
Security Alert: Unauthenticated RCE in Oracle Identity Manager and Oracle Web Services Manager (CVE-2026-21992)

A critical security vulnerability (CVE-2026-21992) has been identified in Oracle Identity Manager and Oracle Web Services Manager that allows remote attackers to execute arbitrary code over the network without requiring authentication, making it particularly dangerous for exposed systems.
 
Affected Systems:
 
The following Oracle products and versions are affected:
  • Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
  • Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0
 
Security Risks
 
Successful exploitation of this vulnerability could allow an attacker to remotely take control of affected systems without authentication or user interaction, potentially leading to full system compromise and unauthorized access to sensitive data.
 
Recommended Actions
 
The National Cyber Security Authority (NCSA) strongly recommends that system administrators:
  • Follow Oracle Security Alert Advisory - CVE-2026-21992 to lower the risk of potential exploits, protect systems, and ensure their security.
  • Apply the required and latest security updates as soon as possible.
  • Before updating or patching, please ensure that you have the latest backup that can easily be restored.
 

For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us at 9009.

 
26 March 2026

© 2026 National Cyber Security Authority