Oracle Releases Emergency Patch for Critical Identity Manager Vulnerability
SecurityWeek, archived Mar 23, 2026
CVE-2026-21992 can be used without authentication for remote code execution and it may have been exploited in the wild.
Oracle on Friday issued out-of-band updates to patch a critical vulnerability affecting its Identity Manager and Web Services Manager products.
Oracle Identity Manager is an enterprise identity governance platform that automates user provisioning, deprovisioning, and access management across applications and systems. Oracle Web Services Manager is a policy-driven framework for managing and protecting web services.
Oracle revealed that the products, part of the Fusion Middleware suite, are affected by CVE-2026-21992, a critical vulnerability that can be exploited by an unauthenticated attacker for remote code execution.
According to Oracle’s advisory, the vulnerability has a CVSS score of 9.8 and it affects the REST WebServices component of Identity Manager and the Web Services Security component of Web Services Manager.
“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager,” reads the description of CVE-2026-21992 in the National Vulnerability Database. “Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager.”
Oracle’s Integrated Cyber Center has published a security alert to draw organizations’ attention to the patches, but the vendor has not clearly stated whether the flaw has been exploited in the wild.
SecurityWeek has reached out to Oracle to find out whether the vulnerability has been leveraged in malicious attacks.
It’s worth noting that it would not be the first time Oracle has released a patch for a zero-day without specifically telling customers that it has been exploited in the wild.
In November 2025, the software giant informed customers about another critical pre-authentication remote code execution vulnerability in Identity Manager. The company did not mention exploitation, but others later confirmed that it had been exploited as a zero-day.
Vulnerabilities in Oracle’s E-Business Suite (EBS) were recently exploited in a massive data theft campaign that affected more than 100 organizations. The attacks involved the exploitation of zero-days, but Oracle has not clearly specified which flaws the attackers used.
WRITTEN BY
Eduard Kovacs
Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.