{"id":345,"date":"2026-03-21T11:31:38","date_gmt":"2026-03-21T11:31:38","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=345"},"modified":"2026-03-21T11:31:38","modified_gmt":"2026-03-21T11:31:38","slug":"oracle-patches-critical-cve-2026-21992-enabling-unauthenticated-rce-in-identity-manager","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=345","title":{"rendered":"Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Mar 21, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Threat Intelligence<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgxIh9aqIMPc6elNLcqZwmxGq0BHfA3NS2kkxawAr-H7SzPJKmvc7tXrykcm664TGFkJUIb_BmGpJV0CkEjIxVoRfTCrc8br5bi_TL93Nv_g7J_c9ccucZL4e55lp_zyywwBeAzDIoA1bnI95ELRLCbOyVf0WX0CGgGHLun2uQFKhqeMKf16nBOeJTO7O77\/s1700-e365\/oracle-flaw-hack.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Oracle has <a href=\"https:\/\/blogs.oracle.com\/security\/alert-cve-2026-21992\" rel=\"noopener\" target=\"_blank\">released<\/a> security updates to address a critical security flaw impacting Identity Manager and Web Services Manager that could be exploited to achieve remote code execution.<\/p>\n<p>The vulnerability, tracked as <strong>CVE-2026-21992<\/strong>, carries a CVSS score of 9.8 out of a maximum of 10.0.<\/p>\n<p>\u00abThis vulnerability is remotely exploitable without authentication,\u00bb Oracle <a href=\"https:\/\/www.oracle.com\/security-alerts\/alert-cve-2026-21992.html\" rel=\"noopener\" target=\"_blank\">said<\/a> in an advisory. \u00abIf successfully exploited, this vulnerability may result in remote code execution.\u00bb<\/p>\n<p>CVE-2026-21992 affects the following versions &#8211;<\/p>\n<ul>\n<li>Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0<\/li>\n<li>Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0<\/li>\n<\/ul>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fs-report-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjWQgUDT06NQu9vGMPC7BWROmJABTIWg058l7oGKD-v3ZchC8_66xjbclOE9koChsRf5CEKgqrXTVrne_00PdGokh3brhvF-g33I4FYYpTukrvuNQWXZOVAfon6-2axyRoVJ4uOrXPqRhxfZUaJWEm-K9esUS3ql8VSVWAKLqyfhHLgMSXhkMTkcOtGSX7R\/s728-e100\/fs-report-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>According to a <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-21992\" rel=\"noopener\" target=\"_blank\">description<\/a> of the flaw in the NIST National Vulnerability Database (NVD), it&#8217;s \u00abeasily exploitable\u00bb and could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. This, in turn, can result in the successful takeover of susceptible instances.<\/p>\n<p>Oracle makes no mention of the vulnerability being exploited in the wild. However, the tech giant has urged customers to apply the update without delay for optimal protection.<\/p>\n<p>In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61757 (CVSS score: 9.8), a pre-authenticated remote code execution flaw impacting Oracle Identity Manager, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 21, 2026Vulnerability \/ Threat Intelligence Oracle has released security updates to address a critical security flaw impacting Identity Manager and Web Services Manager that could be exploited to&hellip;<\/p>\n","protected":false},"author":1,"featured_media":346,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[58,814,524,85,473,813,57,316,725],"class_list":["post-345","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-critical","tag-cve202621992","tag-enabling","tag-identity","tag-manager","tag-oracle","tag-patches","tag-rce","tag-unauthenticated"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=345"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/345\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/346"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}