Customers running Oracle’s Identity Manager (OIM) and Web Services Manager software are exposed to a critical pre-auth RCE vulnerability. The flaw isn’t known to be exploited yet – but an out-of-band emergency patch suggests Big Red thinks it's coming soon.
Per NIST, CVE-2026-21992 is easily exploitable and “allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager.”
Oracle said the bug is in the REST WebServices and Web Services Security components of its Fusion Middleware. “Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager,” the advisory, published late Thursday, said.
Auto-generated patch bypasses
The language Oracle uses to describe the bug is almost identical to that of an actively exploited vulnerability patched in October. CVE-2025-61757 (CVSS 9.8), a bug in the same middleware component of Oracle’s OIM, allowed an “unauthenticated attacker with network access via HTTP to compromise Identity Manager [for] takeover of Identity Manager.”
The similarities suggest the new bug is likely a patch bypass, and with attackers already familiar with the codebase, there is a tangible risk that it is already being exploited. (A CISO at a major financial institution recently told The Stack, “patches are basically exploits now.”)
Threat actors can feed patch diffs into LLMs and construct an exploit almost instantaneously. A paper published by researchers at the University of Luxembourg in December 2025 set out to explore whether “someone with no understanding of web security, SQL injection, or authentication bypasses [can] successfully compromise an enterprise ERP system using only LLMs and public CVE information?”
The study found an alarming 100% success rate: “every tested CVE produced at least one working exploit through pretexted prompting, typically within 3-4 interaction rounds.”
Quick, before the hyenas come
The fact that this is an “out-of-band” patch (Oracle usually reserves its vulnerability alerts for a biblically sized drop once a quarter) suggests security folks should get patching fast.
“Oracle strongly recommends that customers apply the updates or mitigations provided by this security alert as soon as possible,” the advisory urged.
The vulnerability affects Oracle Identity Manager and Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0. Details of patch availability are available to customers behind Oracle’s support login.