Oracle vulnerability (CVE-2026-21992) impacts core products

Threat Research advisory vulnerability Oracle

On March 20, 2026, Oracle disclosed a critical (CVSS score of 9.8) vulnerability (CVE-2026-21992) impacting two Oracle Fusion Middleware components: Oracle Identity Manager and Oracle Web Services Manager. An unauthenticated attacker could exploit the vulnerability to obtain network access via HTTP and remotely execute code. Critical functions of the products are exposed due to the lack of network-level authentication. As of this publication, there are no reports of active exploitation.

Recommended actions

Counter Threat Unit™ (CTU) researchers recommend that customers identify vulnerable components and apply the patches as appropriate in their environment.

Sophos protections

The following protection developed by SophosLabs relates to this threat:

Attack_3b

About the author

Sophos Counter Threat Unit Research Team

Sophos Counter Threat Unit™ (CTU) researchers are recognized authorities in the cybersecurity field, regularly contributing expert analysis to global media, publishing technical analyses for the security community, and presenting about emerging threats at leading security conferences. Backed by Sophos’ advanced security technologies and a broad network of intelligence contacts and partners, the CTU™ plays a critical role in identifying and tracking threat actors and analyzing anomalous activity, uncovering new attack techniques, threats, and major shifts in the threat landscape.