thehackernews.com 3/21/2026, 11:13:25 AM

Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager

CyberSIXT Evidence Panel
- Primary Source: nvd.nist.gov
- CISA KEV: Listed in KEV
- Patch: Patch Available

Oracle has released security updates to address a critical flaw in Identity Manager and Web Services Manager, tracked as CVE-2026-21992, which carries a CVSS score of 9.8. The vulnerability is described as remotely exploitable without authentication and could result in remote code execution if successfully exploited. It affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, and Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0.

According to a description of the flaw in the NIST National Vulnerability Database (NVD), it is “easily exploitable” and could allow an unauthenticated attacker with network access via HTTP to compromise the affected products. Oracle has urged customers to apply the updates promptly for optimal protection, and there is no mention in the advisory of active exploitation in the wild.

In November 2025, CISA added CVE-2025-61757 to the KEV catalog, citing evidence of active exploitation, though that vulnerability is separate from CVE-2026-21992.


Article by CyberSIXT