
Oracle has released security updates to address a critical security flaw impacting Identity Manager and Web Services Manager that could be exploited to achieve remote code execution.
The vulnerability, tracked as CVE-2026-21992, carries a CVSS score of 9.8 out of a maximum of 10.0.
“This vulnerability is remotely exploitable without authentication,” Oracle said in an advisory. “If successfully exploited, this vulnerability could lead to remote code execution.”
CVE-2026-21992 affects the following versions –
- Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
- Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0
According to a description of the flaw in the NIST National Vulnerability Database (NVD), it is “easily exploitable” and could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. This, in turn, can result in the successful takeover of susceptible instances.
Oracle makes no mention of the vulnerability being exploited in the wild. However, the tech giant has urged customers to apply the update without delay for optimal protection.
In November 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61757 (CVSS score: 9.8), a pre-authenticated remote code execution flaw impacting Oracle Identity Manager, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

