Oracle Identity Manager: Out-of-band update against code smuggling vulnerability

Oracle has released an emergency update for Identity Manager and Web Services Manager that closes a code injection vulnerability.


Oracle has released an emergency update outside its usual quarterly Critical Patch Update (CPU) cycle. It closes a security vulnerability in Oracle Identity Manager and Oracle Web Services Manager that allows unauthenticated attackers on the network to fully compromise vulnerable instances.

According to the CVE description, both affected products are part of Oracle Fusion Middleware. In Identity Manager the vulnerable component is the “REST WebServices” API endpoint; in Web Services Manager it is the Web Services Security component. Oracle writes that the vulnerability is easy to exploit by malicious actors with HTTP access to the affected products, and that successful exploitation results in a takeover of Oracle Identity Manager and Oracle Web Services Manager (CVE-2026-21992, CVSS 9.8, risk “critical”).

In its security alert, Oracle states that the vulnerability can be exploited remotely without authentication and can lead to the execution of injected malicious code. Oracle Identity Manager and Oracle Web Services Manager, versions 12.2.1.4.0 and 14.1.2.1.0, respectively, are affected. Information on patch availability is behind a customer login and is therefore not publicly accessible.

When Oracle releases updates outside its regular patch days, it is a sign that the vulnerabilities involved need to be patched quickly. The company also writes: “Oracle strongly recommends that customers apply the updates or mitigations provided by this security alert as soon as possible.” Oracle does not mention any exploitation in the wild, so the vulnerability is apparently not yet being actively attacked.


IT managers should not take the vulnerability lightly. Last fall, a security vulnerability in Oracle's E-Business Suite became known that the cyber gang Cl0p exploited in a wave of attacks. Data from hundreds of companies was affected, and the criminals extorted ransom from those companies by threatening to publish the data.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.