
Update: Added that Oracle declined to comment on whether the vulnerability has been exploited.
Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992.
Oracle Identity Manager is used for managing identities and access across an enterprise, while Oracle Web Services Manager provides security and management controls for web services.
In an advisory released yesterday, Oracle is “strongly” recommending that customers apply the patches as soon as possible.
“This Security Alert addresses vulnerability CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution,” reads the security advisory.
“Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay.”
The CVE-2026-21992 vulnerability has a CVSS v3.1 severity rating of 9.8 and impacts Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, as well as Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0.
Oracle says the flaw is of low complexity, remotely exploitable over HTTP, and doesn’t require authentication or user interaction, increasing the risk of exploitation on exposed servers.
The fix was released through its Security Alert program, which delivers out-of-schedule fixes or mitigations for critical or actively exploited vulnerabilities. However, Oracle says that patches released through these programs are only provided for versions under Premier or Extended Support, and older unsupported versions may be vulnerable.
Oracle has not disclosed whether the vulnerability has been exploited and declined to comment when BleepingComputer asked about its exploitation status.
In a separate blog post published today, Oracle once again noted the severity of CVE-2026-21992 and warned customers to review the security alert for full details and patch information.
