
Unauthenticated RCE in Oracle IdM (CVE-2026-21992): Who is patching tonight?

K8s_SecOps_Mei 3/22/2026 USER

Saw the advisory drop today. CVE-2026-21992 is a nightmare scenario. We're looking at a CVSS score of 9.8 for an unauthenticated RCE impacting both Oracle Identity Manager and Web Services Manager. Oracle explicitly noted in their advisory that this is remotely exploitable without authentication. If you have this exposed externally, you are effectively operating an open door for attackers right now.

What makes this particularly nasty is the target: Identity Manager. If an attacker gains RCE here, they likely have the keys to the kingdom regarding your SSO and user provisioning flows. The complexity of patching Oracle stacks is no joke, but with a 9.8, we don't have the luxury of waiting.

For those of us managing Windows-based deployments, I quickly threw together a PowerShell snippet to help identify potentially vulnerable instances by checking the file properties of the core WAR files. This isn't a substitute for the official OPatch check, but it helps triage assets fast:

# Candidate Middleware home directories; adjust to match your install drives
$paths = @("C:\Oracle\Middleware", "D:\Oracle\Middleware")
foreach ($path in $paths) {
    if (Test-Path $path) {
        # Find every idm.war under the home and report its path and file version.
        # Archives with no embedded Win32 version resource will show an empty Version.
        Get-ChildItem -Path $path -Recurse -Filter "idm.war" -ErrorAction SilentlyContinue |
            Select-Object FullName, @{N="Version"; E={$_.VersionInfo.FileVersion}}
    }
}

Also, keep an eye on your WebLogic logs if IdM is deployed there. Given the CVSS score, I'm assuming everyone is prioritizing this over the standard quarterly update cycle. How are you handling the downtime? Is everyone going with the out-of-band emergency patch, or are you relying on WAF rules until the next maintenance window?

DLP_Admin_Frank 3/22/2026

We are already seeing scanning activity targeting port 14000 (default OIM port) from a few distinct IPs. We've pushed a temporary deny-all rule at the edge for non-VPN traffic until we patch. I'd strongly suggest checking your logs for any POST requests to /identity/login or similar endpoints with malformed JSON—that seems to be the trigger vector based on early analysis.
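A log triage script for the check Frank describes, added here as an example (it is not code from any poster). It assumes WebLogic's default common-log-format access log, a trusted 10.0.0.0/8 range, and constructed sample lines; since an access log does not carry the request body, a rejected status (400 or above) stands in for "malformed JSON".

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in WebLogic's default common-log-format access.log layout
# (made-up entries, not captured traffic).
SAMPLE_LOG = """\
10.20.0.15 - - [22/Mar/2026:09:01:12 +0000] "GET /identity/faces/signin HTTP/1.1" 200 5120
203.0.113.45 - - [22/Mar/2026:09:02:03 +0000] "POST /identity/login HTTP/1.1" 500 312
203.0.113.45 - - [22/Mar/2026:09:02:04 +0000] "POST /identity/login HTTP/1.1" 500 312
203.0.113.45 - - [22/Mar/2026:09:02:05 +0000] "POST /identity/login HTTP/1.1" 400 298
10.20.0.15 - - [22/Mar/2026:09:03:44 +0000] "POST /identity/login HTTP/1.1" 302 0
198.51.100.7 - - [22/Mar/2026:09:05:10 +0000] "POST /identity/login HTTP/1.1" 500 312
"""
# Ranges expected to reach OIM (VPN/internal); assumed value for this example.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WATCHED_PREFIX = "/identity/login"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_trusted(ip):
    """True if the source address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def triage(log_text, threshold=2):
    """Count rejected (status >= 400) POSTs to the login endpoint from untrusted
    sources; return {ip: count} for sources at or above `threshold`."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec is None or rec["method"] != "POST"
                or not rec["path"].startswith(WATCHED_PREFIX)):
            continue
        if rec["status"] < 400 or is_trusted(rec["ip"]):
            continue
        hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

Run it over a real access.log by replacing SAMPLE_LOG with the file contents; sources returned by triage() are the ones worth checking against the edge deny rule.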

SA_Admin_Staff 3/22/2026

Patch fatigue is real, but a 9.8 on IdM isn't something you ignore. I'm worried about internal exposure too, not just internet-facing. Lateral movement from a compromised dev box to IdM would be trivial with unauth RCE. Make sure you scan your internal VLANs as well, not just the perimeter.

DevSecOps_Lin 3/22/2026

For anyone running this on WebLogic, remember to check the OPatch version before applying the patch. I've seen several people brick their environments this morning because their OPatch utility was too old for the July 2026 PSU. Always verify prerequisites in a non-prod environment first!

Thread Stats

Created 3/22/2026
Last Active 3/22/2026
Replies 3
Views 141