CRITICAL 2 Apr 2026

Oracle and Cisco Zero-Days: Unauthenticated RCE Targeting Identity and Management Infrastructure

Emergency patches issued for Oracle Identity Manager and WebLogic (CVE-2026-21992, CVE-2026-21962) following zero-day exploitation. Cisco Secure FMC (CVE-2026-20131) and Juniper PTX (CVE-2026-21902) face critical unauthenticated RCE risks.

Key findings
01. Oracle Identity Management Cluster (CVE-2026-21992 & CVE-2026-21962)
Severity: CRITICAL. Confidence: High.
Oracle has released emergency security alerts addressing two critical unauthenticated remote code execution (RCE) vulnerabilities. CVE-2026-21992 (CVSS 9.8) affects Oracle Identity Manager, with evidence of zero-day exploitation in the wild.

02. Cisco Secure FMC Zero-Day (CVE-2026-20131)
Severity: CRITICAL. Confidence: High.
A critical unauthenticated RCE (CVSS 10.0) in Cisco Secure Firewall Management Center (FMC) is being actively exploited. Intelligence indicates the Interlock ransomware group has weaponised this vulnerability since at least 26 January 2026, creating a significant detection blind spot for affected organisations.

03. Juniper Junos OS Evolved PTX RCE (CVE-2026-21902)
Severity: CRITICAL. Confidence: High.
Juniper has disclosed a CVSS 10.0 vulnerability in Junos OS Evolved affecting high-performance PTX series routers. The flaw resides in the 'On-Box Anomaly Detection' framework and allows an unauthenticated attacker to achieve root-level RCE.

04. Google Chrome Zero-Day (CVE-2026-5281)
Severity: HIGH. Confidence: High.
Google has confirmed active exploitation of CVE-2026-5281, a high-severity use-after-free vulnerability in the Dawn graphics library. All managed endpoints must be updated to Chrome version 146.0.7680.177 or later to mitigate this active risk to browser environments.

05. Update: F5 BIG-IP RCE Reclassification (CVE-2025-53521)
Severity: HIGH. Confidence: High.
Update: CVE-2025-53521 has been reclassified from a Denial of Service (DoS) to a critical 9.8 RCE. Active exploitation by the China-nexus group UNC5221 is confirmed; mandatory patching to version 21.0.0 or fixed 17.x releases is required immediately.

06. Update: EU Commission (Europa.eu) 90GB Data Leak
Severity: HIGH. Confidence: High.
Update: The Europa.eu breach has escalated to a massive public leak, with a 90GB archive now circulating on dark web sites. The stolen data includes internal emails and contracts, resulting from a February compromise of staff mobile devices.

07. Update: Fortinet FortiClient EMS (CVE-2026-21643)
Severity: HIGH. Confidence: High.
Update: The confirmed exploitation window for the Fortinet EMS vulnerability has been backdated to 24 March 2026. Organisations should audit logs from this date for SQL injection attempts and verify the installation of patch 7.4.5+.

08. Update: Axios NPM Trojan (UNC1069)
Severity: HIGH. Confidence: High.
Update: Google GTIG has formally attributed the malicious Axios npm packages to the North Korean state-sponsored actor BlueNoroff (UNC1069). Maintainers must audit pinned dependencies and rotate all potentially exposed credentials.

Oracle Identity Management Cluster (CVE-2026-21992 & CVE-2026-21962)

Confidence: High

Oracle has released emergency security alerts addressing two critical unauthenticated remote code execution (RCE) vulnerabilities. CVE-2026-21992 (CVSS 9.8) affects Oracle Identity Manager, with evidence of zero-day exploitation in the wild. Simultaneously, CVE-2026-21962 (CVSS 10.0) targets the proxy functionality in Oracle WebLogic, allowing full system compromise without credentials.

The exploitation of identity infrastructure represents a Tier-0 threat to UK and EU enterprise environments, potentially allowing attackers to bypass all authentication controls. Given the confirmed zero-day activity, organisations using affected Oracle components must apply the emergency patches immediately and audit for unauthorised account creation or modification.

Cisco Secure FMC Zero-Day (CVE-2026-20131)

Confidence: High

A critical unauthenticated RCE (CVSS 10.0) in Cisco Secure Firewall Management Center (FMC) is being actively exploited. Intelligence indicates the Interlock ransomware group has weaponised this vulnerability since at least 26 January 2026, creating a significant detection blind spot for affected organisations.

The vulnerability allows attackers to gain administrative control over the firewall management platform, potentially facilitating network-wide lateral movement and data exfiltration. Security teams must review Cisco FMC logs back to late January for indicators of compromise (IoCs) and prioritise the deployment of Cisco's remediation guidance.

Juniper Junos OS Evolved PTX RCE (CVE-2026-21902)

Confidence: High

Juniper has disclosed a CVSS 10.0 vulnerability in Junos OS Evolved affecting high-performance PTX series routers. The flaw resides in the 'On-Box Anomaly Detection' framework and allows an unauthenticated attacker to achieve root-level RCE. This poses a direct threat to Critical National Infrastructure (CNI) and ISP-grade hardware in the UK and EU.

Google Chrome Zero-Day (CVE-2026-5281)

Confidence: High

Google has confirmed active exploitation of CVE-2026-5281, a high-severity use-after-free vulnerability in the Dawn graphics library. All managed endpoints must be updated to Chrome version 146.0.7680.177 or later to mitigate this active risk to browser environments.

Update: F5 BIG-IP RCE Reclassification (CVE-2025-53521)

Confidence: High

Update: CVE-2025-53521 has been reclassified from a Denial of Service (DoS) to a critical 9.8 RCE. Active exploitation by the China-nexus group UNC5221 is confirmed; mandatory patching to version 21.0.0 or fixed 17.x releases is required immediately.

Update: EU Commission (Europa.eu) 90GB Data Leak

Confidence: High

Update: The Europa.eu breach has escalated to a massive public leak, with a 90GB archive now circulating on dark web sites. The stolen data includes internal emails and contracts, resulting from a February compromise of staff mobile devices.

Update: Fortinet FortiClient EMS (CVE-2026-21643)

Confidence: High

Update: The confirmed exploitation window for the Fortinet EMS vulnerability has been backdated to 24 March 2026. Organisations should audit logs from this date for SQL injection attempts and verify the installation of patch 7.4.5+.

Update: Axios NPM Trojan (UNC1069)

Confidence: High

Update: Google GTIG has formally attributed the malicious Axios npm packages to the North Korean state-sponsored actor BlueNoroff (UNC1069). Maintainers must audit pinned dependencies and rotate all potentially exposed credentials.

Why This Matters

The simultaneous disclosure of multiple unauthenticated RCEs in core identity and perimeter infrastructure (Oracle, Cisco, F5) indicates a high-intensity period of infrastructure targeting. The reclassification of F5 and the scale of the EU Commission leak further exacerbate the regional threat landscape.

Recommended Actions

  • Apply Oracle emergency patches for Identity Manager and WebLogic immediately.
  • Audit Cisco FMC logs back to 26 January 2026 for Interlock ransomware activity.
  • Force update Chrome to version 146.0.7680.177+ across all fleets.
  • Implement F5 BIG-IP patches following the 9.8 RCE reclassification.
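
As an added example (not part of the original brief), the version floors named above can be checked against a fleet inventory export. The floors are the ones this brief states; the product keys, host names and tuple layout are hypothetical, and the inventory is constructed sample data.

```python
# Added example: patch-floor check over a constructed inventory export.
import re

# Minimum fixed versions as stated in this brief (product keys are hypothetical).
PATCH_FLOORS = {
    "chrome": "146.0.7680.177",
    "forticlient-ems": "7.4.5",
}

def parse_version(text):
    """Return a tuple of ints for a dotted version, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_patched(product, installed):
    """True/False against the floor; None when the version cannot be judged."""
    floor = parse_version(PATCH_FLOORS[product])
    have = parse_version(installed)
    if have is None:
        return None
    # Pad to equal length so "7.5" is compared as 7.5.0 against 7.4.5.
    width = max(len(floor), len(have))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) >= pad(floor)

def audit(inventory):
    """Return rows needing action: below the floor or not verifiable."""
    findings = []
    for host, product, version in inventory:
        if product not in PATCH_FLOORS:
            continue
        status = is_patched(product, version)
        if status is not True:
            reason = "unverified" if status is None else "below floor"
            findings.append((host, product, version, reason))
    return findings

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-001", "chrome", "146.0.7680.177"),
    ("ws-002", "chrome", "146.0.7680.99"),  # a string compare would wrongly pass this
    ("ws-003", "chrome", "147.0.7700.10"),
    ("ws-004", "chrome", "unknown"),
    ("ems-01", "forticlient-ems", "7.4.4"),
    ("ems-02", "forticlient-ems", "7.4.5"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(row)
```

Hosts whose version string cannot be parsed are reported as unverified rather than assumed patched.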

All findings grounded in A13E intelligence sweeps through 04:30 UTC 02 April 2026.
