
Oracle Releases the First Critical Patch Update of 2026

URGENT ACTION REQUIRED

Commentary

The Oracle Critical Patch Update (CPU) for January 2026 contains 337 new security patches addressing vulnerabilities in Oracle code and third-party components. Oracle strongly recommends immediate application of these patches due to ongoing reports of malicious exploitation attempts. 

Waratek customers may already be protected from attacks attempting to exploit these vulnerabilities by a Waratek RASP rule. Contact [email protected] for more specific information about how the January 2026 Oracle Critical Patch Update may impact your applications. 

Critical CVSS Summary (Score 9.0 – 10.0)

A CVSS score of 10.0 is the maximum possible rating. Vulnerabilities at this level are typically exploitable over the network by an unauthenticated attacker and give full control over confidentiality, integrity and availability, which in practice usually means remote code execution without credentials.

CVE ID          | CVSS | Affected Product Families                                              | Vulnerability Impact
CVE-2025-66516  | 10.0 | Fusion Middleware, PeopleSoft, Construction, Commerce, Communications  | Critical XXE injection via Apache Tika
CVE-2026-21962  | 10.0 | Fusion Middleware (HTTP Server, WebLogic)                              | Remote exploit of Proxy Plug-in
CVE-2025-49844  |  9.9 | Oracle Communications (Operations Monitor)                             | Infrastructure vulnerability in Valkey
CVE-2025-54988  |  9.8 | Fusion Middleware (BPM Suite)                                          | Critical flaw in Apache Commons Compress
CVE-2025-4949   |  9.8 | Fusion Middleware (Data Integrator)                                    | Security vulnerability in Eclipse JGit
CVE-2025-54874  |  9.8 | Fusion Middleware, Supply Chain (AutoVue)                              | Core vulnerability in OpenJPEG
CVE-2025-6965   |  9.8 | MySQL Server, PeopleSoft, Siebel CRM                                   | Vulnerability in SQLite components
CVE-2026-21969  |  9.8 | Oracle Supply Chain (Agile PLM)                                        | Supplier Portal remote exploit
CVE-2025-49796  |  9.1 | Financial Services, Fusion Middleware, Hyperion, Analytics             | Core vulnerability in libxml2

Focus Area: Key Product Families

PeopleSoft

PeopleSoft received 12 new security patches, of which 10 are remotely exploitable without authentication.

  • Highest Severity: CVE-2025-66516 (CVSS 10.0) affects PeopleSoft Enterprise PeopleTools via the OpenSearch (Apache Tika) component.
  • Infrastructure Risk: CVE-2025-6965 (CVSS 9.8) affects PeopleTools via SQLite.

Oracle Fusion Middleware

This family received 51 new security patches, with 47 being remotely exploitable without authentication.

  • Highest Severity: CVE-2025-66516 and CVE-2026-21962 both carry a CVSS score of 10.0.
  • Widespread Risk: Multiple vulnerabilities (CVSS 9.8) affect components like Apache Commons Compress, Eclipse JGit, and OpenJPEG.

Oracle E-Business Suite (EBS)

EBS includes 8 new security patches, with 2 remotely exploitable without authentication.

  • Key Vulnerability: Several components, including Field Service, Human Resources, and Succession Planning, are affected by CVE-2025-48734 (CVSS 8.8) due to an issue in Apache Commons BeanUtils.
  • Dependency Warning: EBS relies on Database and Fusion Middleware; customers must apply relevant patches to those underlying components as well.

Oracle Java SE

Java SE contains 11 new security patches, all of which are remotely exploitable without authentication.

  • Max Score: 7.5 (CVE-2025-43368, CVE-2025-7425, and CVE-2026-21945).
  • Affected Components: Key vulnerabilities impact JavaFX (WebKitGTK, libxml2, glibc) and general Security modules.
  • mTLS Certificate Path Issue: CVE-2026-21945 is remotely exploitable without authentication and concerns how client certificates are processed during mutual TLS (mTLS) authentication. Under specific, non-default configurations, Java may attempt to resolve certificate authority (CA) information referenced inside a client certificate before the certificate chain is fully validated. A remote, unauthenticated client can abuse this behavior by presenting a specially crafted certificate that causes the JVM to initiate outbound connections to attacker-controlled or unexpected locations during the TLS handshake.

The practical impact is service disruption: these connections can consume threads and CPU, eventually leading to denial of service. This vulnerability primarily affects environments that rely on mTLS and have enabled automatic retrieval of issuing CA certificates via the Authority Information Access (AIA) extension. Systems with strict uptime requirements or exposed TLS endpoints should treat this as a priority availability concern.

The primary remediation is to apply the latest Java SE CPU release. Waratek customers can be immediately protected by disabling access to the /dev/urandom file using the file rule on Waratek Secure. Additionally, if it is not strictly required, customers should disable the enableAIAcaIssuers option (the com.sun.security.enableAIAcaIssuers system property, which is off by default) that allows automatic CA issuer retrieval during certificate path validation.
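The following script is an added triage example for the mTLS/AIA issue described above; it is not Waratek's code and is not part of the Oracle advisory. It takes the DER value of a client certificate's Authority Information Access extension (assumed to have already been extracted from the presented certificate, for example at a TLS-terminating proxy or from a captured handshake), lists the caIssuers URIs a JVM running with com.sun.security.enableAIAcaIssuers=true would try to fetch during path building, and flags any whose host is outside an allowlist. The DER helpers, the allowlist and every sample URI below are constructed for illustration.

```python
from urllib.parse import urlsplit

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers (what AIA fetching follows)

# Minimal DER helpers: enough for AuthorityInfoAccessSyntax, not a general ASN.1 library.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end

def _children(seq_body: bytes):
    pos = 0
    while pos < len(seq_body):
        tag, val, pos = _read_tlv(seq_body, pos)
        yield tag, val

def build_aia(entries) -> bytes:
    """Encoder used only to construct sample data: SEQUENCE OF AccessDescription,
    each AccessDescription = SEQUENCE { accessMethod OID, accessLocation [6] IA5String }."""
    descs = b"".join(_tlv(0x30, _encode_oid(oid) + _tlv(0x86, uri.encode("ascii")))
                     for oid, uri in entries)
    return _tlv(0x30, descs)

def ca_issuer_uris(aia_der: bytes) -> list:
    """All caIssuers URIs in an AIA extension value, in certificate order."""
    tag, body, _ = _read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    uris = []
    for tag, desc in _children(body):
        if tag != 0x30:
            continue
        parts = list(_children(desc))
        if len(parts) != 2 or parts[0][0] != 0x06:
            continue
        method, (loc_tag, loc_val) = _decode_oid(parts[0][1]), parts[1]
        if method == OID_CA_ISSUERS and loc_tag == 0x86:   # GeneralName uniformResourceIdentifier
            uris.append(loc_val.decode("ascii", "replace"))
    return uris

def unexpected_ca_issuers(aia_der: bytes, allowed_hosts) -> list:
    """caIssuers URIs whose host is not allowlisted: each one is an outbound connection the
    JVM would open mid-handshake if enableAIAcaIssuers were on."""
    allowed = {h.lower() for h in allowed_hosts}
    return [uri for uri in ca_issuer_uris(aia_der)
            if (urlsplit(uri).hostname or "").lower() not in allowed]

# Constructed samples (not real certificates): a normal corporate client cert and a crafted one
# pointing the JVM at hosts the attacker controls. 203.0.113.0/24 is documentation address space.
BENIGN_AIA = build_aia([
    (OID_OCSP, "http://ocsp.corp.example/"),
    (OID_CA_ISSUERS, "http://pki.corp.example/issuing-ca.cer"),
])
CRAFTED_AIA = build_aia([
    (OID_CA_ISSUERS, "http://pki.corp.example/issuing-ca.cer"),
    (OID_CA_ISSUERS, "http://203.0.113.7:8080/slow"),       # attacker-held listener
    (OID_CA_ISSUERS, "ldap://attacker.example.net/cn=ca"),  # Java's path builder can fetch ldap:// too
])
ALLOWED_AIA_HOSTS = {"pki.corp.example"}  # hypothetical allowlist of your own PKI hosts

if __name__ == "__main__":
    for name, aia in (("benign", BENIGN_AIA), ("crafted", CRAFTED_AIA)):
        print(name, "->", unexpected_ca_issuers(aia, ALLOWED_AIA_HOSTS))
```

A non-empty result from unexpected_ca_issuers on an inbound client certificate is a good indicator to log at the TLS edge; it also shows why leaving enableAIAcaIssuers at its default (off) is the simplest mitigation: with the fetch disabled, the URIs are never contacted at all.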

Threat Intelligence: Active Attacks and Zero-Days

  • Active Attacks: External research indicates that CVE-2025-66516 (CVSS 10.0), the critical XXE vulnerability in Apache Tika, has drawn intense industry scrutiny, with reports of active exploitation in the wild across multiple platforms that embed Tika.
  • Recent Exploitation History: Oracle notes that attackers have previously succeeded in exploiting vulnerabilities because customers failed to apply patches in a timely manner.
  • Zero-Day Status: The January 2026 advisory does not explicitly tag any new "zero-day" in its release notes, but CVSS 10.0 flaws such as CVE-2026-21962 are likely to be prioritized by threat actors immediately following disclosure and should be patched on the same timeline.

For More Information

Waratek Customers should contact [email protected] for more specific information about the January 2026 Oracle Critical Patch Update.  

If you are interested in how Waratek can block attacks against known and zero-day vulnerabilities and help patch and protect your applications with no downtime or source code changes, please contact [email protected].

ABOUT WARATEK

Waratek offers the only compiler-based runtime application tools that find vulnerabilities in the pre-production development pipeline, block attacks in production, and virtually patch flaws with no downtime or source code changes. Waratek IAST watches code execute to identify security flaws with absolute certainty, eliminating the "guesswork" and alert fatigue associated with traditional scanners. Waratek RASP intercepts and terminates unsafe operations at the JVM level, stopping attempts to change application behavior in attacks aimed at known and zero-day vulnerabilities. Waratek is a trusted partner for organizations in industries such as financial services, hospitality, healthcare, and technology. Waratek has offices in Dublin, Ireland and Chicago, Illinois.
