Oracle Issues Emergency Patch for Critical Flaw Enabling Remote Code Execution

Firewall Daily – The Cyber Express, by Ashish Khaitan

24 March 2026, 06:24

CVE‑2026‑21992 Oracle Identity Manager

Oracle has released an emergency out-of-band patch to address a critical vulnerability, tracked as CVE-2026-21992, that affects two core enterprise products: Oracle Identity Manager and Oracle Web Services Manager. The flaw, disclosed on March 19, 2026, carries a CVSS v3.1 base score of 9.8, placing it in the highest severity category and prompting an urgent advisory from the company’s Integrated Cyber Center (ICC).

The vulnerability is notable because it can be exploited without authentication, meaning an attacker with network access could trigger remote code execution on affected systems over standard HTTP, without valid login credentials. The advisory explicitly warns that successful exploitation “may result in remote code execution”.

What’s Affected: Products, Versions, and Risk 

The vulnerability affects specific versions of two products within Oracle’s Fusion Middleware suite: 
  • Oracle Identity Manager, versions 12.2.1.4.0 and 14.1.2.1.0
  • Oracle Web Services Manager, versions 12.2.1.4.0 and 14.1.2.1.0
In Identity Manager, the vulnerability resides in the REST WebServices component of the product, while in Web Services Manager it impacts the Web Services Security module. An attacker who successfully exploits this flaw could take full control of systems running these services, manipulating identity governance workflows or altering security policies for other applications and services.

According to Oracle’s advisory, the flaw’s low attack complexity and lack of authentication requirements increase the likelihood that opportunistic attackers could probe exposed systems and achieve remote code execution. For enterprises, this means that externally accessible instances of Identity Manager or Web Services Manager are particularly at risk until the patch is applied.

Patch Release and Support Guidance 

Oracle delivered the fix via a Security Alert, an emergency update process used when a vulnerability is too severe to wait for the regular quarterly Critical Patch Update cycle. The company strongly recommends that customers apply the patches or mitigations provided in this alert “as soon as possible” and remain on supported versions of their products.

However, the patches are only available for versions currently under Premier Support or Extended Support. Systems running older or unsupported releases may not receive the update, which Oracle warns could leave those installations vulnerable unless they are upgraded to a supported version.

Exploitation in the Wild: What’s Known 

To date, Oracle has not confirmed that the vulnerability has been actively exploited in real-world attacks, and the advisory does not reference any specific incidents of active exploitation. The company declined to comment on this when asked by security outlets, leaving uncertainty for defensive teams about whether the vulnerability is already being targeted by threat actors. This lack of transparency is notable, especially given recent history: in November 2025, Oracle released a patch for another critical unauthenticated remote code execution vulnerability in Oracle Identity Manager that was later confirmed by independent researchers to have been exploited as a zero-day prior to the patch.

Wider Security Context 

The significance of the advisory is heightened by recent attacks targeting Oracle products. For example, vulnerabilities in Oracle’s E-Business Suite (EBS) were leveraged in a large-scale data theft campaign affecting more than 100 organizations, though Oracle has not publicly tied specific CVEs to those incidents.

Security professionals warn that identity management infrastructure such as Oracle Identity Manager is often a high-value target because it governs access across an enterprise. A full compromise of such systems could enable credential theft, privilege escalation, lateral movement, and broader network compromise.
Oracle fixes critical RCE flaw CVE-2026-21992 in Identity Manager

Security Affairs, by Pierluigi Paganini

22 March 2026, 12:37

Oracle fixed a critical severity flaw, tracked as CVE-2026-21992, enabling unauthenticated remote code execution in Identity Manager.

Oracle released security updates to address a critical vulnerability, tracked as CVE-2026-21992 (CVSS score of 9.8), affecting Identity Manager and Web Services Manager.

The flaw lets unauthenticated attackers over HTTP take control of Oracle Identity Manager and Web Services Manager, risking full system compromise with severe impact on data and availability.

“This Security Alert addresses vulnerability CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.” reads the advisory.

“Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay.”

The issue is labeled as “easily exploitable.”

The vulnerability impacts Oracle Web Services Manager and Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0.

Oracle did not reveal if the vulnerability was exploited in attacks in the wild.

In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Oracle Fusion Middleware flaw, tracked as CVE-2025-61757 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability is a missing authentication for a critical function that can result in pre-authenticated remote code execution. The flaw is easily exploitable and allows an unauthenticated attacker with HTTP network access to compromise Identity Manager, enabling a full takeover of the system.

The flaw impacts versions 12.2.1.4.0 and 14.1.2.1.0. Oracle addressed the flaw with the release of Oracle Critical Patch Update Advisory – October 2025.

Adam Kues and Shubham Shah of Assetnote reported the vulnerability.

SANS researcher Johannes B. Ullrich recently reported that an analysis of his organization’s honeypot logs revealed multiple HTTP POST attempts between August 30 and September 9, 2025, targeting the Oracle Identity Manager endpoint associated with CVE-2025-61757. The scans originated from different IPs but used the same user agent, suggesting a single attacker. The 556-byte POST payloads indicate likely exploitation as a zero-day, weeks before Oracle released a patch. Attempts came from 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153.
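The honeypot pattern described above (several source IPs, one shared user agent, identical POST body size) can be turned into a simple triage check over web-server logs. The following is an added example, not code from Security Affairs, SANS or Oracle; the log format is a constructed one that records the request Content-Length, the endpoint path is a placeholder rather than Oracle's real REST path, and the sample lines are constructed using the three IPs quoted in the article.

```python
"""Cluster POST probes that share a user agent and body size across IPs.

Added example mimicking the honeypot analysis in the article.  Log format,
sample lines and the endpoint path are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed format: ip [timestamp] "METHOD path" status request-length "UA".
# It is NOT the default Apache/nginx combined format (which logs response size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<req_len>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample: three probes (IPs from the article) plus benign noise.
SAMPLE_LOG = """\
89.238.132.76 [30/Aug/2025:10:02:11 +0000] "POST /PLACEHOLDER_OIM_ENDPOINT" 404 556 "Mozilla/5.0 scanner-ua"
185.245.82.81 [02/Sep/2025:03:41:50 +0000] "POST /PLACEHOLDER_OIM_ENDPOINT" 404 556 "Mozilla/5.0 scanner-ua"
138.199.29.153 [09/Sep/2025:22:15:07 +0000] "POST /PLACEHOLDER_OIM_ENDPOINT" 404 556 "Mozilla/5.0 scanner-ua"
10.0.0.5 [01/Sep/2025:08:00:00 +0000] "GET /index.html" 200 0 "Mozilla/5.0 browser"
10.0.0.6 [01/Sep/2025:08:00:01 +0000] "POST /login" 302 120 "Mozilla/5.0 browser"
10.0.0.7 [01/Sep/2025:08:00:02 +0000] "POST /login" 302 118 "Mozilla/5.0 other-browser"
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["req_len"] = int(entry["req_len"])
            entries.append(entry)
    return entries


def cluster_post_probes(entries, min_ips=3):
    """Group POSTs by (user agent, path, body size); keep groups seen from at
    least `min_ips` distinct IPs, i.e. one toolchain rotating infrastructure."""
    groups = defaultdict(set)
    for e in entries:
        if e["method"] == "POST":
            groups[(e["ua"], e["path"], e["req_len"])].add(e["ip"])
    return {k: sorted(ips) for k, ips in groups.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for (ua, path, size), ips in cluster_post_probes(parse_log(SAMPLE_LOG)).items():
        print(f"{len(ips)} IPs -> POST {path} ({size} bytes) UA={ua!r}: {ips}")
```

On a real server the same grouping is run over the full access log; a cluster with many IPs, one UA and one fixed body size against a single endpoint is worth checking against the patch status of that host.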
