- March 23, 2026
Critical Vulnerability in Oracle Identity Manager and Web Services Manager (CVE-2026-21992)
Oracle has released an emergency out-of-band patch for a critical remote code execution vulnerability affecting Oracle Identity Manager (OIM) and Oracle Web Services Manager (OWSM). The vulnerability is tracked as CVE-2026-21992 and is rated at a critical CVSS score of 9.8.
Executive Summary
If successfully exploited, the flaw allows an unauthenticated attacker to execute code remotely via the affected HTTP endpoints without user interaction, which could result in complete compromise of the underlying hosting servers. These applications are commonly deployed on the network perimeter, so a successful compromise can grant a threat actor initial access into an organization’s network.
Flaws within Oracle Identity Manager and Fusion Middleware have a recent, documented history of being targeted and weaponized by threat actors. Beazley Security assesses that CVE-2026-21992 is likely to be exploited soon and strongly recommends that affected organizations patch immediately.
Affected Systems or Products
| Product | Affected Versions | Fixed Versions |
|---|---|---|
| Oracle Identity Manager (OIM) | 12.2.1.4.0, 14.1.2.1.0 | Fusion Middleware KB878741 |
| Oracle Web Services Manager (OWSM) | 12.2.1.4.0, 14.1.2.1.0 | Fusion Middleware KB878741 |
Affected versions are patched via Oracle’s out-of-band update (KB878741). Please see the “Patches” section for more information.
Mitigations / Workarounds
Given recent targeting and active exploitation of Oracle components by ransomware operators, patching is strongly encouraged. Oracle has released emergency patches to remediate this vulnerability; please see the “Patches” section for more information.
If patching cannot be immediately applied, the following mitigations may temporarily reduce the risk of exposure:
If possible, restrict public network access to Oracle systems, or temporarily isolate them, especially those exposing OIM and OWSM endpoints
Implement Web Application Firewall (WAF) rules to detect and block malicious or unexpected payloads targeting Oracle middleware endpoints
Monitor OIM and OWSM servers for unusual activity, including unexpected process execution and anomalous outbound connections
Patches
Patches are available through Oracle’s Fusion Middleware Patch Availability Document (requires Oracle login) which provides step-by-step installation instructions tailored to supported versions.
For additional information, please see Oracle’s original security advisory.
Indicators of Compromise
Oracle has not confirmed active exploitation of CVE-2026-21992 or released any public indicators of compromise at the time of this advisory. Given the history of Oracle Identity Manager vulnerabilities being targeted, defenders can monitor for the following indicators of attack:
Unusual HTTP/HTTPS POST requests to Oracle middleware endpoints
Unexpected access attempts to oim or wsm resource paths
Unexpected process execution on Oracle application servers
Abnormal outbound network connections originating from affected servers
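As an added illustration (not part of the Beazley advisory), the following Python script applies the first two indicators above to web-server access-log lines: it flags POST requests to paths containing an oim or wsm segment and any access to such paths from outside an assumed internal allowlist, then tallies hits per source. The sample log lines, the /oim and /wsm placeholder paths and the internal ranges are constructed assumptions; the advisory names no specific endpoint.

```python
import ipaddress
import re
from collections import Counter

# Combined-format access log line (Apache/WebLogic style): source, method, path, status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
WATCHED_TOKENS = ("oim", "wsm")  # resource-path tokens the advisory says to watch
# Assumed internal ranges (placeholder allowlist; substitute the organization's own).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def is_watched_path(path):
    # Match whole path segments (query string stripped) so "/oimx/" is not a false hit.
    segments = path.split("?", 1)[0].lower().strip("/").split("/")
    return any(seg in WATCHED_TOKENS for seg in segments)

def is_external(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # an unparsable source is treated as untrusted
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspicious(lines):
    # Flag POSTs to oim/wsm paths, and any access to them from outside the allowlist.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_watched_path(m["path"]):
            continue
        reasons = []
        if m["method"] == "POST":
            reasons.append("post-to-middleware")
        if is_external(m["src"]):
            reasons.append("external-source")
        if reasons:
            hits.append({"src": m["src"], "path": m["path"], "status": m["status"], "reasons": reasons})
    return hits

def count_by_source(hits):
    # Per-source tally so a single host repeatedly probing the endpoints stands out.
    return Counter(h["src"] for h in hits)

# Constructed sample lines; the /oim and /wsm paths are placeholders, not real endpoints.
SAMPLE_LOG = [
    '10.1.2.3 - - [23/Mar/2026:10:00:01 +0000] "GET /oim/placeholder HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Mar/2026:10:00:05 +0000] "POST /oim/placeholder HTTP/1.1" 500 0',
    '203.0.113.7 - - [23/Mar/2026:10:00:06 +0000] "POST /wsm/placeholder?x=1 HTTP/1.1" 200 64',
    '10.1.2.3 - - [23/Mar/2026:10:00:09 +0000] "POST /wsm/placeholder HTTP/1.1" 200 64',
    '198.51.100.9 - - [23/Mar/2026:10:00:10 +0000] "GET /static/logo.png HTTP/1.1" 200 1024',
]
```

Run `find_suspicious(SAMPLE_LOG)` and `count_by_source(...)` on the result; internal GETs to the watched paths are deliberately not flagged, which keeps ordinary administrative use out of the alert stream.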
Technical Details
The vulnerability in Oracle Identity Manager and Oracle Web Services Manager products is being tracked as CVE-2026-21992 and classified by Oracle as “remotely exploitable without authentication”. If exploited, the flaw allows unauthenticated attackers with network access to compromise Oracle Identity Manager and Oracle Web Services Manager via HTTP, potentially resulting in full system compromise.
Oracle has released limited technical details about the flaw at the time of this advisory. Although exploit details have not been publicly disclosed, the affected components (OIM and OWSM) are commonly exposed through web-accessible middleware endpoints. NIST has assessed the vulnerability as “easily” exploitable, indicating that exploitation may not require much sophistication.
Beazley Security Labs cannot confirm the validity of a publicly referenced exploit posted on GitHub at the time of this writing, but a purported PoC was observed for sale at approximately $2.5k USD given current exchange rates. A seemingly related vulnerability (CVE-2025-61757) stemmed from insufficient authentication protections within Oracle Identity Manager in October 2025 and was quickly confirmed as exploited in the wild after disclosure.
Given the severity of this vulnerability, potential for exploitation, and historical targeting and weaponization of similar flaws discovered in Oracle, Beazley Security strongly recommends that organizations apply the available patches as soon as possible.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.