Oracle has released out-of-band patches for a critical vulnerability, CVE-2026-21992, affecting its Identity Manager and Web Services Manager products, part of the Fusion Middleware suite. According to Oracle’s advisory, an unauthenticated attacker can exploit the flaw to achieve remote code execution, and it carries a CVSS score of 9.8. The affected components are the REST WebServices component of Identity Manager and the Web Services Security component of Web Services Manager.
Oracle’s Integrated Cyber Center issued a security alert to draw attention to the patches, but the vendor has not clearly stated whether the vulnerability has been exploited in the wild. SecurityWeek notes that in November 2025 Oracle informed customers about another critical pre-authentication remote code execution vulnerability in Identity Manager and, while it did not mention exploitation at the time, others later confirmed it had been exploited as a zero-day.