Advisory

Oracle Issues Emergency Patch for Critical Vulnerability in Identity Manager, Web Services Manager

Take action: If you're running Oracle Fusion Middleware, Oracle Identity Manager or Oracle Web Services Manager, this is important and probably urgent. If possible, isolate the system to trusted networks only and use a Web Application Firewall with custom rules for this endpoint. Then patch ASAP, because this flaw will be exploited, very soon.


Learn More

Oracle released an emergency out-of-band security alert to address a remote code execution vulnerability affecting Oracle Identity Manager and Web Services Manager, part of Fusion Middleware.

It's very rare for Oracle to release a patch outside of the standard quarterly Critical Patch Update cycle, and an out-of-band release usually means such a flaw is very close to being actively exploited.

The current vulnerability is tracked as CVE-2026-21992 (CVSS score 9.8), a remote code execution vulnerability in the REST WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager. An unauthenticated attacker can exploit this flaw over the HTTP protocol. Successful exploitation allows the attacker to run arbitrary code on the host system with the privileges of the middleware service, leading to a complete system takeover without requiring any user interaction.

This flaw mirrors CVE-2025-61757, a previous authentication bypass in the same component that was widely targeted by threat actors. While Oracle has not confirmed active exploitation of this specific new flaw, the historical targeting of Fusion Middleware makes it a high-priority threat for security teams.

Affected versions include:

  • Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
  • Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0 when installed as part of the Oracle Fusion Middleware Infrastructure.

Oracle notes that while older, unsupported versions were not tested, they are likely vulnerable and should be upgraded to supported releases to receive the necessary security fixes.

Oracle strongly recommends that administrators apply the provided security updates immediately to mitigate the risk of remote exploitation.

Organizations should ensure that management interfaces for Fusion Middleware are not exposed to the public internet.
