Patch Now: Oracle's Fusion Middleware Has Critical RCE Flaw

VULNERABILITIES & THREATS APPLICATION SECURITY CYBERSECURITY OPERATIONS IDENTITY & ACCESS MANAGEMENT SECURITY NEWS Patch Now: Oracle's Fusion Middleware Has Critical RCE Flaw Attackers can execute arbitrary code without authentication if Oracle's Identity or Web Services Managers are exposed to the Web. Nate Nelson,Contributing Writer March 20, 2026 4 Min Read SOURCE: JEROME CID VIA ALAMY STOCK PHOTO Oracle broke its usual patch cycle this week to announce a critical vulnerability in its Fusion Middleware. On March 19, the enterprise software and cloud computing giant released a special security alert for the newly discovered issue, now labeled CVE-2026-21992. It affects the Oracle Identity Manager (OIM) and Oracle Web Services Manager (OWSM), and its severity is obvious at first glance, as it enables remote code execution (RCE) and requires no authentication to exploit.  In theory, attackers could use CVE-2026-21992 to manipulate the identities, roles, and policies an organization defines through OIM, useful for lateral movement and escalating privileges in those organizations' networks. They could also change or turn off security policies organizations define in OWSM, making other malicious cyber activity easier to pull off. And that's to say nothing of all the sensitive data they could steal, the services they could cut off, and the other creative commands they might utilize in the process. Related:'Claudy Day’ Trio of Flaws Exposes Claude Users to Data Theft So far, there's no publicly known evidence that it has been exploited in the wild, but if past is prelude, that's likely to change, and the blast radius could be significant. According to data from business intelligence aggregators Enlyft and Landbase, OIM is deployed at north of 1,000 organizations, mostly in the United States, and largely in IT and other tech industries. Notable is its popularity with large multinationals, like Walmart, Huawei, and ExxonMobil. A plurality of its customers fall into demographic categories like: employs more than 10,000 employees, earns more than $1 billion in annual revenue, etc. Critical RCE Bug in Oracle Fusion Middleware Oracle typically organizes software fixes into quarterly updates for customers. The exception to the rule is when vulnerabilities are discovered that are simply too serious and too urgent to wait. In the past decade and a half, Oracle has released specialized security alerts for such vulnerabilities just around 30 times. The debutante to the group has received a 9.8 out of 10 Common Vulnerability Scoring System (CVSS). It's an issue in the HTTP application programming interface (API) surface of Oracle's identity and Web services security stack; and according to the risk matrix published in Oracle's advisory, attacking it requires relatively little complexity. In many ways, CVE-2026-21992 resembles another recent OIM vulnerability that also earned a 9.8 CVSS score: CVE-2025-61757, first disclosed last October. Both affect OIM's REST WebServices component, affect the same software versions (12.2.1.4.0 and 14.1.2.1.0), and allow for RCE. For these reasons, Tenable senior staff research engineer Satnam Narang speculates that the new issue could possibly be related to the old. There's no evidence of this in Oracle's security advisory, however. Dark Reading reached out to Oracle to confirm whether the two might be related. Oracle declined to comment. Related:Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos If CVE-2026-21992 does go the way of CVE-2025-61757, it won't be a good thing. Compared with other OIM vulnerabilities, researchers at Searchlight Cyber described the October bug as "somewhat trivial and easily exploitable," and indeed it was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog the following month. That made it just the sixth-ever Fusion Middleware vulnerability to make the list, and the first one in three years. "If this one follows a similar path, it's likely that attackers are going to be able to exploit this pretty easily," Tenable's Narang says, predicting that they might already be preparing their attacks now. "If this is an exposed endpoint that attackers can access, and it doesn't veer too differently from the last one, there's a possibility that we will see some exploitations. I don't expect this to be widespread exploitation but, you know, exploitation is still exploitation." Related:Cisco Drops 48 New Firewall Vulnerabilities, 2 Critical Large Organizations Have Patching Complications Considering the average size of Oracle's customers, CVE-2026-21992 may be of particular interest to big game hunters on the Dark Web. Organizational size and complexity can also complicate patching processes, in some cases. "It's a little bit more cumbersome depending on the size of the organization, and the footprint of the installed software. Those can definitely be issues that create more challenges for organizations," Narang says. "Every implementation is going to be different for each organization," he adds. "I think that's also why, over the years, we do see this [widely varying] time between patches becoming available and organizations patching. Sometimes it's within days, sometimes it's within months, because of patch management policies." He adds, "That's why known vulnerabilities are a problem across the board. And why we continue to see older vulnerabilities exploited months and even years later." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like VULNERABILITIES & THREATS Cursor Issue Paves Way for Credential-Stealing Attacks by Elizabeth Montalbano, Contributing Writer NOV 17, 2025 VULNERABILITIES & THREATS Cisco's Wave of Actively Exploited Zero-Day Bugs Targets Firewalls, IOS by Alexander Culafi SEP 25, 2025 VULNERABILITIES & THREATS 'Bring Your Own Installer' Attack Targets SentinelOne EDR by Alexander Culafi, Senior News Writer, Dark Reading MAY 07, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE