Critical RCE Vulnerability Patched in Oracle Identity Manager and Web Services Manager
**Oracle** has issued an emergency security update to address a critical remote code execution (RCE) vulnerability affecting **Oracle Identity Manager** and **Oracle Web Services Manager**. The vulnerability, tracked as **CVE-2026-21992**, is remotely exploitable without authentication, making it a high-priority concern for IT security professionals.

**Oracle** has released an out-of-band security update to remediate a critical unauthenticated remote code execution vulnerability in **Identity Manager** and **Web Services Manager**, identified as **CVE-2026-21992**.
### Impacted Products
**Oracle Identity Manager** is a key solution for managing identities and access across enterprise environments. **Oracle Web Services Manager** provides security and management controls for web services.
### Vulnerability Details
In its security advisory, **Oracle** strongly urges customers to apply the provided patches immediately.
"This Security Alert addresses vulnerability **CVE-2026-21992** in **Oracle Identity Manager** and **Oracle Web Services Manager**. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution," states the [security advisory](https://www.oracle.com/security-alerts/alert-cve-2026-21992.html).
"Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay."
**CVE-2026-21992** has a CVSS v3.1 severity score of 9.8, indicating its critical nature. The vulnerability affects **Oracle Identity Manager** versions 12.2.1.4.0 and 14.1.2.1.0, and **Oracle Web Services Manager** versions 12.2.1.4.0 and 14.1.2.1.0.
### Technical Analysis
**Oracle** reports that the flaw is of low complexity, remotely exploitable over HTTP, and requires no authentication or user interaction. This combination of factors significantly increases the risk of exploitation, especially on internet-facing servers.
### Remediation
The fix has been released through **Oracle's** [Security Alert program](https://www.oracle.com/corporate/security-practices/assurance/vulnerability/), which is designed to provide out-of-schedule fixes for critical or actively exploited vulnerabilities. However, **Oracle** notes that these patches are only available for versions under Premier or Extended Support, leaving older, unsupported versions potentially vulnerable.
Currently, **Oracle** has not disclosed whether **CVE-2026-21992** has been actively exploited in the wild.
In a separate [blog post](https://blogs.oracle.com/security/alert-cve-2026-21992) published today, **Oracle** reiterated the severity of **CVE-2026-21992** and advised customers to carefully review the security alert for comprehensive details and patching instructions.