Oracle published an out-of-band security alert for a critical vulnerability in Oracle Identity Manager and Oracle Web Services Manager, following in-the-wild exploitation of a related flaw in the same component in November 2025. Key takeaways: CVE-2026-21992 is a critical remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager with a CVSSv3 score of 9.8. The vulnerability is remotely exploitable without authentication, and Oracle issued an out-of-band security alert outside of its regular quarterly Critical Patch Update cycle. A related vulnerability in Oracle Identity Manager's REST WebServices component, CVE-2025-61757, was exploited in the wild and added to CISA's KEV catalog in November 2025. Background On March 19, Oracle published an out-of-band security alert for a critical vulnerability in two Oracle Fusion Middleware products: CVE Description CVSSv3 CVE-2026-21992 Oracle Fusion Middleware Remote Code Execution Vulnerability 9.8 Oracle rarely issues out-of-band security alerts, reserving them for vulnerabilities that warrant attention outside of its quarterly Critical Patch Update (CPU) cycle. The next scheduled CPU is April 2026. Analysis CVE-2026-21992 is a remote code execution vulnerability affecting two Oracle Fusion Middleware products: Oracle Identity Manager and Oracle Web Services Manager. An unauthenticated, remote attacker could exploit this vulnerability over HTTP to achieve code execution on a vulnerable system. The vulnerability has a CVSSv3 score of 9.8. The vulnerability affects different components in each product. In Oracle Identity Manager, the affected component is REST WebServices. In Oracle Web Services Manager, the affected component is Web Services Security. Out-of-band advisory signals elevated risk Oracle describes its Security Alerts as fixes "deemed too critical to wait for distribution in the next Critical Patch Update." Oracle has issued approximately 31 Security Alerts since 2010, averaging about two per year. The decision to release CVE-2026-21992 as an out-of-band Security Alert rather than waiting for the next quarterly CPU in April 2026 is significant. This is only the second out-of-band Security Alert Oracle has issued for Oracle Identity Manager. The first, CVE-2017-10151 , was a CVSS 10.0 default account vulnerability that allowed complete compromise of Identity Manager via an unauthenticated network attack. The urgency may be related to CVE-2025-61757 , a pre-authentication RCE in Oracle Identity Manager patched in Oracle’s October 2025 CPU and added to CISA's Known Exploited Vulnerabilities (KEV) catalog in November 2025. Researchers at Searchlight Cyber published details describing CVE-2025-61757 as an authentication bypass in Identity Manager's REST WebServices component, calling it "somewhat trivial and easily exploitable by threat actors." While CVE-2026-21992 affects the same product, component and versions, Oracle has not confirmed whether the two are related. Oracle has also not disclosed whether CVE-2026-21992 has been exploited in the wild. Historical exploitation of Oracle Fusion Middleware vulnerabilities Oracle Fusion Middleware has six vulnerabilities in CISA's KEV catalog. Oracle has 42 total entries across all products in the catalog. CVE Description Date Added CVE-2025-61757 Oracle Fusion Middleware Missing Authentication Vulnerability (Identity Manager) 2025-11-21 CVE-2021-35587 Oracle Fusion Middleware Access Manager Takeover Vulnerability 2022-11-28 CVE-2020-2551 Oracle Fusion Middleware WebLogic Server Vulnerability 2023-11-16 CVE-2012-1710 Oracle WebCenter Forms Recognition Vulnerability 2022-05-25 CVE-2012-0518 Oracle Application Server Single Sign-On Vulnerability 2022-03-28 CVE-2012-3152 Oracle Fusion Middleware Reports Developer Vulnerability 2021-11-03 Proof of concept At the time this blog post was published, there was no public proof-of-concept (PoC) available for CVE-2026-21992. Solution Oracle has released patches for the following affected products: Affected Products CVE Affected Versions Oracle Identity Manager CVE-2026-21992 12.2.1.4.0, 14.1.2.1.0 Oracle Web Services Manager CVE-2026-21992 12.2.1.4.0, 14.1.2.1.0 Patch details are available through the Patch Availability Document for Fusion Middleware . Identifying affected systems A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-21992 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline . Get more information Oracle Security Alert Advisory - CVE-2026-21992 Breaking Oracle's Identity Manager: Pre-Auth RCE (CVE-2025-61757) Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats. Learn more about Tenable One , the Exposure Management Platform for the modern attack surface.