Oracle Releases 245 Security Patches: What's Behind the Urgency?

Oracle has released its Critical Security Patch Update (CSPU) with 245 new fixes for supported on-premises software, covering products such as Oracle Enterprise Manager, JD Edwards, Fusion Middleware, MySQL, and PeopleSoft. This move responds to an industry trend of announcing and fixing vulnerabilities more quickly, complementing the traditional quarterly patch schedule.

Oracle states that its goal is to deliver specific, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. “Oracle performs an analysis of each security vulnerability addressed in a critical security patch update,” the company said. “Oracle provides this information so customers can conduct their own risk analysis based on their specific product usage.”

Critical Vulnerabilities: Beyond the Numbers

Flavio Villanustre, CISO of LexisNexis Risk Solutions, notes that while all patches are classified as high priority, some are more concerning. “The PeopleSoft patch for CVE-2026-35273 stands out because it fixes a critical remote code execution vulnerability in Oracle PeopleSoft that is being widely exploited in real-world environments. This patch was released as an out-of-cycle security alert and requires immediate remediation,” he says. “But close behind are the Oracle Fusion patches, which received about a hundred fixes, more than half classified as remote exploits without authentication. These affect components like WebLogic Server.”

Some of those patches correspond to Oracle Fusion Middleware products, several of which will reach end of support later this year. However, Villanustre does not consider the number of vulnerabilities detected in them alarming, noting that “Oracle offers extended support for [Fusion Middleware] until December 2027 for those willing to pay more instead of upgrading, so it will still have support for 18 more months from now.”

The Scope of the Patches: Fusion Middleware in the Spotlight

Sanchit Vir Gogia, chief analyst at Greyhound Research, indicates that the importance of the announcement lies not in the number of patches but in their scope. “The important number is not the 245 patches, but where they are concentrated,” he said. “Of the 245 fixes, 106 are in Fusion Middleware, and 53 of them can be exploited remotely without authentication. That's not a patch hygiene issue; it's a control plane problem.”

However, the most serious flaws are not necessarily those with the highest severity scores. “They are those that combine remote access, lack of authentication, and a privileged position in layers that other systems trust,” he adds. “WebLogic Server has two such issues with maximum severity, in a product that attackers have been analyzing and attacking for years. Oracle Coherence has another, and since it's a shared component, its risk silently multiplies across the environment. Oracle Unified Directory can be taken over without authentication via LDAP. WebCenter sits on the public perimeter. Several of these vulnerabilities change scope, meaning an intrusion can affect products beyond the initially compromised one.”

Chris Doyle, head of security and compliance at JupiterOne, agrees that the most concerning vulnerabilities are those that can be exploited without stealing credentials. “The vulnerabilities that stand out most are the CVSS 10.0 ones in Oracle Coherence and WebLogic Server, remotely exploitable without authentication. Coherence is foundational to many enterprise application architectures, so compromising it doesn't just affect one system; it serves as a pivot point to everything that depends on it,” he explains. “And WebLogic has been a target for ransomware and cryptocurrency mining for years, and unauthenticated access to the console is precisely the entry point these campaigns seek.”
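The analysts above rank the fixes by exploitability rather than raw count: confirmed exploitation first, then unauthenticated remote flaws, scope changes and shared components, weighed against what is actually deployed. The following patch-triage helper is an added example written for this article, not Oracle's tooling; its advisory rows are constructed, and only CVE-2026-35273 comes from the text (the other CVE ids are labelled placeholders).

```python
"""Rank constructed CPU-style advisory rows by the criteria quoted in the
article. Added example, not Oracle's tooling; rows are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    product: str
    cve: str
    cvss: float
    remote_no_auth: bool   # "remote exploit without authentication"
    scope_change: bool     # intrusion can reach products beyond the first one
    exploited: bool        # vendor-confirmed active exploitation

# Constructed sample rows. Only CVE-2026-35273 (PeopleSoft) appears in the
# article; the CVE-PLACEHOLDER-* ids are not real identifiers.
SAMPLE_ADVISORIES = [
    Advisory("PeopleSoft PeopleTools", "CVE-2026-35273", 9.8, True, False, True),
    Advisory("WebLogic Server", "CVE-PLACEHOLDER-1", 10.0, True, True, False),
    Advisory("Oracle Coherence", "CVE-PLACEHOLDER-2", 10.0, True, True, False),
    Advisory("MySQL Server", "CVE-PLACEHOLDER-3", 6.5, False, False, False),
    Advisory("JD Edwards", "CVE-PLACEHOLDER-4", 8.1, True, False, False),
]

def triage_score(adv, deployed, shared_components=frozenset()):
    """Higher means patch sooner. Products not deployed score 0 so that the
    ranking reflects the customer's own product usage, as Oracle suggests."""
    if adv.product not in deployed:
        return 0.0
    score = adv.cvss
    if adv.exploited:
        score += 100   # active exploitation outranks every other factor
    if adv.remote_no_auth:
        score += 20    # no credentials needed: the class the analysts fear most
    if adv.scope_change:
        score += 10    # compromise can spread past the first product
    if adv.product in shared_components:
        score += 10    # e.g. Coherence as a pivot point for dependents
    return score

def prioritize(advisories, deployed, shared_components=frozenset()):
    """Return CVE ids for deployed products, most urgent first."""
    scored = [(triage_score(a, deployed, shared_components), a.cve) for a in advisories]
    return [cve for score, cve in sorted(scored, reverse=True) if score > 0]

def unauthenticated_remote_count(advisories):
    """Counts like the '53 of 106' figure quoted for Fusion Middleware."""
    return sum(1 for a in advisories if a.remote_no_auth), len(advisories)
```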

PeopleSoft: Active Exploitation and Immediate Urgency

Doyle also expresses concern about vulnerabilities in PeopleSoft. “The one with the most immediate urgency is CVE-2026-35273 in PeopleSoft PeopleTools, which Oracle confirmed was already being actively exploited even before the patch was released. Additionally, PeopleSoft manages HR, finance, and student systems, which are prime targets for ransomware operators,” he says. “These are deeply interconnected systems that require coordinated updates across multiple layers with regression testing at each step. Often there is no simple compensating control to buy time: you just have to apply the patches.”

The Fusion Middleware issues—Oracle cites more than 30 vulnerabilities in this package alone—also pose a challenge, given how most IT operations handle patching for end-of-life products. “Organizations still using it are trying to patch a heavily targeted product while planning a migration they can't postpone. These environments are highly customized, which slows down patching, and that gap between 'patch available' and 'patch applied' is exactly when attackers strike,” Doyle notes. “Once support ends, new vulnerabilities may not receive any patch. Given the volume we see in this cycle, assuming things will calm down before the deadline is not a bet I would make.”

The Race Against Time: Patching Before It's Too Late

Gogia adds that there is little good news regarding vulnerabilities not yet confirmed as exploited. “The absence of confirmed exploitation is not reassuring. As soon as an advisory is published, attackers analyze it, reverse the fix, scan exposed enterprise environments, and race against customers still waiting for their maintenance window,” he says. “WebLogic hasn't suddenly become dangerous. It has been a target for years, and one of its previous vulnerabilities is already in the government catalog of exploited vulnerabilities. Waiting for public proof of exploitation is the most expensive patching strategy. By the time that proof arrives, the quiet work is usually already done.”

This scenario underscores the importance of having a robust and updated infrastructure, such as that discussed in our analysis on virtualization with Proxmox. Additionally, automating security processes can be key, as described in our security guide with n8n and AI. For environments already exploring AI, automated code review, as discussed in this article, can help detect vulnerabilities before they are exploited.


Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.