CVE-2026-21992: Oracle Identity Manager RCE, No Login
Every organisation has a gatekeeper — a system that decides who gets access to what. Which employee can approve payments. Which contractor can enter the server room. Which service account can read customer records. In enterprise environments, that gatekeeper is an identity management platform.
Oracle Identity Manager is one of the most widely deployed of these platforms globally. It manages identities, roles, and access policies for some of the world's largest organisations — banks, hospitals, government agencies, multinational corporations. Everything about who can do what flows through it.
On March 19, 2026, Oracle issued an emergency out-of-schedule security alert — something it has done only 31 times in 15 years — for a vulnerability that allows anyone on the internet to take complete control of that gatekeeper. No password. No account. No user interaction required.
- CVE: CVE-2026-21992 — Oracle Identity Manager and Web Services Manager RCE
- CVSS Score: 9.8 Critical — network-based, no authentication, no user interaction, low complexity
- Attack vector: HTTP — any attacker with network access to the endpoint can exploit it
- Affected products: Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 — Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0
- Alert released: March 19, 2026 — out-of-band, outside Oracle's quarterly patch cycle
- This is only the second emergency alert Oracle has ever issued for Identity Manager
- Exploitation confirmed in the wild: Not yet confirmed for this CVE — but a near-identical sibling (CVE-2025-61757) was actively exploited and added to CISA KEV in November 2025
- Impact: Full system compromise — attacker can manipulate identities, roles, and policies across the organisation
- Patch: KB878741 — available for supported versions only
- Unsupported versions: No patch available — upgrade required
Root Cause — How the Attack Actually Works
Before getting into the vulnerability, it helps to understand what Oracle Identity Manager actually does, because that is what makes the attack so damaging.
OIM is the platform that manages every digital identity in a large organisation. It decides: this employee gets access to the payroll system, this contractor can read customer records, this service account can write to the database. Every access decision flows through it. It is the single source of truth for who is allowed to do what.
To do its job, OIM provides a REST API — a set of web addresses that other systems use to communicate with it. Think of it like a post box. Other applications drop requests into the post box: "create this user," "assign this role," "change this permission." OIM picks up those requests and acts on them.
Here is where the flaw lives. When OIM picks up a request from that post box, it processes the contents before checking who sent it. An attacker doesn't need an account. They just need to know the address of the post box and send a specially crafted message.
That message contains what researchers call a malicious serialised object. Here's what that means in plain English:
When systems send complex data to each other over a network, they first pack it into a standard format — like converting a filled-out form into a PDF so it can be emailed. The receiving system then unpacks it — opens the PDF and reads the form. This packing and unpacking is called serialisation and deserialisation.
The attacker crafts a fake "form" — a message that looks like a legitimate OIM request but contains hidden instructions instead of real data. When OIM unpacks it, those instructions execute on the server. Not as a regular user, but with the privileges of the application server process that runs OIM, which already has the authority to read and change every identity, role and policy OIM manages.
The system designed to enforce who has access to what — has no check on its own post box. Anyone who knows the address can drop in a message, and OIM will follow the instructions inside before ever asking who sent it.
Oracle describes it as "easily exploitable." NIST rates it "low complexity." That means a moderately skilled attacker with basic tools can do this. No specialist knowledge. No insider access. Just network connectivity and a crafted HTTP request.
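To make the ordering problem concrete, here is an added Python example. It is not Oracle's code and not a reproduction of the OIM endpoint: Python's pickle stands in for Java serialisation, and the handlers, the token, the action names and the marker path are all constructed. The vulnerable handler unpacks the request body before checking credentials, so the attacker's callable runs even though the response is a 401; the hardened handler authenticates first and then accepts only a data-only format (JSON) checked against an explicit schema.

```python
"""Vulnerable vs. hardened request handling: a Python analogue of the ordering
flaw described above. Added example, not Oracle code. pickle stands in for Java
serialisation; handlers, token, action names and marker path are constructed."""
import json
import os
import pickle
import shutil
import tempfile

# Constructed marker: the gadget creates this directory when it "executes".
MARKER_DIR = os.path.join(tempfile.gettempdir(), f"oim-gadget-marker-{os.getpid()}")


class Gadget:
    """Stand-in for a deserialisation gadget chain. On load, pickle calls the
    callable returned by __reduce__ (here os.makedirs), so code chosen by the
    sender runs during unpacking, before any application logic sees the data."""

    def __reduce__(self):
        return (os.makedirs, (MARKER_DIR, 0o700, True))


def build_malicious_body() -> bytes:
    """What the attacker POSTs: a serialised object carrying instructions."""
    return pickle.dumps(Gadget())


def gadget_fired() -> bool:
    return os.path.isdir(MARKER_DIR)


def reset_marker() -> None:
    shutil.rmtree(MARKER_DIR, ignore_errors=True)


VALID_TOKEN = "constructed-admin-session-token"


def is_authenticated(headers: dict) -> bool:
    return headers.get("Authorization") == f"Bearer {VALID_TOKEN}"


def vulnerable_handler(headers: dict, body: bytes) -> int:
    """Unpacks the body before asking who sent it. A 401 is still returned,
    but the attacker's callable has already run inside pickle.loads()."""
    request = pickle.loads(body)  # gadget executes here, no credentials needed
    if not is_authenticated(headers):
        return 401
    return 200 if isinstance(request, dict) else 400


ALLOWED_ACTIONS = {"create_user", "assign_role", "modify_permission"}


def hardened_handler(headers: dict, body: bytes) -> int:
    """Authenticate first, then parse only a data-only format with an explicit
    schema. Unauthenticated callers never reach the parser, and authenticated
    ones cannot smuggle executable objects through it."""
    if not is_authenticated(headers):
        return 401  # body is never touched
    try:
        request = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400
    if not isinstance(request, dict) or set(request) != {"action", "user"}:
        return 400
    if request["action"] not in ALLOWED_ACTIONS or not isinstance(request["user"], str):
        return 400
    return 200


if __name__ == "__main__":
    reset_marker()
    print("vulnerable:", vulnerable_handler({}, build_malicious_body()), "gadget fired:", gadget_fired())
    reset_marker()
    print("hardened:", hardened_handler({}, build_malicious_body()), "gadget fired:", gadget_fired())
    reset_marker()
```

The point to take from the two handlers is not the 401 but the side effect: the vulnerable one produces the same status code as the hardened one while the marker directory appears anyway. Rejecting the body's format is the second half of the fix; moving the authentication check ahead of any parsing is the first.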
Real-World Example — Inside a Bank's Identity Platform
Imagine a large private bank running Oracle Identity Manager on-premises. OIM manages access for 8,000 employees across 12 countries — everything from who can approve wire transfers to which auditors can view trading records. The management interface is accessible over the internet for remote administration.
Day 1 — The invisible entry
An attacker sends a single HTTP POST request to the bank's OIM REST endpoint. The request body contains a malicious serialised Java object — packed instructions disguised as a routine API call. OIM unpacks it and executes the instructions before checking for authentication. The attacker now has code running on the OIM server with application-level privileges. No alert fires. No login appears in the OIM audit log, because no login happened; the only trace is a single POST in the web server's access log, and only if someone is looking there. From the outside, nothing happened.
Day 2 — Creating a ghost administrator
Using their access, the attacker creates a new OIM administrator account. The username looks legitimate — something like "svc-monitoring-prod" that blends into a list of service accounts. This account is provisioned with full administrative rights across OIM and every system it manages. The account creation appears in OIM logs as a normal provisioning event — indistinguishable from a real IT operation.
Day 4 — Elevating permissions silently
The attacker uses their ghost admin account to modify role assignments across the organisation. The "auditor" role in the trading system quietly gets new permissions — the ability to export full transaction histories. The "contractor" role for a legacy billing system gets read access to customer records it was never supposed to touch. Each change is logged as an authorised role modification.
Day 7 — Disabling Web Services Manager policies
Oracle Web Services Manager — included in the same vulnerable versions — has its security policies quietly disabled for several internal web services. This removes the authentication and encryption requirements on those services. The attacker's malware can now communicate with internal bank systems over trusted channels without triggering security alerts.
Day 14 — Data exfiltration begins
Using the elevated permissions granted through OIM role manipulation, the attacker begins pulling customer records and transaction data. The access looks legitimate — authorised roles, valid service accounts, normal-looking API calls. The bank's security tools see nothing unusual because the access policies say this access is allowed.
Day 30 — The organisation discovers the breach
A routine security audit finds the ghost administrator account. The investigation reveals 14 days of data exfiltration and dozens of unauthorised role changes. The attacker entered through a single unauthenticated HTTP request and spent a month inside the identity platform that was supposed to prevent exactly this.
The most dangerous part of this attack is not the initial exploit. It is what comes after — an attacker operating inside the system that defines what "authorised access" means, for as long as they want, doing things that look exactly like legitimate administration.
Why This Is a Bigger Target Than It Looks
Oracle Identity Manager is enterprise infrastructure — deployed by banks, healthcare systems, and government agencies with hundreds of thousands of users and complex access hierarchies. These are the organisations with the most sensitive data and the most severe consequences from a breach.
This is the shift happening in 2026. Attackers are no longer targeting endpoints first. They are targeting the systems that manage identity — because one compromise there gives control over who has access to everything else.
Tenable's senior researcher confirmed what the scenario above illustrates: given Oracle's customer base, CVE-2026-21992 is of particular interest to "big game hunters" — ransomware groups who target large organisations precisely because the ransom demands can be proportionally larger.
The Sibling Vulnerability — The Warning That Came First
This is not the first time this exact component has been exploited. CVE-2025-61757 — same product, same component, same versions, CVSS 9.8 — was actively exploited and added to CISA's KEV catalog in November 2025. Researchers described it as "somewhat trivial and easily exploitable."
Four months later, a new hole appears in the same wall. Oracle breaking its quarterly patch cycle to issue an emergency alert means the company views this as too critical to wait for April. The question for every organisation running OIM is not just whether to patch now — it is whether the same attackers who exploited the first vulnerability have already found the second one.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | How It Applies |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Unauthenticated HTTP request to OIM REST WebServices endpoint triggers RCE |
| Execution | T1059 | Command and Scripting Interpreter | Arbitrary code execution on OIM server with application-level privileges |
| Persistence | T1136 | Create Account | Attacker creates new legitimate-looking admin accounts in OIM that survive patching |
| Privilege Escalation | T1078 | Valid Accounts | OIM role manipulation grants attacker elevated permissions across all connected systems |
| Defense Evasion | T1562 | Impair Defenses | OWSM security policies modified or disabled to remove protection from other web services |
| Credential Access | T1552 | Unsecured Credentials | Identity store access exposes credentials, tokens, and authentication data for all managed users |
| Collection | T1213 | Data from Information Repositories | Full read access to identity database — roles, permissions, user profiles, access policies |
| Lateral Movement | T1021 | Remote Services | Newly created admin accounts and elevated OIM roles enable access to all connected enterprise systems |
Indicators of Compromise (IOCs)
```text
# CVE-2026-21992 Oracle Identity Manager RCE — Detection Indicators

# Exploitation indicators — network level
Alert: Unexpected POST requests to OIM REST WebServices endpoints from external or untrusted IP addresses
Alert: HTTP requests to OIM management interfaces that do not originate from known admin workstations or automation systems
Alert: Unusual volume or pattern of requests to /_/api/ or /oim/REST/WebService/ endpoints — scanning or fuzzing behaviour

# Post-exploitation — identity manipulation
Alert: New administrator accounts created in Oracle Identity Manager outside of approved provisioning workflows or change windows
Alert: Role assignments changed for high-privilege accounts without corresponding ITSM ticket or approval record
Alert: Bulk permission changes affecting multiple users simultaneously outside of scheduled batch operations

# Web Services Manager tampering
Alert: Security policies disabled or modified in Oracle Web Services Manager outside of authorised maintenance windows
Alert: New service endpoints added or existing ones reconfigured without change management approval

# System-level indicators on OIM server
Alert: Unexpected child processes spawned by OIM application server
Alert: New files created in OIM application directories by the application server process outside of patch/deployment operations
Alert: Outbound network connections from OIM server to unknown external IPs — possible C2 communication post-exploitation

# Version and patch verification
Vulnerable: OIM 12.2.1.4.0 and 14.1.2.1.0 — unpatched
Vulnerable: OWSM 12.2.1.4.0 and 14.1.2.1.0 — unpatched
Patch: KB878741 — apply immediately to supported versions
Unsupported versions: No patch available — upgrade to supported version or isolate from all untrusted network access
```
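The network-level and identity-manipulation indicators above as runnable detection logic, added here as an example; this is not ZyberWalls or Oracle tooling. It runs the access-log rules over constructed web server access-log lines and the audit rules over constructed OIM audit events. The log formats, the event and role names, the trusted networks, the change window and the thresholds are assumptions to adapt to your environment; the REST path prefixes are the ones listed in the IOC block and should be confirmed against your deployment.

```python
"""Detection rules from the IOC list above, run over constructed sample logs.
Added example, not ZyberWalls or Oracle tooling; every format, name, network
and threshold below is an assumption to adapt to your environment."""
import ipaddress
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed: REST path prefixes as listed in the IOC block; confirm for your deployment.
OIM_REST_PREFIXES = ("/oim/REST/WebService/", "/_/api/")
# Assumed: admin workstations and automation hosts allowed to call OIM management APIs.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.99.1.0/24")]
SCAN_THRESHOLD = 20          # requests to OIM paths from one source in the log window
HIGH_PRIV_ROLES = {"OIM System Administrator", "OIM Role Administrator"}  # assumed names
CHANGE_WINDOW = (5, 2, 6)    # assumed: Saturday (weekday 5), 02:00-06:00 UTC
BULK_THRESHOLD = 10          # role/permission changes by one actor within one minute

# Combined-log-style access line: client IP, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def scan_access_log(lines):
    """Network-level rules: POST to OIM REST endpoints from an untrusted source,
    and request volume to OIM paths that looks like scanning or fuzzing."""
    alerts, per_source = [], Counter()
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m["path"].startswith(OIM_REST_PREFIXES):
            continue
        per_source[m["ip"]] += 1
        if m["method"] == "POST" and not is_trusted(m["ip"]):
            alerts.append(("untrusted_post", m["ip"], m["path"], int(m["status"])))
    for ip, n in per_source.items():
        if n >= SCAN_THRESHOLD:
            alerts.append(("scan_volume", ip, n))
    return alerts


def in_change_window(ts: datetime) -> bool:
    weekday, start_hour, end_hour = CHANGE_WINDOW
    return ts.weekday() == weekday and start_hour <= ts.hour < end_hour


def scan_audit_events(lines):
    """Identity-manipulation rules over JSON audit events (one per line):
    privileged account creation or role grant without a ticket or outside the
    change window, and bulk role/permission changes by one actor in one minute."""
    alerts, bulk = [], Counter()
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc)
        privileged = bool(set(ev.get("roles", [])) & HIGH_PRIV_ROLES)
        if ev["event"] in ("CREATE_USER", "GRANT_ROLE") and privileged:
            if not ev.get("ticket") or not in_change_window(ts):
                alerts.append(("unapproved_privileged_change", ev["actor"], ev["target"], ev["event"]))
        if ev["event"] in ("GRANT_ROLE", "MODIFY_PERMISSION"):
            bulk[(ev["actor"], ts.strftime("%Y-%m-%dT%H:%M"))] += 1
    for (actor, minute), n in bulk.items():
        if n >= BULK_THRESHOLD:
            alerts.append(("bulk_change", actor, minute, n))
    return alerts


# Constructed sample data: one trusted admin POST, one untrusted POST, a burst of
# 23 probes from a second untrusted host, a ticketed in-window admin creation, an
# unticketed off-hours admin creation, and 12 role grants by that new account.
SAMPLE_ACCESS_LOG = [
    '10.20.4.15 - - [20/Mar/2026:09:12:01 +0000] "POST /oim/REST/WebService/roles HTTP/1.1" 200 512',
    '203.0.113.77 - - [20/Mar/2026:09:13:44 +0000] "POST /oim/REST/WebService/users HTTP/1.1" 200 318',
    '198.51.100.9 - - [20/Mar/2026:09:14:02 +0000] "GET /oim/REST/WebService/ HTTP/1.1" 404 0',
    '10.20.4.15 - - [20/Mar/2026:09:15:10 +0000] "GET /identity/faces/home HTTP/1.1" 200 9120',
] + [
    f'198.51.100.9 - - [20/Mar/2026:09:14:{s:02d} +0000] "GET /_/api/v{s} HTTP/1.1" 404 0'
    for s in range(3, 25)
]
SAMPLE_AUDIT_LOG = [
    json.dumps({"ts": "2026-03-21T03:10:00+00:00", "event": "CREATE_USER", "actor": "it-ops-jsmith",
                "target": "svc-backup-prod", "roles": ["OIM System Administrator"], "ticket": "CHG0041877"}),
    json.dumps({"ts": "2026-03-22T23:41:12+00:00", "event": "CREATE_USER", "actor": "xelsysadm",
                "target": "svc-monitoring-prod", "roles": ["OIM System Administrator"], "ticket": None}),
] + [
    json.dumps({"ts": f"2026-03-24T02:15:{s:02d}+00:00", "event": "GRANT_ROLE", "actor": "svc-monitoring-prod",
                "target": f"trader{s:02d}", "roles": ["Auditor"], "ticket": None})
    for s in range(12)
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG) + scan_audit_events(SAMPLE_AUDIT_LOG):
        print(alert)
```

On the constructed data the access-log rules flag the untrusted POST and the 23-request probe burst but stay silent on the trusted admin's POST, and the audit rules flag the unticketed off-hours administrator creation and the twelve role grants that account makes in a single minute, while the ticketed in-window creation passes. The change-window and ticket checks are what separate an attacker's "normal-looking provisioning event" from an approved one, which is exactly the distinction the bank scenario says the logs alone do not make.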
SOC Alert Priorities
Priority 1 — Apply KB878741 immediately to all Oracle Identity Manager and Web Services Manager instances. Oracle breaking its quarterly patch cycle for this is the signal. Treat this with the same urgency as a confirmed active exploitation. Internet-facing instances should be patched or taken offline today.
Priority 2 — Audit all OIM administrator accounts for anything created after October 2025. CVE-2025-61757 — the sibling vulnerability — was actively exploited. If your OIM was internet-accessible after October 2025, there may already be attacker-created accounts inside your identity store. Any account you cannot verify was created through an approved process should be suspended and investigated.
Priority 3 — Review all role and permission changes in OIM for the last six months. An attacker with OIM access doesn't need to announce themselves. They quietly elevate permissions across connected systems. Pull the full change log and look for modifications that don't have corresponding change tickets, especially bulk changes or changes to high-privilege roles.
Priority 4 — Check Oracle Web Services Manager security policies for unauthorised modifications. OWSM shares the same vulnerable versions and is included in the same emergency alert. Disabled or modified security policies on web services may indicate an attacker preparing the environment for lateral movement or data exfiltration.
Priority 5 — Restrict OIM management interface access to trusted internal IPs immediately. While patching is prepared or in progress, restrict the REST WebServices endpoint and management interface to known admin workstations or internal networks only, enforced at the firewall, load balancer or web tier in front of the WebLogic servers that host OIM rather than only on the OIM hosts themselves. Remove any public internet exposure. This doesn't fix the vulnerability, and it does nothing against an attacker who already has a foothold inside the network, but it significantly reduces the attack surface while you patch.
The ZyberWalls Perspective
Oracle issues out-of-band emergency alerts roughly twice a year. This is only the second time in history it has done so for Oracle Identity Manager. The first was in 2017 — a CVSS 10.0 default account flaw that allowed complete takeover via an unauthenticated network attack. Oracle has essentially placed this vulnerability in the same category.
The sibling vulnerability pattern makes this particularly sobering. CVE-2025-61757 was the warning shot: same product, same component, same versions, same severity. It was exploited, catalogued in KEV, and given a remediation deadline, and within four months the same component needed another emergency fix.
Identity management platforms are not like other enterprise software. Compromising them doesn't just give an attacker access to data. It gives them control over the rules that govern all data access. They can create users that don't exist, grant permissions that were never approved, and disable controls that were never meant to be optional. The organisation continues functioning normally — employees log in, systems process transactions, dashboards show green — while the attacker quietly inherits the keys to everything.
This is what makes identity infrastructure the highest-value target in 2026. It is trusted completely, monitored inconsistently, and when compromised, provides a level of access that no single data breach can match.
Patch KB878741. Audit your accounts. Check your policies. In that order, today.
Stay Alert. Stay Human. Stay Safe. — ZyberWalls Research Team
