Update: Added that Oracle declined to comment on whether the vulnerability has been exploited.
Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992.
Oracle Identity Manager is used for managing identities and access across an enterprise, while Oracle Web Services Manager provides security and management controls for web services.
In an advisory released yesterday, Oracle is “strongly” recommending that customers apply the patches as soon as possible.
“This Security Alert addresses vulnerability CVE-2026-21992 in Oracle Identity Manager and Oracle Web Services Manager. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability might lead to remote code execution,” reads the security advisory.
“Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches immediately.”
The CVE-2026-21992 vulnerability has a CVSS v3.1 severity rating of 9.8 and impacts Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, as well as Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0.
Oracle says the flaw is of low complexity, remotely exploitable over HTTP, and doesn’t require authentication or user interaction, increasing the risk of exploitation on exposed servers.
The fix was released through its Security Alert program, which delivers out-of-schedule fixes or mitigations for critical or actively exploited vulnerabilities. However, Oracle says that patches released through this program are only provided for versions under Premier or Extended Support, and older unsupported versions may also be vulnerable.
Oracle has not disclosed whether the vulnerability has been exploited and declined to comment when BleepingComputer asked about its exploitation status.
In a separate blog post published today, Oracle once again noted the severity of CVE-2026-21992 and warned customers to review the security alert for full details and patch information.