INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Oracle Fixes RCE Flaw in Identity Manager
2026-03-22 15:37 | CRITICAL | MEDIUM
Executive Summary AI-generated
The vulnerability, tracked as CVE-2026-21992 in Oracle Identity Manager and Web Services Manager, poses a significant threat to organizations relying on these systems. This critical flaw allows unauthenticated attackers to take control of the affected software over HTTP, potentially leading to remote code execution and compromising system integrity. For the related flaw CVE-2025-61757, SANS researcher Johannes B. Ullrich reported multiple HTTP POST attempts targeting the associated Oracle Identity Manager endpoint in his organization's honeypot logs between August 30 and September 9, 2025, which suggests that flaw was exploited weeks before Oracle released a patch.
Technical Mitigations AI-generated
* Implement a secure authentication mechanism, such as OAuth or JWT-based authentication, to ensure that only authenticated users can access sensitive data and systems.
* Regularly update and patch operating systems, applications, and services to prevent exploitation of known vulnerabilities like CVE-2026-21992.
* Use network segmentation and firewalls to limit the spread of malware and unauthorized access within an organization's network.
* Conduct regular security audits and penetration testing to identify potential vulnerabilities and weaknesses in Oracle Identity Manager and Web Services Manager.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2025-61757
CVE-2026-21992
Target & Sectors
NORTH_AMERICA
Incident Timeline
September 9, 2025
Threat actors used a 556-byte POST payload to exploit a previously unknown zero-day vulnerability in Oracle Identity Manager.
The 556-byte POST payloads indicate likely exploitation as a zero-day, weeks before Oracle released a patch.
October 2025
Oracle addressed the flaw with the release of Oracle Critical Patch Update Advisory – October 2025.
November 2025
Threat actors used an Oracle Fusion Middleware flaw to target versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager in November 2025.
In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Oracle Fusion Middleware flaw, tracked as CVE-2025-61757 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog.
In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61757 (CVSS score: 9.8), a pre-authenticated remote code execution flaw impacting Oracle Identity Manager, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The flaw impacts versions 12.2.1.4.0 and 14.1.2.1.0.
2026-03-19
Threat actors used a vulnerability in Oracle's Identity Manager to gain unauthorized access.
March 19
Oracle released a security alert on March 19 to inform the public about a newly discovered critical Remote Code Execution (RCE) flaw in its Identity Manager software.
On March 19, the enterprise software and cloud computing giant released a special security alert for the newly discovered issue, now labeled CVE-2026-21992.
2026-03-20
Threat actors exploited a previously unknown critical Remote Code Execution (RCE) vulnerability in Oracle's Identity Manager, identified as CVE-2026-21992.
In a separate blog post published today, Oracle once again noted the severity of CVE-2026-21992 and warned customers to review the security alert for full details and patch information.
Mar 21, 2026
Threat actors used a known vulnerability in Oracle's Identity Manager to gain unauthorized access.
between August 30 and September 9, 2025
Threat actors used an exploit of a previously unknown vulnerability in Oracle Identity Manager to target the CVE-2025-61757 endpoint between August 30 and September 9, 2025.
SANS researcher Johannes B. Ullrich recently reported that an analysis of his organization’s honeypot logs revealed multiple HTTP POST attempts between August 30 and September 9, 2025, targeting the Oracle Identity Manager endpoint associated with CVE-2025-61757.
2026-03-22
Oracle fixed a critical severity flaw, CVE-2026-21992.
Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992.
Oracle released security updates to address a critical vulnerability, tracked as CVE-2026-21992 (CVSS score of 9.8), affecting Identity Manager and Web Services Manager.
In the past decade and a half, Oracle has released specialized security alerts for such vulnerabilities just around 30 times.
Oracle makes no mention of the vulnerability being exploited in the wild.
The CVE-2026-21992 vulnerability has a CVSS v3.1 severity score of 9.8 and impacts Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, as well as Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0.
CVE-2026-21992 affects the following versions:
* Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
* Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0
The vulnerability impacts Oracle Web Services Manager and Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0.
The vulnerability, tracked as CVE-2026-21992, carries a CVSS score of 9.8 out of a maximum of 10.0.
In many ways, CVE-2026-21992 resembles another recent OIM vulnerability that also earned a 9.8 CVSS score: CVE-2025-61757, first disclosed last October.
Large Organizations Have Patching Complications
Considering the average size of Oracle's customers, CVE-2026-21992 may be of particular interest to big game hunters on the Dark Web.
Organizational size and complexity can also complicate patching processes, in some cases.
It affects the Oracle Identity Manager (OIM) and Oracle Web Services Manager (OWSM), and its severity is obvious at first glance, as it enables remote code execution (RCE) and requires no authentication to exploit.
Oracle Identity Manager is used for managing identities and access across an enterprise, while Oracle Web Services Manager provides security and management controls for web services.
The flaw lets unauthenticated attackers over HTTP take control of Oracle Identity Manager and Web Services Manager, risking full system compromise with severe impact on data and availability.
According to a description of the flaw in the NIST National Vulnerability Database (NVD), it's "easily exploitable" and could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager.
Both affect OIM's REST WebServices component, affect the same software versions (12.2.1.4.0 and 14.1.2.1.0), and allow for RCE.
Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay.
Oracle has not disclosed whether the vulnerability has been exploited and declined to comment when BleepingComputer asked about its exploitation status.
According to data from business intelligence aggregators Enlyft and Landbase, OIM is deployed at north of 1,000 organizations, mostly in the United States, and largely in IT and other tech industries.
Oracle broke its usual patch cycle this week to announce a critical vulnerability in its Fusion Middleware.
Notable is its popularity with large multinationals, like Walmart, Huawei, and ExxonMobil.
A plurality of its customers fall into demographic categories like: employs more than 10,000 employees, earns more than $1 billion in annual revenue, etc.
Critical RCE Bug in Oracle Fusion Middleware
Oracle typically organizes software fixes into quarterly updates for customers.
It's an issue in the HTTP application programming interface (API) surface of Oracle's identity and Web services security stack; and according to the risk matrix published in Oracle's advisory, attacking it requires relatively little complexity.
Intelligence Sources
* BleepingComputer, 2026-03-20: Oracle pushes emergency fix for critical Identity Manager RCE flaw
* Dark Reading, 2026-03-20
* The Hacker News, 2026-03-21
* Security Affairs, 2026-03-22: Oracle fixes critical RCE flaw CVE-2026-21992 in Identity Manager
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:27