Oracle January 2026 Critical Patch Update Fixes 336 Vulnerabilities Including CVSS 10.0 Fusion Middleware Flaw

Oracle has released its January 2026 Critical Patch Update (CPU), addressing 336 new security vulnerabilities across its enterprise software portfolio. Among the most severe is a maximum-severity flaw in Oracle Fusion Middleware that could allow attackers to seize complete control of affected servers without authentication.

The Critical Flaw

The vulnerability, tracked as CVE-2026-21962, carries a CVSS score of 10.0—the highest possible severity rating. It affects the Oracle HTTP Server and WebLogic Server Proxy Plug-in, critical components used to bridge web traffic to backend applications in enterprise environments.

The flaw is remotely exploitable without authentication, meaning attackers can compromise vulnerable systems over the network without requiring any credentials. Affected versions include Oracle HTTP Server 12.2.1.4.0 and 14.1.2.0.0, as well as WebLogic Server Proxy Plug-in versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0.

Additional CVSS 10.0 Vulnerabilities

Oracle Fusion Middleware isn't the only product family with maximum-severity flaws. The January CPU also addresses CVSS 10.0 vulnerabilities in:

  • Oracle Commerce (Guided Search and Platform, version 11.4.0)
  • Oracle Communications (multiple products)
  • Oracle PeopleSoft (Enterprise PeopleTools versions 8.60, 8.61, 8.62)

Scope of the Update

The 336 patches span virtually every major Oracle product line:

Product Family               New Patches   Max CVSS
Oracle Communications        56            10.0
Oracle Fusion Middleware     52            10.0
Oracle Financial Services    38            9.1
Oracle MySQL                 20            9.8
Oracle Siebel CRM            14            9.8
Oracle Retail Applications   14            8.8
Oracle Virtualization        14            8.2
Oracle PeopleSoft            12            10.0
Oracle Hyperion              12            9.1
Oracle Java SE               11            7.5

Of the 52 Fusion Middleware vulnerabilities, 47 are remotely exploitable without authentication. Oracle Communications fares similarly, with 34 of its 56 flaws exploitable without credentials.

Recommendations

Oracle strongly recommends applying patches immediately. Organizations running Oracle HTTP Server, WebLogic Server, or any affected Fusion Middleware components should prioritize patching given the unauthenticated remote exploitation vector.

Administrators should review the full advisory for product-specific patch availability and consult Oracle's support documentation for deployment guidance.
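As an added example (not code from the article or from Oracle), the following Python flags inventory entries whose product and version match the affected releases the article lists for CVE-2026-21962. The host names and inventory format are assumptions, and a version match only means the release is in scope; it does not tell you whether the CPU has already been applied.

```python
# Added example: match a host inventory against the affected versions the
# article lists for CVE-2026-21962 (Oracle HTTP Server / WebLogic Proxy Plug-in).
from typing import NamedTuple

# Affected versions exactly as stated in the article, keyed by product name.
AFFECTED_BY_CVE_2026_21962 = {
    "Oracle HTTP Server": {"12.2.1.4.0", "14.1.2.0.0"},
    "WebLogic Server Proxy Plug-in": {"12.2.1.4.0", "14.1.1.0.0", "14.1.2.0.0"},
}


class Host(NamedTuple):
    name: str
    product: str
    version: str


def normalize_version(version: str) -> tuple:
    """Parse an Oracle dotted version into a 5-component integer tuple.

    Inventory tools often drop trailing zeros ("12.2.1.4" for 12.2.1.4.0),
    so pad to five components before comparing.
    """
    parts = [int(p) for p in version.strip().split(".") if p]
    if not 1 <= len(parts) <= 5:
        raise ValueError(f"unexpected Oracle version format: {version!r}")
    return tuple(parts + [0] * (5 - len(parts)))


def affected_hosts(inventory: list) -> list:
    """Return hosts whose product/version pair is on the affected list."""
    affected = {
        product: {normalize_version(v) for v in versions}
        for product, versions in AFFECTED_BY_CVE_2026_21962.items()
    }
    return [
        h for h in inventory
        if h.product in affected and normalize_version(h.version) in affected[h.product]
    ]


# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = [
    Host("web-01", "Oracle HTTP Server", "12.2.1.4"),        # trailing zero dropped
    Host("web-02", "Oracle HTTP Server", "14.1.2.0.0"),
    Host("web-03", "Oracle HTTP Server", "14.1.1.0.0"),      # not on the article's list
    Host("proxy-01", "WebLogic Server Proxy Plug-in", "14.1.1.0.0"),
    Host("db-01", "Oracle MySQL", "8.0.36"),
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host.name}: {host.product} {host.version} is in scope for CVE-2026-21962")
```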
