Particle.news

Oracle Issues Emergency Patch for Critical RCE in Identity Manager and Web Services Manager

Oracle urges immediate patching after releasing out-of-band fixes for a pre-authentication flaw in key Fusion Middleware components.

Overview

  • CVE-2026-21992 carries a CVSS score of 9.8 and enables unauthenticated remote code execution over HTTP or HTTPS.
  • The flaw affects the REST WebServices component in Oracle Identity Manager and the Web Services Security component in Oracle Web Services Manager.
  • Impacted versions include 12.2.1.4.0 and 14.1.2.1.0, and Oracle advises customers to apply updates or mitigations without delay and remain on supported releases.
  • Oracle has not confirmed in-the-wild exploitation for this vulnerability, though a similar Identity Manager flaw in 2025 was later added to CISA’s Known Exploited Vulnerabilities catalog.
  • Assetnote researchers Adam Kues and Shubham Shah reported the issue, and the National Vulnerability Database describes it as easily exploitable with potential for full system takeover.