Full Report
Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992. [...]
Analysis Summary
# Vulnerability: Critical Unauthenticated RCE in Oracle Identity Manager
## CVE Details
- **CVE ID**: CVE-2026-21992
- **CVSS Score**: 9.8 (Critical)
- **CWE**: Not explicitly listed in the advisory; an unauthenticated, HTTP-triggered RCE of this kind is consistent with improper input validation or unsafe deserialization, but the weakness class is not confirmed.
## Affected Systems
- **Products**: Oracle Identity Manager (OIM) and Oracle Web Services Manager (OWSM)
- **Versions**:
  - 12.2.1.4.0
  - 14.1.2.1.0
- **Configurations**: Systems running under Premier or Extended Support; older unsupported versions are likely vulnerable but not explicitly addressed in the patch release.
## Vulnerability Description
CVE-2026-21992 is a critical security flaw that allows an unauthenticated attacker to execute arbitrary code on the host server remotely. The vulnerability exists within the way the application handles specific HTTP requests. Because Oracle Identity Manager manages enterprise-wide access and identities, a compromise of this service provides an attacker with high-level privileges within the target infrastructure.
## Exploitation
- **Status**: Not confirmed as exploited in the wild (awaiting vendor confirmation); no PoC currently public.
- **Complexity**: Low
- **Attack Vector**: Network (Remotely exploitable over HTTP)
- **User Interaction**: None Required
- **Authentication**: None Required (Unauthenticated)
## Impact
- **Confidentiality**: High
- **Integrity**: High
- **Availability**: High
- **Total Impact**: Full system compromise and remote code execution (RCE).
## Remediation
### Patches
Oracle has released out-of-band security updates through its Security Alert program.
- **Oracle Identity Manager**: Apply patches for versions 12.2.1.4.0 and 14.1.2.1.0 immediately.
- **Oracle Web Services Manager**: Apply patches for versions 12.2.1.4.0 and 14.1.2.1.0 immediately.
### Workarounds
- Oracle "strongly recommends" applying the updates or mitigations provided in the security alert.
- General mitigation involves restricting HTTP/HTTPS access to affected management consoles to internal, trusted networks only.
## Detection
- **Indicators of Compromise**: Monitor web server logs for unusual HTTP requests targeting Identity Manager or Web Services Manager endpoints, specifically those originating from unknown external IPs.
- **Detection methods**: Security teams should scan for the specific vulnerable versions (12.2.1.4.0 and 14.1.2.1.0) and verify that the March 2026 out-of-band patch has been applied.
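The log-triage check described above, written out as an added example (not code from Oracle or from the advisory): it parses web server access-log lines in common log format and flags requests to the identity/web-services console paths that originate outside the trusted internal ranges that the workaround says access should be restricted to. The trusted networks, the console path prefixes and the log lines are all assumptions or constructed samples and must be adjusted to the deployment.

```python
import ipaddress
import re

# Assumed trusted internal ranges from which console access is legitimate.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed context-root prefixes for the OIM and OWSM web applications;
# replace with the URL roots actually deployed behind your web tier.
CONSOLE_PREFIXES = ("/identity", "/sysadmin", "/wsm-pm")

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an allowed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed address: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETS)


def flag_requests(lines):
    """Return console requests from untrusted sources, one dict per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:               # unparseable line: skip rather than crash
            continue
        path = m["path"].split("?", 1)[0]   # ignore query string for matching
        if path.startswith(CONSOLE_PREFIXES) and not is_trusted(m["ip"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": path, "status": int(m["status"])})
    return hits


# Constructed sample log lines (documentation-range IPs, fictitious paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:08:15:22 +0000] "POST /identity/faces/signin HTTP/1.1" 200 512',
    '10.20.30.4 - - [10/Mar/2026:08:16:01 +0000] "GET /sysadmin/faces/home HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Mar/2026:08:16:40 +0000] "GET /wsm-pm/validate?x=1 HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Mar/2026:08:17:02 +0000] "GET /static/logo.png HTTP/1.1" 200 3090',
    'not a log line',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Run it against the real access logs of the web tier in front of OIM/OWSM; any hit is a lead to triage, not proof of exploitation.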
## References
- Oracle Security Alert Advisory: hxxps[://]www[.]oracle[.]com/security-alerts/alert-cve-2026-21992[.]html
- Oracle Security Blog: hxxps[://]blogs[.]oracle[.]com/security/alert-cve-2026-21992
- Vulnerability Assurance Program: hxxps[://]www[.]oracle[.]com/corporate/security-practices/assurance/vulnerability/