Oracle Releases 245 Critical Patches: 43% Affect Fusion Middleware, CISO Concerned About Remote Unauthenticated Exploitation Risk

Oracle has released its Critical Security Patch Update (CSPU) for this week, including 245 new fixes for supported on-premises software. This move responds to an industry trend of announcing and fixing security vulnerabilities more quickly, complementing Oracle's traditional quarterly patch schedule. The patch set affects a wide range of products, including Oracle Enterprise Manager, JD Edwards, Fusion Middleware, MySQL, PeopleSoft, and others.

Goal: Targeted, High-Priority Patches

Oracle states that its goal is to deliver specific, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. "Oracle performs an analysis of each security vulnerability addressed in a critical security patch update," the company said. "Oracle provides this information so that customers can conduct their own risk analysis based on their specific product usage."

Expert Analysis: Which Patches Are Most Critical?

Flavio Villanustre, CISO of LexisNexis Risk Solutions, notes that while all are classified as high priority, some patches are more concerning. "The PeopleSoft patch for CVE-2026-35273 stands out because it fixes a critical remote code execution vulnerability in Oracle PeopleSoft that is being widely exploited in real-world environments. This patch was released as an out-of-cycle security alert and requires immediate remediation," he says. "But close behind are the Oracle Fusion patches, which received about a hundred fixes, more than half classified as remote exploits without authentication. These affect components like WebLogic Server."

Some of those patches correspond to Oracle Fusion Middleware products, several of which will no longer receive support from Oracle by the end of this year. However, Villanustre does not consider the number of vulnerabilities detected in them particularly alarming. He notes that "Oracle offers extended support for [Fusion Middleware] until December 2027 for those willing to pay more instead of upgrading, so it will still have support for 18 more months from now."

Scope Matters More Than Numbers

Sanchit Vir Gogia, chief analyst at Greyhound Research, indicates that the significance of Oracle's announcement lies not in the high number of patches, but in their scope. "The important number is not the 245 patches, but where they are concentrated," he said. "Of the 245 fixes, 106 are in Fusion Middleware, and 53 of those can be exploited remotely without authentication. That's not a patch hygiene issue; it's a control plane problem."

However, the most serious flaws are not necessarily those with the highest severity scores. "They are those that combine remote access, lack of authentication, and a privileged position in layers that other systems trust," he adds.

"WebLogic Server has two such issues with maximum severity, in a product that attackers have been analyzing and attacking for years. Oracle Coherence has another, and since it's a shared component, its risk multiplies silently across the environment. Oracle Unified Directory can be taken over without authentication via LDAP. WebCenter sits on the public perimeter. Several of these vulnerabilities change scope, meaning an intrusion can affect products beyond the initially compromised one."

CVSS 10.0 Vulnerabilities: Coherence and WebLogic in the Spotlight

Chris Doyle, head of security and compliance at JupiterOne, agrees that the most concerning vulnerabilities are those that can be exploited without stealing credentials. "The vulnerabilities that stand out most are the CVSS 10.0 ones in Oracle Coherence and WebLogic Server, remotely exploitable without authentication. Coherence is foundational to many enterprise application architectures, so compromising it doesn't just affect one system; it serves as a pivot point to everything that depends on it," he explains. And he adds: "WebLogic has been a target for ransomware and cryptocurrency mining for years, and unauthenticated access to the console is precisely the entry point these campaigns seek."

Doyle also expresses concern about vulnerabilities in PeopleSoft. "The one with the most immediate urgency is CVE-2026-35273 in PeopleSoft PeopleTools, which Oracle has confirmed was already being actively exploited even before the patch was released. Additionally, PeopleSoft manages HR, finance, and student systems, which are priority targets for ransomware operators," he says. "These are deeply interconnected systems that require coordinated updates across multiple layers with regression testing at each step. Often there is no simple compensating control to buy time: you simply have to apply the patches."

The Challenge of Patching End-of-Life Products

The Fusion Middleware issues (Oracle cites more than 30 vulnerabilities in this product family alone) also pose a challenge, because patching products that are approaching end of life fits poorly into how most IT operations teams run their patch cycles.

"Organizations still using it are trying to patch a heavily targeted product while planning a migration they can't postpone. These environments are highly customized, which slows down patching, and that gap between 'patch available' and 'patch applied' is exactly when attackers strike," says Doyle. "Once support ends, new vulnerabilities may not receive any patch. Given the volume we see in this cycle, assuming the situation will calm down before the deadline is not a bet I would make."

Gogia adds that there is little good news regarding vulnerabilities not yet confirmed to have been exploited. "The absence of confirmed exploitation does not bring peace of mind. As soon as an advisory is published, attackers analyze it, reverse the fix, scan exposed enterprise environments, and compete against customers still waiting for their maintenance window," he says. "WebLogic hasn't suddenly become dangerous. It has been a target for years, and one of its previous vulnerabilities is already on the government's catalog of exploited vulnerabilities. Waiting for a public proof of exploitation is the most expensive patching strategy. By the time that proof arrives, the silent work is usually already done."

Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.