Oracle has released an emergency out-of-band patch for CVE-2026-21992, a critical vulnerability in Oracle Identity Manager and Oracle Web Services Manager that scores 9.8 out of 10 on the CVSS severity scale. As reported by Help Net Security, the flaw allows unauthenticated attackers to achieve remote code execution over HTTP, with no credentials and no user interaction required. Oracle broke its regular quarterly patching cycle to push this fix, which tells you how seriously they’re taking it.
For wealth management firms, this one matters a lot. Oracle Identity Manager is the backbone of access control for many financial services organisations — it manages who gets into client portals, internal systems, and sensitive financial data. A remotely exploitable, unauthenticated RCE in that system means an attacker could potentially take complete control of the identity infrastructure without needing to compromise a single user credential first. Given the regulatory expectations around client data protection under the Australian Privacy Act and ASIC’s cyber resilience guidelines, an unpatched identity management platform is a compliance risk as much as a security one.
If your firm runs Oracle Identity Manager or Oracle Web Services Manager (versions 12.2.1.4.0 or 14.1.2.1.0), apply the patch immediately. If you’re on older unsupported versions, you’re likely vulnerable too — and you should be having a serious conversation with your IT provider about an upgrade path. In the meantime, Oracle has published mitigations for organisations that can’t patch straight away, but these should be a stopgap, not a strategy.