Oracle has released security updates to address a critical security flaw impacting Identity Manager and Web Services Manager that could be exploited to achieve remote code execution.
The vulnerability, tracked as CVE-2026-21992, carries a CVSS score of 9.8 out of a maximum of 10.0.
"This vulnerability is remotely exploitable without authentication," Oracle said in an advisory. "If successfully exploited, this vulnerability could result in remote code execution."
CVE-2026-21992 affects the following versions:
- Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
- Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0
According to a description of the flaw in the NIST National Vulnerability Database (NVD), it is "easily exploitable" and could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. This, in turn, can result in the successful takeover of susceptible instances.
Oracle makes no mention of the vulnerability being exploited in the wild. However, the tech giant has urged customers to apply the update immediately for optimal protection.
In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61757 (CVSS score: 9.8), a pre-authenticated remote code execution flaw impacting Oracle Identity Manager, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.



