CVE-2026-21992: Oracle Identity Manager RCE - Emergency Patching?

Just saw the drop on CVE-2026-21992. This one is shaping up to be a potential nightmare for Oracle IAM shops. We've got a critical vulnerability in Oracle Identity Manager and Web Services Manager with a CVSS score of 9.8.

The advisory explicitly states this is remotely exploitable without authentication. That combination—RCE + No Auth—means we need to treat this as a critical incident. If your OIM instances are facing the web, assume they are being scanned already.

Technical Details

• CVE ID: CVE-2026-21992
• CVSS: 9.8 (Critical)
• Impact: Remote Code Execution (RCE)
• Affected: Oracle Identity Manager, Web Services Manager

If you are in a Windows environment validating your patch status, you can run this PowerShell snippet to identify potentially vulnerable installations (version comparison logic pending the full advisory details):

Get-WmiObject -Class Win32_Product | Where-Object {
    $_.Name -like "*Identity Manager*" -or $_.Name -like "*Web Services Manager*"
} | Select-Object Name, Version

Until you patch, I recommend strict network segmentation. Ensure the management console is not accessible from the internet and restrict access to trusted internal subnets only. I'm also hunting for suspicious java.exe child processes spawning from the WebLogic or OIM service accounts.

Who else is dealing with OIM in their environment? Are you seeing any IOCs in your wild yet, or is everyone still in the "shelter in place" phase?