167/69 Tuesday, March 24, 2026

Oracle has released security updates to address a critical vulnerability tracked as CVE-2026-21992 (CVSS score: 9.8), affecting Oracle Identity Manager and Oracle Web Services Manager. The flaw can be exploited remotely over HTTP by an attacker who has no credentials, potentially leading to Remote Code Execution (RCE). Successful exploitation could result in full system compromise, impacting the confidentiality, integrity, and availability of affected systems.
Oracle classified this vulnerability as “easily exploitable” and strongly recommends that users apply the available patches or mitigation measures as soon as possible. The issue impacts versions 12.2.1.4.0 and 14.1.2.1.0 of both products. However, the company has not confirmed whether the vulnerability has been actively exploited in the wild.
In addition, there are related reports of a similar vulnerability in the Oracle Fusion Middleware family (CVE-2025-61757), where real-world exploitation attempts were observed via honeypot data from the SANS Institute. Attackers were seen sending crafted HTTP POST requests to exploit systems even before an official patch was released, highlighting the risk that such vulnerabilities could be leveraged as zero-day exploits. Organizations are therefore strongly advised to promptly update their systems and closely monitor security advisories to mitigate potential risks.
