Critical Unauthenticated RCE in Oracle Identity Manager (CVE‑2026‑21992) Triggers Emergency Out‑of‑Band Patch

Oracle released an out‑of‑band update to remediate CVE‑2026‑21992, a critical unauthenticated remote code execution flaw in Oracle Identity Manager and Web Services Manager. The vulnerability scores 9.8, can be exploited over HTTP without credentials, and threatens enterprise IAM deployments across multiple sectors.

🛡️ LiveThreat™ Intelligence · 📅 March 21, 2026 · 📰 bleepingcomputer.com

Severity: Critical · Type: Vulnerability · Confidence: High · Affected: 2 sector(s) · Actions: 4 recommended · Source: bleepingcomputer.com

What It Is — Oracle disclosed a critical unauthenticated remote code execution (RCE) flaw in Oracle Identity Manager and Oracle Web Services Manager (CVE‑2026‑21992). The vulnerability scores 9.8 (CVSS v3.1) and can be exploited over HTTP without credentials or user interaction.

Exploitability — No public evidence of active exploitation; Oracle has not confirmed exploitation. The flaw is low‑complexity and fully remote, making it highly attractive for attackers once a vulnerable endpoint is exposed.

Affected Products — Oracle Identity Manager 12.2.1.4.0, 14.1.2.1.0; Oracle Web Services Manager 12.2.1.4.0, 14.1.2.1.0 (Premier or Extended Support versions only).

TPRM Impact — Identity and access management platforms are core to supply‑chain security: a breach could expose credentials and privilege assignments and enable lateral movement into partner ecosystems. Organizations relying on Oracle’s IAM stack may inadvertently propagate compromised identities to downstream vendors.

Recommended Actions

  • Deploy the out‑of‑band security update immediately on all affected Oracle Identity Manager and Web Services Manager instances.
  • Verify that all deployments run supported (Premier/Extended) versions; plan migration for legacy installations.
  • Apply network‑level controls: restrict inbound HTTP access to IAM endpoints, enforce TLS, and monitor for anomalous execution patterns.
  • Conduct a rapid risk assessment to identify any third‑party services that consume Oracle IAM data and notify those partners of the patch status.
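The four actions above amount to one triage pass over an IAM inventory: patch what is affected, flag what is unsupported, prioritize what is reachable over HTTP, and list the partners to notify. The script below is an added example that is not part of the brief or of Oracle's or BleepingComputer's material; the affected product and version list comes from the advisory, while the hostnames, partner names, the `<legacy-version>` string and the inventory records are constructed placeholders.

```python
"""Triage an IAM inventory against the CVE-2026-21992 advisory.

Added example, not code from the brief, BleepingComputer, or Oracle. The
affected product/version list is taken from the advisory; hostnames, partner
names and the inventory records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Affected releases named in the advisory (Premier/Extended Support versions only).
AFFECTED = {
    "Oracle Identity Manager": {"12.2.1.4.0", "14.1.2.1.0"},
    "Oracle Web Services Manager": {"12.2.1.4.0", "14.1.2.1.0"},
}

PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "info": 3}


@dataclass
class Instance:
    host: str
    product: str
    version: str
    patched: bool                 # out-of-band update already applied?
    internet_exposed: bool        # HTTP endpoint reachable from outside the perimeter?
    downstream_partners: List[str] = field(default_factory=list)


@dataclass
class Finding:
    host: str
    priority: str                 # P1 (urgent) .. P3, or "info"
    actions: List[str]


def triage(inst: Instance) -> Finding:
    """Map one inventory record to a priority and the advisory's actions."""
    affected_versions = AFFECTED.get(inst.product)
    if affected_versions is None:
        return Finding(inst.host, "info", ["product not in scope of CVE-2026-21992"])
    if inst.version not in affected_versions:
        # Unlisted release: either out of scope or an unsupported legacy install
        # that receives no fix. The advisory says to plan migration for the latter.
        return Finding(inst.host, "P3", [
            "version not listed in advisory: confirm support status; "
            "migrate unsupported legacy installations",
        ])
    if inst.patched:
        return Finding(inst.host, "info", ["out-of-band update applied; continue monitoring"])

    actions = ["apply the out-of-band security update"]
    if inst.internet_exposed:
        # Unauthenticated RCE over HTTP: an exposed, unpatched instance is the top priority.
        priority = "P1"
        actions.append("restrict inbound HTTP to the IAM endpoint and enforce TLS until patched")
    else:
        priority = "P2"
    if inst.downstream_partners:
        actions.append("notify partners of patch status: " + ", ".join(inst.downstream_partners))
    return Finding(inst.host, priority, actions)


def prioritize(inventory: List[Instance]) -> List[Finding]:
    """Triage every record and order the result with the most urgent first."""
    return sorted((triage(i) for i in inventory), key=lambda f: PRIORITY_ORDER[f.priority])


# Constructed sample inventory (hostnames and partner names are placeholders).
INVENTORY = [
    Instance("owsm-prod-04", "Oracle Web Services Manager", "14.1.2.1.0", True, True),
    Instance("idm-dev-02", "Oracle Identity Manager", "12.2.1.4.0", False, False),
    Instance("owsm-legacy-03", "Oracle Web Services Manager", "<legacy-version>", False, True),
    Instance("idm-prod-01", "Oracle Identity Manager", "14.1.2.1.0", False, True,
             ["partner-hr-saas", "partner-payroll"]),
]

if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"[{f.priority}] {f.host}")
        for a in f.actions:
            print(f"    - {a}")
```

Exposure is the deciding factor between P1 and P2 because the flaw needs no credentials or user interaction; an internal-only instance still needs the patch, but an internet-reachable one needs the network control in the same change window.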

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/oracle-pushes-emergency-fix-for-critical-identity-manager-rce-flaw/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.