Executive Summary
A critical unauthenticated remote code execution vulnerability (CVE-2026-21992) has been disclosed as part of Oracle's March 2026 Critical Patch Update (CPU). The flaw carries a CVSS score of 9.8 and affects two products within the Oracle Fusion Middleware portfolio:
- Oracle Identity Manager (component: REST WebServices)
- Oracle Web Services Manager (component: Web Services Security)
An unauthenticated remote attacker with network access via T3 or HTTP can exploit this vulnerability to compromise Oracle Identity Manager, potentially achieving full control over an enterprise identity governance platform. Affected versions are 12.2.1.4.0 and 14.1.2.1.0 across both products.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-21992 |
| CVSS Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Affected Components | Oracle Identity Manager (REST WebServices), Oracle Web Services Manager (Web Services Security) |
| Affected Versions | 12.2.1.4.0 and 14.1.2.1.0 |
| Patch Available | Yes — Oracle March 2026 CPU |
| Published | March 20, 2026 |
Affected Products
| Product | Component | Affected Versions |
|---|---|---|
| Oracle Identity Manager | REST WebServices | 12.2.1.4.0, 14.1.2.1.0 |
| Oracle Web Services Manager | Web Services Security | 12.2.1.4.0, 14.1.2.1.0 |
Both products are part of the Oracle Fusion Middleware stack, which underpins identity governance, web services policy enforcement, and enterprise SSO across Oracle-heavy environments.
Technical Analysis
Root Cause
CVE-2026-21992 resides in the REST WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager. Oracle classifies this as "easily exploitable," indicating that the vulnerability does not require chaining with other weaknesses or bypassing significant security controls.
The flaw allows a network attacker to reach the vulnerable endpoint over standard protocols (T3 — Oracle's proprietary WebLogic wire protocol — or HTTP/S) and trigger exploitation without supplying any credentials.
Oracle does not publicly disclose root-cause details in CPU advisories, but the CVSS vector and "easily exploitable" classification, combined with the REST WebServices attack surface, suggest an improper input validation, deserialization, or authentication bypass weakness in the REST API layer. Treat this as inference from the advisory metadata, not as a confirmed root cause.
Attack Vector: T3 and HTTP
T3 is Oracle WebLogic Server's proprietary wire protocol, used for RMI-based communication between WebLogic components and clients. It is multiplexed on the same listen port as HTTP (typically 7001, with T3S alongside HTTPS on 7002), so a port-level firewall rule cannot block T3 without also blocking HTTP, and it is frequently exposed on internal networks. T3 has historically been a prolific attack surface for unauthenticated RCE in Oracle/WebLogic environments.
HTTP access implies the vulnerability may also be reachable through the standard web interface, broadening the potential attack surface beyond WebLogic-protocol-aware tools.
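As an added example that is not part of the Oracle advisory or of this write-up's original text, the following Python script sends the opening T3 handshake to a WebLogic listen port and classifies the reply. A listener that accepts T3 answers with a HELO banner carrying its WebLogic Server version; a port that answers with something else (plain HTTP, for instance) or that closes the connection does not accept T3 from that client. The handshake bytes and the HELO layout are the standard WebLogic ones; the hostnames in the usage comment and the replies in the accompanying checks are constructed. Run it from a non-management host to inventory T3 exposure before and after a mitigation is applied. The banner reports the WebLogic Server version, not the OIM or OWSM version, so it identifies exposed hosts rather than confirming the affected product release.

```python
"""Fingerprint a WebLogic listen port for T3 by sending the client HELO."""
import re
import socket
import sys
from typing import Optional

# First message a WebLogic T3 client sends: protocol name, the version it
# speaks, abbreviation size (AS) and header length (HL). The server does not
# have to match the claimed version; it replies with its own.
T3_HELLO = b"t3 12.2.3\nAS:255\nHL:19\n\n"

# A T3-speaking server answers "HELO:<WLS version>.<true|false>\n..." where the
# boolean is true when the server insists on a secure (t3s) channel.
_HELO_RE = re.compile(rb"^HELO:(?P<version>[0-9]+(?:\.[0-9]+)*)\.(?P<secure>true|false)\n")


def parse_t3_reply(reply: bytes) -> Optional[dict]:
    """Return {'version': str, 'secure': bool} for a T3 HELO banner, else None."""
    m = _HELO_RE.match(reply)
    if m is None:
        return None
    return {"version": m.group("version").decode("ascii"),
            "secure": m.group("secure") == b"true"}


def classify(reply: bytes) -> str:
    """Map the raw reply to a verdict: t3-open, no-t3 (answered, not T3), or closed."""
    if not reply:
        return "closed"        # refused, reset, rejected by a filter, or timed out
    return "no-t3" if parse_t3_reply(reply) is None else "t3-open"


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Connect, send the HELO, and return the verdict plus the parsed banner."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(T3_HELLO)
            reply = s.recv(1024)
    except OSError:
        pass                   # refused, reset or timed out: treated as closed
    return {"host": host, "port": port, "verdict": classify(reply),
            "banner": parse_t3_reply(reply)}


if __name__ == "__main__":
    # python3 t3_probe.py oim.example.internal 7001 7002   (hostname is a placeholder)
    target = sys.argv[1]
    for p in sys.argv[2:] or ["7001"]:
        r = probe_t3(target, int(p))
        print(f"{r['host']}:{r['port']} {r['verdict']} {r['banner'] or ''}")
```

A "t3-open" verdict from a host that is not on the management allow list is exactly the condition the detection table below flags as "Unusual T3 connections from non-management IP ranges"; after a connection filter is in place the same probe from that host should return "closed".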
Attack Flow
1. Attacker enumerates Oracle Fusion Middleware deployments (Shodan, internal network scanning, known ports 7001/7002/443)
2. Attacker identifies an OIM or OWSM endpoint with no authentication gate
3. Attacker sends a crafted T3 or HTTP request to the REST WebServices endpoint
4. Vulnerable component processes attacker-controlled input without proper validation
5. Exploitation achieves code execution in the context of the WebLogic server process
6. Attacker gains control of the Identity Manager server and its identity store
Why CVSS 9.8
| Metric | Value | Reason |
|---|---|---|
| No authentication | PR:N | Any attacker who can reach the listener over the network can trigger the flaw |
| No user interaction | UI:N | Fully server-side exploitation |
| Low complexity | AC:L | No special conditions or race states required |
| Full C/I/A impact | H/H/H | Successful exploitation gives full host compromise |
Impact Assessment
Oracle Identity Manager is an enterprise Identity Governance and Administration (IGA) platform. It manages user provisioning, role assignments, access certifications, and password management across an organization's entire application portfolio. A compromise of OIM is among the highest-impact outcomes in an enterprise breach scenario:
| Impact Area | Description |
|---|---|
| Identity Store Takeover | Full access to user accounts, roles, and entitlements across all provisioned systems |
| Privilege Escalation | Attacker can create or modify administrator accounts across connected systems |
| Credential Harvesting | Access to hashed or synchronized passwords, API keys, and service account credentials |
| Lateral Movement | OIM integration with LDAP, Active Directory, and downstream applications enables broad pivot |
| Audit Trail Tampering | Attacker can modify or delete access certification records and audit logs |
| Compliance Risk | Disruption of identity governance undermines the access controls that SOX, HIPAA, and PCI DSS audits rely on |
| Downstream Application Compromise | OIM's provisioning connectors can be weaponized to create accounts in connected systems |
Remediation
Step 1: Apply the Oracle March 2026 CPU
Oracle has released patches for both affected versions as part of the March 2026 Critical Patch Update. Apply the applicable patch immediately, following the README that ships with the patch (it lists prerequisites, the minimum OPatch version, and any post-patch steps).

```bash
# Run as the Oracle software owner with ORACLE_HOME set to the Fusion
# Middleware home that hosts OIM/OWSM.

# Verify the installed OPatch meets the minimum version stated in the patch README
$ORACLE_HOME/OPatch/opatch version

# List currently applied patches (keep this output for the post-patch comparison)
$ORACLE_HOME/OPatch/opatch lspatches

# Stop every server in the domain (AdminServer, oim_server1, soa_server1, ...)
# before patching: OPatch modifies the shared Oracle home, and running JVMs keep
# the old classes loaded until they are restarted.

# Apply the March 2026 CPU patch (replace PATCH_ID with the ID from the CPU advisory)
$ORACLE_HOME/OPatch/opatch apply /path/to/patch/PATCH_ID

# Verify the patch is recorded in the inventory. Match on the patch ID rather
# than on descriptive text, which varies from patch to patch.
$ORACLE_HOME/OPatch/opatch lspatches | grep PATCH_ID
```

Restart the servers once OPatch reports success.
Step 2: Restrict T3 and HTTP Access
As an immediate mitigation if patching is delayed:
Network layer. OIM/WebLogic typically listens on 7001 (HTTP and T3) and 7002 (HTTPS and T3S). T3 is multiplexed on the same listen port as HTTP, so a port-level firewall rule cannot block T3 while leaving HTTP open. Restrict inbound access to these ports to the reverse proxy or load balancer that fronts OIM and to known management hosts.
WebLogic layer. The default channel always accepts T3; there is no per-server switch under Servers > [server] > Protocols > General that turns it off. Instead, in the WebLogic Console go to Domain > Security > Filter, set the Connection Filter to weblogic.security.net.ConnectionFilterImpl, and add rules that allow t3 and t3s only from the domain's own servers (managed servers reach the AdminServer over T3, and OIM and SOA call each other over T3) and from management hosts, and deny them from everywhere else. Alternatively, define a dedicated network channel that enables only HTTP/HTTPS and expose that channel to users.
Restrict access to the OIM/OWSM administrative ports to:
- Dedicated identity management workstations
- Internal management VLANs only
- VPN or jump host access
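The following Python/WLST script is an added example, not part of the advisory or of Oracle's documentation. It builds connection filter rules that allow t3 and t3s only from the sources you list and deny them from everywhere else, simulates WebLogic's first-match evaluation so the ordering can be checked before anything is activated, and applies the rules through WLST. The rule grammar (target, local address, local port, action, protocols) and the SecurityConfigurationMBean attributes used (ConnectionFilter, ConnectionFilterRules, ConnectionLoggerEnabled) are WebLogic's documented ones, but verify them against your release; every address, CIDR and hostname below is a placeholder. The allow list must include every server in the domain, the Node Manager hosts and the admin workstations, otherwise managed-server-to-AdminServer and OIM-to-SOA traffic breaks. The builder and the simulator run under CPython 3; the apply step only runs under wlst.sh, which supplies connect, edit, getMBean and the domainName variable.

```python
"""Build, check and apply WebLogic connection filter rules that restrict T3."""
import getpass
import socket
import struct
import sys

# Rule grammar for weblogic.security.net.ConnectionFilterImpl:
#   <target> <localAddress> <localPort> <action> [<protocol> ...]
# Rules are evaluated top to bottom and the first match wins; a connection that
# matches no rule is allowed. Only t3/t3s are named, so HTTP/HTTPS is untouched.
T3_PROTOCOLS = "t3 t3s"


def build_rules(allowed_sources):
    """allowed_sources: IPs or CIDRs that may speak T3 (placeholders in the demo)."""
    rules = ["%s * * allow %s" % (src, T3_PROTOCOLS) for src in allowed_sources]
    rules.append("0.0.0.0/0 * * deny %s" % T3_PROTOCOLS)
    return rules


def _ip_to_int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def _in_cidr(ip, target):
    """IPv4 only: True if ip falls inside target ('a.b.c.d' or 'a.b.c.d/bits')."""
    if "/" in target:
        net, bits = target.split("/")
        bits = int(bits)
    else:
        net, bits = target, 32
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (_ip_to_int(ip) & mask) == (_ip_to_int(net) & mask)


def decide(rules, src_ip, protocol):
    """Simulate ConnectionFilterImpl: 'allow' or 'deny' for src_ip and protocol."""
    for rule in rules:
        parts = rule.split()
        target, action, protocols = parts[0], parts[3], parts[4:]
        if _in_cidr(src_ip, target) and (not protocols or protocol in protocols):
            return action
    return "allow"          # no matching rule: WebLogic allows the connection


def apply_with_wlst(admin_url, username, password, rules):
    """Only callable inside wlst.sh: connect(), edit(), getMBean() are WLST builtins."""
    import jarray
    from java.lang import String
    connect(username, password, admin_url)
    edit()
    startEdit()
    # domainName is the WLST variable populated by connect()
    sec = getMBean("/SecurityConfiguration/" + domainName)
    sec.setConnectionLoggerEnabled(True)        # log rejected connections for Step 3
    sec.setConnectionFilter("weblogic.security.net.ConnectionFilterImpl")
    sec.setConnectionFilterRules(jarray.array(rules, String))
    save()
    activate(block="true")
    disconnect()


if __name__ == "__main__":
    # wlst.sh t3_filter.py t3://admin.example.internal:7001 weblogic 10.0.5.0/24 10.0.9.10
    if len(sys.argv) < 4:
        sys.exit("usage: <admin-url> <admin-user> <allowed-source> [<allowed-source> ...]")
    rules = build_rules(sys.argv[3:])
    for rule in rules:
        print(rule)
    # dry-run the evaluation before touching the domain
    for src, proto in (("203.0.113.7", "t3"), ("203.0.113.7", "http")):
        print("%s/%s -> %s" % (src, proto, decide(rules, src, proto)))
    apply_with_wlst(sys.argv[1], sys.argv[2], getpass.getpass("Admin password: "), rules)
```

Because the final rule denies t3/t3s from 0.0.0.0/0, anything not explicitly allowed above it is cut off, while HTTP from the same address still reaches the server; that is the split a firewall rule on the shared port cannot make. The simulator accepts only IP addresses and CIDRs, not hostnames, so test with addresses.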
Step 3: Audit for Compromise Indicators

```bash
# Review the access log of the managed server that hosts OIM (typically oim_server1,
# not the AdminServer) for calls to the OIM REST base path. Non-2xx/3xx responses
# show failed probes; separately review successful calls from unexpected source IPs.
grep "/iam/governance/" $DOMAIN_HOME/servers/oim_server1/logs/access.log | \
  grep -v ' 200 \| 304 ' | tail -200

# Look for unauthorized admin account creation in the OIM audit data.
# Run on the database host, or connect as the OIM schema owner instead of SYSDBA.
# The schema prefix (OIM below) is whatever RCU created, commonly <PREFIX>_OIM;
# confirm the audit table and column names against your release before running.
sqlplus / as sysdba <<EOF
SELECT ENTITY_NAME, ENTITY_TYPE, ACTION, TIMESTAMP
FROM OIM.OIM_AUDIT
WHERE TIMESTAMP > SYSDATE - 7
AND ACTION IN ('CREATE', 'MODIFY', 'DELETE')
ORDER BY TIMESTAMP DESC;
EOF

# Check for unexpected child processes of the WebLogic JVMs (shells, curl, scripts).
# pgrep matches the java command line, which names the weblogic.Server class.
for p in $(pgrep -f weblogic.Server); do
  ps --ppid "$p" -o pid,user,etime,cmd
done
```

Step 4: Harden the OIM Deployment
- Enable SSL/TLS on all OIM communication channels — disable plain HTTP if not already
- Implement network segmentation — OIM should not be reachable from untrusted network segments
- Enable WebLogic Connection Filters to restrict source IPs on T3 protocol
- Deploy a WAF in front of OIM HTTP endpoints with rules for REST API anomaly detection
- Enable OIM audit logging at maximum verbosity for post-incident forensics
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected REST API calls to /iam/governance/selfservice/api/ | Possible exploitation probe |
| New administrator accounts created outside normal provisioning workflows | Post-exploitation persistence |
| Unusual T3 connections from non-management IP ranges | Exploitation attempt via WebLogic protocol |
| WebLogic server process spawning child processes (shells, scripts) | Successful RCE indicator |
| Changes to OIM system configuration or connector settings | Post-compromise manipulation |
| Unexpected outbound connections from OIM host | Reverse shell or C2 beaconing |
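The following Python script is an added example, not part of the advisory, that applies the two log-based indicators above (REST calls to the OIM API from outside the management ranges, and server-side errors on that path, which is what malformed payloads tend to produce) to WebLogic access.log lines; it also serves as a scripted version of the access-log grep in Step 3. WebLogic writes access.log in Common Log Format by default, which is the layout parsed here. The log lines, addresses and CIDRs are constructed. If a reverse proxy or load balancer fronts OIM, every request in access.log carries the proxy's address, so feed the script the proxy's own log, which records the real client IP, rather than WebLogic's.

```python
"""Triage WebLogic access.log lines for the OIM REST indicators listed above."""
import ipaddress
import re
import sys
from collections import Counter

# WebLogic writes access.log in Common Log Format by default:
#   host ident authuser [timestamp] "METHOD path protocol" status bytes
_CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# REST base path named in the advisory; add any other /iam/... APIs you expose.
REST_PREFIXES = ("/iam/governance/",)

# Constructed sample lines (not real log data). The second and third lines are
# the pattern of interest: an outside address hitting the REST path, first with
# a 500 (payload rejected) and then with a 200 (payload accepted).
SAMPLE_LOG = """\
10.0.5.20 - - [20/Mar/2026:10:15:03 +0000] "GET /iam/governance/selfservice/api/v1/users?q=smith HTTP/1.1" 200 2048
203.0.113.7 - - [20/Mar/2026:10:17:41 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 500 312
203.0.113.7 - - [20/Mar/2026:10:17:45 +0000] "POST /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 77
10.0.5.20 - - [20/Mar/2026:10:18:00 +0000] "GET /identity/faces/home HTTP/1.1" 200 5120
""".splitlines()


def parse_clf(line):
    """Parse one CLF line into a dict, or None if it is not in that format."""
    m = _CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, management_cidrs, rest_prefixes=REST_PREFIXES):
    """Flag REST calls from outside management_cidrs and REST calls that ended
    in a 5xx; also count REST requests per source so bursts stand out."""
    trusted_nets = [ipaddress.ip_network(c) for c in management_cidrs]
    findings, per_source = [], Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not rec["path"].startswith(rest_prefixes):
            continue
        per_source[rec["src"]] += 1
        try:
            trusted = any(ipaddress.ip_address(rec["src"]) in n for n in trusted_nets)
        except ValueError:      # hostname or malformed field: do not trust it
            trusted = False
        reasons = []
        if not trusted:
            reasons.append("rest-from-untrusted-source")
        if rec["status"] >= 500:
            reasons.append("rest-server-error")
        if reasons:
            entry = {k: rec[k] for k in ("src", "ts", "method", "path", "status")}
            entry["reasons"] = reasons
            findings.append(entry)
    return findings, per_source


if __name__ == "__main__":
    # python3 oim_rest_triage.py /path/to/access.log 10.0.5.0/24 [more CIDRs]
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
        cidrs = sys.argv[2:]
    else:
        lines, cidrs = SAMPLE_LOG, ["10.0.5.0/24"]
    found, counts = triage(lines, cidrs)
    for f in found:
        print("%s %s %s %s %d %s" % (f["ts"], f["src"], f["method"], f["path"],
                                     f["status"], ",".join(f["reasons"])))
    print("REST requests per source:", dict(counts))
```

A 500 followed shortly by a 200 from the same outside address on the same REST path is the sequence to escalate: it is consistent with an attacker tuning a payload until the endpoint accepts it, and it should be cross-checked against the process and audit checks in Step 3.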
Post-Remediation Checklist
- Apply Oracle March 2026 CPU to all affected OIM and OWSM instances
- Restrict T3 and HTTP access to OIM to management-only network segments
- Audit OIM admin accounts for unauthorized additions or privilege changes
- Review provisioning logs for unexpected user creation across downstream systems
- Rotate all service account credentials used by OIM connectors
- Reset OIM administrator passwords and invalidate active sessions
- Enable enhanced audit logging on all connected systems
- Scan OIM host for web shells, unexpected binaries, or scheduled tasks
- Review WebLogic access logs for exploitation artifacts dating back 30+ days
- Verify patch application with OPatch and confirm no rollback occurred