Oracle has released emergency updates to patch CVE-2026-21992, a critical vulnerability (CVSS score 9.8) in its Identity Manager and Web Services Manager products that could allow unauthenticated attackers to execute code remotely. The company has not confirmed whether this vulnerability has been exploited in the wild.
Oracle has released out-of-band patches for CVE-2026-21992, a critical vulnerability with a CVSS score of 9.8 that affects Identity Manager and Web Services Manager. Given the ease of exploitation and the potential for remote code execution by unauthenticated attackers, immediate patching is crucial for organizations using these products to prevent potential unauthorized takeovers. This is especially pressing because Oracle has a history of not disclosing whether such vulnerabilities have been exploited in the wild, which makes proactive patching an essential security measure.