CVE-2026-21992: Critical Out-of-Band Oracle Identity Manager and Oracle Web Services Manager Remote Code Execution Vulnerability

Blog / Cyber Exposure Alerts Subscribe CVE-2026-21992: Critical Out-of-Band Oracle Identity Manager and Oracle Web Services Manager Remote Code Execution Vulnerability Satnam Narang March 20, 2026 4 Min Read Oracle published an out-of-band security alert for a critical vulnerability in Oracle Identity Manager and Oracle Web Services Manager, following in-the-wild exploitation of a related flaw in the same component in November 2025. Key takeaways: CVE-2026-21992 is a critical remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager with a CVSSv3 score of 9.8.   The vulnerability is remotely exploitable without authentication, and Oracle issued an out-of-band security alert outside of its regular quarterly Critical Patch Update cycle.   A related vulnerability in Oracle Identity Manager's REST WebServices component, CVE-2025-61757, was exploited in the wild and added to CISA's KEV catalog in November 2025. Background On March 19, Oracle published an out-of-band security alert for a critical vulnerability in two Oracle Fusion Middleware products: CVE Description CVSSv3 CVE-2026-21992 Oracle Fusion Middleware Remote Code Execution Vulnerability 9.8 Oracle rarely issues out-of-band security alerts, reserving them for vulnerabilities that warrant attention outside of its quarterly Critical Patch Update (CPU) cycle. The next scheduled CPU is April 2026. Analysis CVE-2026-21992 is a remote code execution vulnerability affecting two Oracle Fusion Middleware products: Oracle Identity Manager and Oracle Web Services Manager. An unauthenticated, remote attacker could exploit this vulnerability over HTTP to achieve code execution on a vulnerable system. The vulnerability has a CVSSv3 score of 9.8. The vulnerability affects different components in each product. In Oracle Identity Manager, the affected component is REST WebServices. In Oracle Web Services Manager, the affected component is Web Services Security. Out-of-band advisory signals elevated risk Oracle describes its Security Alerts as fixes "deemed too critical to wait for distribution in the next Critical Patch Update." Oracle has issued approximately 31 Security Alerts since 2010, averaging about two per year. The decision to release CVE-2026-21992 as an out-of-band Security Alert rather than waiting for the next quarterly CPU in April 2026 is significant. This is only the second out-of-band Security Alert Oracle has issued for Oracle Identity Manager. The first, CVE-2017-10151, was a CVSS 10.0 default account vulnerability that allowed complete compromise of Identity Manager via an unauthenticated network attack. The urgency may be related to CVE-2025-61757, a pre-authentication RCE in Oracle Identity Manager patched in Oracle’s October 2025 CPU and added to CISA's Known Exploited Vulnerabilities (KEV) catalog in November 2025. Researchers at Searchlight Cyber published details describing CVE-2025-61757 as an authentication bypass in Identity Manager's REST WebServices component, calling it "somewhat trivial and easily exploitable by threat actors." While CVE-2026-21992 affects the same product, component and versions, Oracle has not confirmed whether the two are related. Oracle has also not disclosed whether CVE-2026-21992 has been exploited in the wild. Historical exploitation of Oracle Fusion Middleware vulnerabilities Oracle Fusion Middleware has six vulnerabilities in CISA's KEV catalog. Oracle has 42 total entries across all products in the catalog. CVE Description Date Added CVE-2025-61757 Oracle Fusion Middleware Missing Authentication Vulnerability (Identity Manager) 2025-11-21 CVE-2021-35587 Oracle Fusion Middleware Access Manager Takeover Vulnerability 2022-11-28 CVE-2020-2551 Oracle Fusion Middleware WebLogic Server Vulnerability 2023-11-16 CVE-2012-1710 Oracle WebCenter Forms Recognition Vulnerability 2022-05-25 CVE-2012-0518 Oracle Application Server Single Sign-On Vulnerability 2022-03-28 CVE-2012-3152 Oracle Fusion Middleware Reports Developer Vulnerability 2021-11-03 Proof of concept At the time this blog post was published, there was no public proof-of-concept (PoC) available for CVE-2026-21992. Solution Oracle has released patches for the following affected products: Affected Products CVE Affected Versions Oracle Identity Manager CVE-2026-21992 12.2.1.4.0, 14.1.2.1.0 Oracle Web Services Manager CVE-2026-21992 12.2.1.4.0, 14.1.2.1.0 Patch details are available through the Patch Availability Document for Fusion Middleware. Identifying affected systems A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-21992 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline. Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets using the following query: Web Servers equals Oracle WebLogic Server   Get more information Oracle Security Alert Advisory - CVE-2026-21992 Breaking Oracle's Identity Manager: Pre-Auth RCE (CVE-2025-61757) Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats. Learn more about Tenable One, the Exposure Management Platform for the modern attack surface. Satnam Narang Senior Staff Research Engineer, Security Response Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast. Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda). Related articles March 17, 2026 FAQ on CVE-2026-21514: OLE bypass N-Day in Microsoft Word An N-day vulnerability in Microsoft Word exposes nearly 14 million assets. Attackers can exploit this flaw to bypass security prompts, enabling deployment of malware and establishing persistent access without triggering user warnings. Research Special Operations March 17, 2026 Operation Epic Fury: Why exposure data changes everything about Iran's cyber-kinetic campaign Iran's retaliatory campaign following Operation Epic Fury has collapsed the boundary between physical and digital warfare. Tenable's exposure data analysis across seven target countries reveals that the largest exploitable attack surface isn't the headline threat, it's a Microsoft Word N-day… Robert Huber March 17, 2026 How to prepare for NERC CIP compliance deadlines in 2026 and beyond Explore key cybersecurity requirements and implementation deadlines for electric power utilities included in the NERC CIP-003-9 standard for Low-Impact BES (Bulk Electric System) Cyber Systems, and how Tenable can help deliver the comprehensive visibility required to ensure compliance. Matt Tucker Exposure Management Vulnerability Management Tenable Attack Surface Management Tenable Lumin Tenable Nessus Tenable Nessus Network Monitor Tenable One Tenable Patch Management Tenable Security Center Tenable Security Center Plus Tenable Vulnerability Management Tenable Web App Scanning Cybersecurity news you can use Enter your email and never miss timely alerts and security guidance from the experts at Tenable. Email Address Submit