Oracle Patches Critical RCE Vulnerability in Fusion Middleware; CVE-2026-21992 Rated 9.8 CVSS

Oracle Urgently Patches Critical Remote Code Execution Vulnerability in Fusion Middleware

Oracle has released an out-of-band security update to address a critical remote code execution (RCE) vulnerability, tracked as CVE-2026-21992, affecting two widely used Fusion Middleware components: Oracle Identity Manager and Oracle Web Services Manager. The flaw carries a CVSS 3.1 base score of 9.8, reflecting its severe potential impact.

Vulnerability Details

CVE-2026-21992 is an unauthenticated, remotely exploitable vulnerability that requires no user interaction or special privileges. An attacker with HTTP access to an exposed endpoint can exploit it over the network, potentially leading to full system compromise. The vulnerability affects the following product versions:

– Oracle Identity Manager: Versions 12.2.1.4.0 and 14.1.2.1.0

– Oracle Web Services Manager: Versions 12.2.1.4.0 and 14.1.2.1.0

In Oracle Identity Manager, the flaw resides in the REST Web Services component, while in Oracle Web Services Manager, it exists within the Web Services Security module. Notably, Web Services Manager is often installed alongside Oracle Fusion Middleware Infrastructure, potentially expanding the attack surface across enterprise deployments.

Potential Impact

The high CVSS score and lack of authentication requirements make this vulnerability particularly dangerous for organizations with internet-facing Oracle Fusion Middleware deployments. Oracle Identity Manager is a critical identity governance platform, and Oracle Web Services Manager handles security policy enforcement for web services. Exploitation could result in full system compromise, credential theft, or lateral movement across connected systems.

Recommended Actions

Oracle strongly urges all customers to apply the available patches immediately. The security alert, initially released on March 19, 2026, was updated on March 20, 2026, with additional notes from Oracle. Organizations running unsupported versions of the affected products are advised to upgrade to a supported release, as patches are provided only for versions in the Premier Support or Extended Support phases under Oracle’s Lifetime Support Policy.

Security teams should prioritize patching any externally accessible instances and review HTTP/HTTPS exposure of REST Web Services and Web Services Security endpoints until remediation is complete. Customers can reference the full risk matrix and detailed CVE information on Oracle’s official Security Alerts portal.