Patch

• Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager March 24, 2026

  Oracle issued an out-of-band emergency patch on March 19 for CVE-2026-21992, a CVSS 9.8 unauthenticated RCE affecting Oracle Identity Manager and Web Services Manager. If your org runs either product on versions 12.2.1.4.0 or 14.1.2.1.0, patching cannot wait for the next quarterly cycle.

• When the Management Plane Falls: CVE-2025-32975 and the Quest KACE SMA Problem March 24, 2026

  CVE-2025-32975 is a CVSS 10.0 authentication bypass in Quest KACE SMA, actively exploited since the week of March 9, 2026. Arctic Wolf has documented the full attack chain: initial access via the auth bypass, Mimikatz credential harvesting, and lateral movement to domain controllers and backup infrastructure.