
Mark0

Oracle pushes emergency fix for critical Identity Manager RCE flaw

Oracle has issued an out-of-band security update to address a critical remote code execution (RCE) vulnerability, tracked as CVE-2026-21992, affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw carries a near-maximum CVSS score of 9.8 and allows unauthenticated attackers to execute code remotely over HTTP with low complexity. Because exploitation requires no user interaction, the flaw poses a significant risk to exposed enterprise servers.

The vulnerability impacts versions 12.2.1.4.0 and 14.1.2.1.0 of both products. Oracle strongly urges administrators to apply the patches immediately. The fix was released through Oracle's Security Alert program, which is reserved for critical or high-risk security threats. While Oracle has declined to comment on whether the vulnerability has been exploited in the wild, the urgency of the out-of-schedule fix suggests a high priority for remediation.

