ORACLE has fixed a critical vulnerability in Identity Manager, tracked as CVE-2026-21992, which allows unauthenticated remote code execution over HTTP. The flaw enables an unauthenticated attacker to take control of Oracle Identity Manager and Oracle Web Services Manager, risking a full system takeover with severe impact on data and availability. The vulnerability affects Identity Manager and Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0 and has a CVSS score of 9.8.
Oracle notes that the issue is remotely exploitable without authentication and that the vulnerability is “easily exploitable”; however, Oracle did not reveal whether it has been exploited in the wild. According to the Oracle Critical Patch Update Advisory – October 2025, the vendor addressed the flaw with security updates, and customers are urged to apply the updates or mitigations as soon as possible and to remain on actively supported versions.
The article also cites research indicating pre-patch exploitation attempts observed in late 2025, but the primary guidance is to apply the patch promptly.