CVE-2026-21992: Critical Oracle Fusion Middleware Vulnerability Out-of-Band Security Alert

Oracle published an out-of-band security alert on March 19 for CVE-2026-21992, a critical remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager, both part of Oracle Fusion Middleware. The vulnerability has a CVSSv3 score of 9.8 and is remotely exploitable without authentication.

CVE	Description	CVSSv3
CVE-2026-21992	Oracle Identity Manager and Oracle Web Services Manager Remote Code Execution Vulnerability	9.8

Out-of-band security alerts from Oracle are infrequent and signal elevated risk. Patches are available through Oracle's Fusion Middleware patch documentation.

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

Vulnerability Watch

Forum Discussion

CVE-2026-21992: Critical Oracle Fusion Middleware Vulnerability Out-of-Band Security Alert

Recent Discussions

CVE-2026-35616: Fortinet FortiClientEMS zero-day vulnerability exploited in the wild

FAQ on the Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069

CVE-2026-21992: Critical Oracle Fusion Middleware Vulnerability Out-of-Band Security Alert

Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury

Microsoft’s March 2026 Patch Tuesday Addresses 83 CVEs

Americas

Europe

Asia / Australia