PT-2026-26538 · Oracle · Oracle Identity Manager+1

Publicado

2026-03-19

·

Atualizado

2026-05-18

·

CVE-2026-21992

CVSS v3.1

10

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0
Description A critical vulnerability exists in Oracle Identity Manager (component: REST WebServices) and Oracle Web Services Manager (component: Web Services Security) within Oracle Fusion Middleware. This flaw allows unauthenticated attackers with network access via HTTP to compromise these systems. Successful exploitation can lead to a complete takeover of Oracle Identity Manager and Oracle Web Services Manager. The vulnerability is remotely exploitable without authentication, enabling remote code execution. Reports indicate that this vulnerability, designated CVE-2026-21992, may already be exploited in the wild, with attackers gaining unauthenticated remote code execution and creating privileged accounts for lateral movement. The vulnerability has a CVSS score of 9.8.
Recommendations Apply the security updates released by Oracle to address CVE-2026-21992 for Oracle Identity Manager version 12.2.1.4.0. Apply the security updates released by Oracle to address CVE-2026-21992 for Oracle Identity Manager version 14.1.2.1.0. Apply the security updates released by Oracle to address CVE-2026-21992 for Oracle Web Services Manager version 12.2.1.4.0. Apply the security updates released by Oracle to address CVE-2026-21992 for Oracle Web Services Manager version 14.1.2.1.0.

Exploit

Correção

RCE

Missing Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

BDU:2026-03475
CVE-2026-21992

Produtos afetados

Oracle Identity Manager
Oracle Web Services Manager