Oracle has released a special security update to fix a serious flaw that lets an attacker run malicious code without authenticating. The flaw, tracked as CVE-2026-21992, affects Oracle Identity Manager and Oracle Web Services Manager.
Oracle Identity Manager helps manage identities and access in a business, while Oracle Web Services Manager offers security and control for web services. In an advisory released yesterday, Oracle is “strongly” recommending that customers apply the patches as soon as possible.
“This Security Alert addresses vulnerability CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution,” reads the security advisory.
“Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay.”
The CVE-2026-21992 vulnerability has a very high severity score of 9.8 and affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, plus Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0.
Oracle says the issue is easy to exploit remotely over HTTP and requires no authentication or user interaction, which raises the risk for exposed servers.
The fix was released through the Security Alert program, which provides quick fixes for serious problems that are being exploited. Oracle notes, however, that these patches apply only to versions covered by Premier or Extended Support. Older, unsupported versions might still be at risk.
In a blog post today, Oracle said that CVE-2026-21992 is serious and advised customers to check the Security Alert for full details and patch information.
