EMERGENCY OUT-OF-BAND SECURITY ALERT
Out-of-Band Emergency Alert · March 2026
CVE-2026-21992

Oracle Identity Manager Unauthenticated RCE

Oracle released an out-of-band emergency Security Alert in March 2026 for CVE-2026-21992 — a CVSS 9.8 Critical unauthenticated remote code execution vulnerability in Oracle Identity Manager (OIM/OIG) REST WebServices. Attackers can execute arbitrary code on affected systems over HTTP without credentials. Immediate patching required.

CVSS 9.8 Critical
Remotely Exploitable
No Authentication Required
Complete System Takeover Possible
Threat Profile: EMERGENCY
CVSS Score: 9.8 (Critical · Network exploitable)
Attack Vector: Network/HTTP
Auth Required: None
Impact: RCE
Affected Components: 10
⚠ Closely resembles CVE-2025-61757
CVE-2025-61757 was added to the CISA KEV catalog after active exploitation. Adapted exploits may already exist.
KEY SECURITY OBSERVATIONS

Why This Alert Demands Immediate Action

Six observations that distinguish CVE-2026-21992 from a routine Oracle security advisory.

Out-of-Band Emergency Alert

Oracle issued this outside the normal quarterly CPU cycle. Oracle reserves out-of-band alerts for the most severe risks — patching cannot wait for the next quarterly window.

Unauthenticated & Remotely Exploitable

Attackers can exploit the vulnerability over HTTP without credentials. Any internet-exposed (or accessible-from-corporate-network) OIM instance is at immediate risk.

Complete System Takeover

NVD indicates compromise can result in complete takeover of affected systems. RCE on identity infrastructure means attackers gain persistent privileged access to identity provisioning.

Identity Infrastructure is High-Value

Oracle Identity Manager/OIG environments manage enterprise-wide provisioning and access governance. Compromise grants attackers control of who can access what across all integrated systems.

Hidden Exposure via OWSM

Oracle Web Services Manager (OWSM) is commonly bundled with Fusion Middleware Infrastructure. Many organisations have OWSM deployed without realising it, which means an exposure surface they have never inventoried.

Similar to CVE-2025-61757 (CISA KEV)

CVE-2025-61757 reached CISA's Known Exploited Vulnerabilities catalog after active exploitation in the wild. CVE-2026-21992's similarity suggests adapted exploits may already exist or emerge rapidly.

Immediate Action Plan

  1. Inventory: Identify all Oracle Identity Manager (OIM/OIG) and Oracle Web Services Manager (OWSM) deployments — including bundled installations inside Fusion Middleware Infrastructure.
  2. Patch: Apply Oracle's emergency CVE-2026-21992 patch to all affected instances immediately.
  3. Compensating control (if patching is delayed): Restrict network access to OIM REST WebServices APIs at the firewall/WAF layer. Block external HTTP access to identity infrastructure.
  4. Threat hunt: Review OIM/OIG logs for the past 30+ days. Look for suspicious provisioning events, unexpected role assignments, credential-store access, or new admin accounts.
  5. Validate: After patching, run full identity regression — login flows, SSO, SCIM provisioning, role assignments, password management, reconciliation jobs.
  6. Document: Capture evidence of patch application and validation for SOX, ISO 27001, internal audit and customer security reviews.
  7. Communicate: Notify CISO, internal audit, and any third parties consuming your identity APIs about the alert and your remediation status.
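Step 4 (threat hunt) is the one most teams under-specify. The script below is an added example, not Oracle's code and not part of the original alert: it runs the four hunt criteria from the plan (new admin accounts, unexpected or administrative role assignments, provisioning by an actor outside the baseline, credential-store access) over a 30-day window of audit records. The record format (`timestamp|event|actor|target|detail`), the event names, the baseline actor list, the admin role names and the sample log lines are all constructed for the example; a real OIM/OIG audit export has to be mapped onto those fields first.

```python
"""Threat hunt over OIM/OIG-style audit records for CVE-2026-21992 follow-up.

Constructed example for the action plan above; it is not Oracle's code.
Assumptions: audit records have already been exported as pipe-delimited
lines `timestamp|event|actor|target|detail` with ISO-8601 UTC timestamps,
and the baseline actors / admin role names below are placeholders that
must be replaced with the values from your own deployment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Identities expected to create users, provision targets and assign roles
# (reconciliation / connector service accounts and the admin account).
# Constructed baseline, not an Oracle default.
BASELINE_ACTORS = {"svc_recon", "svc_hr_connector", "xelsysadm"}

# Roles whose assignment is equivalent to administrative control of OIM.
# Constructed names; map them to the admin roles in your environment.
ADMIN_ROLES = {"SYSTEM ADMINISTRATORS", "OrclOIMSystemAdministrator"}

# Event names are constructed; real OIM audit events must be mapped to them.
CREDENTIAL_STORE_EVENTS = {"CSF_READ", "CSF_WRITE"}

# Reference "now" for the lookback window (constructed, fixed for the sample).
REFERENCE_NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)

# Constructed sample export: one clean provisioning run, one cluster of
# post-compromise-style activity, and one old record outside the window.
SAMPLE_LOG = """\
2026-03-02T08:15:00+00:00|PROVISION|svc_hr_connector|jdoe|AD_User
2026-03-03T02:41:10+00:00|CREATE_USER|svc_recon|ops_tmp1|SYSTEM ADMINISTRATORS
2026-03-03T02:42:05+00:00|ASSIGN_ROLE|ops_tmp1|ops_tmp1|OrclOIMSystemAdministrator
2026-03-03T02:45:30+00:00|CSF_READ|ops_tmp1|oim_db_credential|map=oim
2026-03-04T09:00:00+00:00|ASSIGN_ROLE|xelsysadm|asmith|Helpdesk
2026-01-15T12:00:00+00:00|ASSIGN_ROLE|unknown_actor|bob|SYSTEM ADMINISTRATORS
"""


@dataclass
class Record:
    ts: datetime
    event: str
    actor: str
    target: str
    detail: str


def parse_line(line: str) -> Record:
    """Split one exported audit line into its five fields (detail may contain '|')."""
    ts, event, actor, target, detail = line.strip().split("|", 4)
    return Record(datetime.fromisoformat(ts), event, actor, target, detail)


def hunt(lines, now=REFERENCE_NOW, lookback_days=30):
    """Return (rule_name, record) pairs for records inside the lookback window.

    The rules mirror the action plan: new admin accounts, admin or
    out-of-baseline role assignments, provisioning by an unexpected actor,
    and any credential-store access. A baseline actor is still flagged when
    it creates an admin account, since service accounts are what an RCE
    on the OIM host would be running as.
    """
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.ts < cutoff:
            continue  # older than the review window; skip
        if rec.event == "CREATE_USER" and rec.detail in ADMIN_ROLES:
            findings.append(("new_admin_account", rec))
        if rec.event == "ASSIGN_ROLE":
            if rec.detail in ADMIN_ROLES:
                findings.append(("admin_role_assignment", rec))
            if rec.actor not in BASELINE_ACTORS:
                findings.append(("role_assignment_by_unexpected_actor", rec))
        if rec.event == "PROVISION" and rec.actor not in BASELINE_ACTORS:
            findings.append(("provisioning_by_unexpected_actor", rec))
        if rec.event in CREDENTIAL_STORE_EVENTS:
            findings.append(("credential_store_access", rec))
    return findings


def suspicious_actors(findings):
    """Distinct actors appearing in any finding, for pivoting the investigation."""
    return sorted({rec.actor for _, rec in findings})


def run_sample():
    """Hunt over the constructed sample export with the 30-day default window."""
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, rec in run_sample():
        print(f"{rec.ts.isoformat()} {rule:<38} actor={rec.actor} target={rec.target}")
    print("pivot on:", suspicious_actors(run_sample()))
```

On the sample, the clean connector run and the helpdesk assignment by the admin account produce nothing, the January record falls outside the 30-day window, and the 02:41 cluster produces four findings chained to one new account; widening `lookback_days` to 60 pulls the January admin assignment back into scope, which is why the plan says "30+ days" rather than exactly 30.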

Affected Oracle Components

Components impacted by CVE-2026-21992 and the March 2026 Security Alert.

Oracle Identity Manager (OIM/OIG)
CRITICAL (CVSS 9.8)

CVE-2026-21992 Unauthenticated RCE

Type: Security / Remote Code Execution · Immediate patching required

What changed: Critical out-of-band security alert for unauthenticated HTTP-based remote code execution in Oracle Identity Manager REST WebServices

Why it matters: Compromise of OIM can provide attackers privileged access across enterprise systems and identity infrastructure (Oracle)

Pages: OIG Console · Identity Self-Service · Admin Console
APIs: REST WebServices APIs · IAM APIs
ESS Jobs: Identity Reconciliation Jobs · Provisioning Jobs · Sync Jobs
Config: SSO Configurations · OAuth Policies · Identity Connectors · Access Policies
Processes: User Provisioning · Role Assignment · Access Certification · Authentication · +1 more
Test Cases: Login validation · user provisioning regression · REST API authentication testing · role assignment testing · +1 more
Data Objects: Users · Roles · Access Policies · Provisioning Rules · +1 more
Oracle Web Services Manager (OWSM)
CRITICAL (CVSS 9.8)

CVE-2026-21992 Web Services Security RCE

Type: Security / Middleware · Immediate patching required

What changed: Critical unauthenticated RCE vulnerability in OWSM Web Services Security component

Why it matters: OWSM governs enterprise service trust and authentication policies across Fusion Middleware (Oracle)

Pages: Middleware Admin Console · WebLogic Console
APIs: SOAP APIs · REST APIs · Security Services APIs
ESS Jobs: Middleware Jobs · Security Policy Sync Jobs
Config: WS-Security Policies · OAuth Policies · Trust Stores
Processes: API Security Enforcement · Web Service Authentication · Integration Security
Test Cases: SOAP/REST security validation · token propagation testing · middleware authentication regression
Data Objects: SOAP Policies · REST Policies · Trust Configurations
Oracle Fusion Middleware Infrastructure
CRITICAL

Emergency Out-of-Band Security Alert

Type: Security / Infrastructure · Customer action required

What changed: Oracle issued a rare out-of-band patch outside the regular CPU cycle because of the critical severity

Why it matters: Oracle rarely releases out-of-band alerts; doing so indicates elevated enterprise risk (Tenable®)

Pages: Login Pages · Middleware Consoles
APIs: Middleware APIs
ESS Jobs: Domain Sync Jobs
Config: WebLogic Security Configs · SSL Policies
Processes: Enterprise Authentication & Integration
Test Cases: Middleware startup validation · SSL validation · SSO integration testing
Data Objects: WebLogic Domains · Security Providers
Identity Governance
CRITICAL

REST WebServices Authentication Bypass

Type: Security / Authentication · Immediate remediation recommended

What changed: Vulnerability tied to missing authentication enforcement (CWE-306) in REST layer

Why it matters: Vulnerability allows unauthenticated network attackers to execute code remotely (Lab Space)

Pages: Identity Governance Work Area
APIs: SCIM APIs · REST Identity APIs
ESS Jobs: Identity Sync Jobs
Config: SCIM Configurations · Identity Policies
Processes: Identity Lifecycle Management
Test Cases: SCIM endpoint testing · authentication enforcement validation · API authorization testing
Data Objects: Access Requests · Certifications · User Accounts
Oracle IAM Infrastructure
CRITICAL

Enterprise IAM Exposure

Type: Security / Access Control · Immediate patching required

What changed: OIM/OIG acts as enterprise source of truth for user access and provisioning

Why it matters: Successful exploitation may compromise connected enterprise systems and credential stores (Lab Space)

Pages: IAM Console
APIs: Identity APIs
ESS Jobs: User Sync Jobs
Config: Federation · LDAP · SSO Configurations
Processes: Enterprise-wide Authentication & Provisioning
Test Cases: Federation validation · LDAP sync testing · SSO regression testing
Data Objects: Users · Groups · Federated Accounts
Oracle WebLogic Ecosystem
CRITICAL

HTTP Remote Attack Surface Exposure

Type: Security / Network Exposure · Immediate mitigation required

What changed: Vulnerability exploitable remotely over HTTP with no authentication or user interaction

Why it matters: Public HTTP exposure significantly increases exploitation likelihood (Oracle)

Pages: Public-facing Middleware URLs
APIs: REST/SOAP APIs
ESS Jobs: Middleware Scheduler Jobs
Config: Reverse Proxy Configs · WAF Rules
Processes: External Integration & Identity Access
Test Cases: External penetration testing · WAF validation · endpoint restriction testing
Data Objects: HTTP Endpoints · Web Services
Oracle Fusion Applications Integration
HIGH-CRITICAL

Integration Trust Boundary Exposure

Type: Security / Integration · Customer validation required

What changed: OWSM policies used across Fusion integrations may be impacted

Why it matters: Integration security failure can disrupt ERP ecosystem trust boundaries (Penligent)

Pages: Fusion Integration Pages
APIs: Fusion REST/SOAP APIs
ESS Jobs: Integration ESS Jobs
Config: OAuth · Certificates · Trust Policies
Processes: ERP Integrations & Middleware Flows
Test Cases: Fusion integration regression · token validation · API connectivity testing
Data Objects: Service Accounts · Tokens · Certificates
Oracle Identity Governance SCIM Services
CRITICAL

SCIM Service Exposure

Type: Security / SCIM · Disable/restrict if unused

What changed: SCIM services reportedly enabled by default in some OIG deployments

Why it matters: Default-enabled HTTP endpoints increase attack surface significantly (Penligent)

Pages: SCIM Endpoints
APIs: SCIM REST APIs
ESS Jobs: Identity Synchronization Jobs
Config: SCIM Endpoint Configurations
Processes: Identity Federation & User Provisioning
Test Cases: SCIM endpoint restriction testing · HTTPS enforcement validation
Data Objects: SCIM Users · Groups
Oracle Security Operations
CRITICAL

Incident Response & Threat Monitoring

Type: Security / Threat Response · Mandatory operational response

What changed: Oracle strongly recommends immediate application of fixes or mitigations

Why it matters: Similar prior OIM vulnerabilities were actively exploited and added to CISA KEV catalog (Tenable®)

Pages: Security Monitoring Consoles
APIs: Audit APIs
ESS Jobs: Log Aggregation Jobs
Config: SIEM Rules · Alert Policies
Processes: Security Monitoring & Incident Response
Test Cases: IOC review · log analysis · compromise assessment · vulnerability scanning
Data Objects: Logs · Audit Trails · SIEM Events
Oracle Supported Versions Governance
CRITICAL

Affected Supported Versions

Type: Security / Lifecycle · Upgrade/patch required

What changed: Affected versions: 12.2.1.4.0 and 14.1.2.1.0 for both OIM and OWSM

Why it matters: Oracle warns unsupported earlier versions may also be affected (Oracle)

Pages: Middleware Consoles
APIs: Patch Management APIs
ESS Jobs: Patch Deployment Jobs
Config: Lifecycle Support Policies
Processes: Patch Governance & Compliance
Test Cases: Patch inventory validation · unsupported-version discovery
Data Objects: OIM/OWSM Deployments

Aggregated Components & Validations

Deduplicated inventory of components impacted by the March 2026 Security Alert.

Affected Pages (13)

Admin Console · Fusion Integration Pages · IAM Console · Identity Governance Work Area · Identity Self-Service · Login Pages · Middleware Admin Console · Middleware Consoles · OIG Console · Public-facing Middleware URLs · SCIM Endpoints · Security Monitoring Consoles · WebLogic Console

Affected APIs (14)

Audit APIs · Fusion REST/SOAP APIs · IAM APIs · Identity APIs · Middleware APIs · Patch Management APIs · REST APIs · REST Identity APIs · REST WebServices APIs · REST/SOAP APIs · SCIM APIs · SCIM REST APIs · SOAP APIs · Security Services APIs

Recommended Test Cases (31)

API authorization testing · API connectivity testing · External penetration testing · Federation validation · Fusion integration regression · HTTPS enforcement validation · IOC review · LDAP sync testing · Login validation · Middleware startup validation · Patch inventory validation · REST API authentication testing · SCIM endpoint restriction testing · SCIM endpoint testing · SOAP/REST security validation · SSL validation · SSO integration testing · SSO regression testing · WAF validation · authentication enforcement validation · compromise assessment · endpoint restriction testing · log analysis · middleware authentication regression · reconciliation job validation · role assignment testing · token propagation testing · token validation · unsupported-version discovery · user provisioning regression · vulnerability scanning

March 2026 Security Alert FAQs

Common questions about CVE-2026-21992 and the Oracle Identity Manager emergency patch.

What is CVE-2026-21992?
CVE-2026-21992 is a critical unauthenticated remote code execution (RCE) vulnerability in Oracle Identity Manager (OIM/OIG) REST WebServices. Rated CVSS 9.8 (Critical), it allows attackers to execute arbitrary code on affected systems over HTTP without authentication. Oracle issued an out-of-band emergency Security Alert in March 2026 — outside the normal quarterly CPU cycle.
Why did Oracle release this as an out-of-band alert?
Oracle issues out-of-band Security Alerts only for the most severe vulnerabilities where waiting for the next quarterly CPU would expose customers to unacceptable risk. CVE-2026-21992's combination of unauthenticated access, remote network exploitability and complete system takeover meant Oracle could not wait — it required immediate patching of all Oracle Identity Manager deployments.
Is CVE-2026-21992 being actively exploited?
The vulnerability closely resembles previously exploited CVE-2025-61757, which reached CISA's Known Exploited Vulnerabilities (KEV) catalog. While we cannot confirm active exploitation of CVE-2026-21992 specifically at the time of the alert, the similarity to a known-exploited CVE significantly elevates risk. Organisations should treat this as actively exploitable and patch immediately.
Which Oracle systems are affected by the March 2026 alert?
Primarily Oracle Identity Manager (OIM/OIG) including the Identity Governance SCIM Services, Oracle IAM Infrastructure, and the Identity Manager REST WebServices APIs. Indirect exposure also affects Oracle Web Services Manager (OWSM) — commonly bundled with Fusion Middleware Infrastructure, so some organisations may unknowingly have exposure. Oracle WebLogic Ecosystem and Oracle Fusion Applications Integration may also be impacted.
What should we do immediately?
1) Inventory all Oracle Identity Manager (OIM/OIG) and Oracle Web Services Manager (OWSM) deployments — including bundled installations within Fusion Middleware. 2) Apply Oracle's emergency patch to all instances. 3) If patching is delayed, restrict network access to the OIM REST WebServices APIs at the network/firewall layer. 4) Review identity logs for suspicious provisioning, role-assignment or credential-store activity. 5) Re-run full identity regression after patching.
How does this affect Oracle Cloud customers?
Customers using Oracle-managed cloud services receive emergency security patches automatically as part of the service. Customer-managed Oracle Identity Manager environments, meaning on-premises OIM/OIG installations and hybrid deployments, must apply the patch manually and validate identity flows immediately.
What is the relationship to CVE-2025-61757?
CVE-2025-61757 was a previously-exploited Oracle vulnerability that reached the CISA Known Exploited Vulnerabilities (KEV) catalog. CVE-2026-21992 is technically similar — both are unauthenticated RCE vulnerabilities in Oracle identity/middleware components. The resemblance is significant because it suggests attackers may already have working exploit patterns they can adapt, raising the likelihood of rapid exploitation.

Don't Wait — Validate IAM Exposure Now

SyntraFlow auto-discovers Oracle Identity Manager and OWSM deployments across your estate, identifies CVE-2026-21992 exposure, and runs a targeted identity regression after patching.