.1.0
Oracle Web Services Manager   Web Services Security       12.2.1.4.0, 14.1.2.1.0
Oracle Fusion Middleware      Includes above components   See above

Systems running Oracle Fusion Middleware that include these components may also be affected, even if the service is not separately exposed.

Technical Details

The vulnerability exists due to improper authentication in critical functions of REST WebServices (Oracle Identity Manager) and Web Services Security (Oracle Web Services Manager). This flaw allows attackers to send crafted requests to exposed endpoints, potentially executing arbitrary server-side code.

Successful exploitation yields code execution as the account under which the application server runs; how far an attacker can go from there depends on what that account and the identity platform itself can reach. Realistic outcomes include:

  • Execution of code in the context of the application service
  • Lateral movement within the network, using the credentials and downstream connections the identity platform holds
  • Persistence, including the creation of hidden administrative accounts
  • Compromise of identity management processes such as provisioning and role or access changes

Characteristics based on CVSS 3.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

  • Network-based attack vector
  • Low attack complexity
  • No privileges or authentication required
  • No user interaction required
  • High impact on confidentiality, integrity and availability; together with the factors above this is what produces the 9.8 base score

Because of these factors, the vulnerability is likely to be exploited at scale shortly after a public proof-of-concept becomes available. Previous pre-authentication vulnerabilities in the Oracle Fusion Middleware ecosystem have been actively targeted by ransomware groups, APT actors and other cybercriminals.

Mitigation

Patch Deployment

  • Identify all instances of Oracle Identity Manager and Oracle Web Services Manager running versions 12.2.1.4.0 and 14.1.2.1.0, including those embedded in Oracle Fusion Middleware installations.
  • Apply the security patches provided by Oracle immediately.
  • Verify successful installation at both system and application levels (for example, with OPatch's lsinventory on each Oracle Home and the patch level reported by the application itself).

Exposure Reduction

  • Restrict public access to administrative panels and exposed endpoints.
  • Implement network segmentation and restrict HTTP/HTTPS traffic to trusted sources.
  • Deploy reverse proxies or Web Application Firewalls (WAF) with rules that monitor for unusual REST/Web Services requests.

Monitoring and Detection

  • Review server, reverse proxy, WAF, and EDR logs for abnormal HTTP requests targeting REST WebServices or Web Services Security endpoints.
  • Monitor for application errors, JVM anomalies, unauthorized artifact deployments, new scheduled tasks, or unusual outbound connections.
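As an added example (not Kudelski's or Oracle's code), the following Python script applies the exposure-reduction and monitoring checks above to web-server access logs. It parses Common Log Format lines as written by Apache or Oracle HTTP Server and flags any request to the REST WebServices / Web Services Security path prefixes that either arrives from outside the trusted networks or is answered with a success status while the server recorded no authenticated user. The path prefixes, the trusted networks and the sample log lines are placeholders constructed for this example and must be replaced with the values from your own deployment.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed path prefixes for the affected components; replace with the prefixes
# your reverse proxy actually routes to Oracle Identity Manager / Web Services Manager.
WATCHED_PREFIXES = ("/iam/governance/", "/wsm-pm/")

# Assumed trusted source networks, i.e. the allow-list the advisory's
# exposure-reduction step asks for.
TRUSTED_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Apache / Oracle HTTP Server Common Log Format: %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    host: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line; return None when the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(host: str) -> bool:
    """True when the client address lies inside an allow-listed network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # hostnames or garbage are never trusted
        return False
    return any(ip in net for net in TRUSTED_NETS)


def analyze(lines: Iterable[str]) -> list:
    """Return a Finding for every watched-endpoint request that violates a control."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Report rather than drop: a log format change must not silently blind the check.
            findings.append(Finding(line_no, "unparseable log line", "-", "-", 0))
            continue
        if not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        if not is_trusted(rec["host"]):
            findings.append(Finding(line_no, "watched endpoint reached from untrusted network",
                                    rec["host"], rec["path"], rec["status"]))
        if rec["user"] == "-" and 200 <= rec["status"] < 300:
            findings.append(Finding(line_no, "watched endpoint returned success with no authenticated user",
                                    rec["host"], rec["path"], rec["status"]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per reason for a quick triage view."""
    return dict(Counter(f.reason for f in findings))


# Constructed sample log lines (not real traffic) used to exercise the rules.
SAMPLE_LOG = [
    '10.1.2.3 - admin [23/Mar/2026:10:00:01 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Mar/2026:10:00:02 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 311',
    '203.0.113.7 - - [23/Mar/2026:10:00:03 +0000] "GET /wsm-pm/ HTTP/1.1" 401 0',
    '10.1.2.3 - - [23/Mar/2026:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.reason} ({f.host} {f.path} -> {f.status})")
    print(summarize(results))
```

The %u field only reflects authentication performed by the web server itself. Where Oracle Identity Manager authenticates at the application layer (session cookies, bearer tokens), pair this check with the application's own audit log or with Authorization-header logging on the reverse proxy rather than relying on %u alone. Unparseable lines are reported as findings instead of being skipped, so a change in log format shows up as noise rather than as silence.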

Incident Response Preparations

  • Audit privileged accounts, application secrets, and connections to dependent systems.
  • If compromise is suspected, rotate credentials, review configuration changes, and perform a full incident response, including memory and artifact analysis and identification of persistence paths.

What the Cyber Fusion Center is Doing

The CFC is monitoring the situation, and this advisory will be updated if required, or when more information is made available.
