The Oracle Critical Security Patch Update (CSPU) released this week contains 245 newly announced fixes for supported on-premises software, some of which affect multiple products. It responds to an industry trend toward announcing and fixing security holes much more quickly, and complements Oracle’s traditional quarterly patch schedule. The current batch affects a wide range of products, including Oracle Enterprise Manager, JD Edwards, Fusion Middleware, MySQL, PeopleSoft and others.

Oracle said its aim is to provide targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. “Oracle conducts an analysis of each security vulnerability addressed by a Critical Security Patch Update,” the company said. “Oracle provides this information so that customers may conduct their own risk analysis based on the particulars of their product usage.”

Flavio Villanustre, CISO for LexisNexis Risk Solutions, said that although all of the patches are designated high priority, he viewed some as more concerning than others. “The PeopleSoft patch for CVE-2026-35273 stands out [because] it addresses a critical remote code execution vulnerability in Oracle PeopleSoft, which is widely exploited in the wild. This patch was released as an out-of-band Security Alert and requires immediate remediation,” Villanustre said. “But not far behind, there are the patches to Oracle Fusion, which received a hundred or so patches with more than half classified as remote exploits without authentication. These affect components such as WebLogic Server.”

Some of those patches were for Oracle Fusion Middleware products, a number of which reach end of support from Oracle by the end of the year. Villanustre, however, did not see the many security holes identified within them as especially concerning.
He pointed out, “Oracle offers extended support for [Fusion Middleware] until December 2027 for those with the appetite to pay more money in lieu of upgrading, so it will still be supported for 18 more months, starting now.”

Sanchit Vir Gogia, chief analyst at Greyhound Research, said that the significance of the Oracle announcement lies not in the sheer number of patches but in their scope.

“The figure worth watching is not the 245 patches but where they land,” he noted. “Of the 245 fixes, 106 sit in Fusion Middleware and 53 of those can be reached remotely without authentication. That is not patch hygiene. That is a control-plane problem.”

In his view, the most serious flaws are not those with the highest severity scores. “They are the ones that combine remote reach, absent authentication and privileged placement in layers that other systems are built to trust,” he said. “WebLogic Server carries two such issues at the maximum severity, on a product attackers have scanned for and targeted for years,” he noted. “Oracle Coherence carries another, and Coherence is a shared component, so its risk multiplies quietly across the estate. Oracle Unified Directory can be taken over without authentication over LDAP. WebCenter sits at the public edge. Several of these flaws change scope, meaning one compromise can reach products well beyond the one first breached.”

Chris Doyle, the head of security and compliance at JupiterOne, said that, like Gogia, he was most concerned by the vulnerabilities that can be exploited without an attacker having to steal credentials first.

“The flaws that stand out the most are the CVSS 10.0 vulnerabilities in Oracle Coherence and WebLogic Server, remotely exploitable with no authentication required. Coherence sits underneath a lot of enterprise application stacks, so compromising it isn’t just one system, it’s a pivot point into everything that depends on it,” Doyle said.
And, he added, “WebLogic has been a ransomware and crypto mining target for years and unauthenticated console access is exactly the foothold those campaigns look for.”

Doyle said he was also worried about the PeopleSoft holes.

“The one carrying the most immediate urgency is CVE-2026-35273 in PeopleSoft PeopleTools, which Oracle confirmed was already being actively exploited before this patch even shipped, and PeopleSoft runs the HR, finance, and student systems that ransomware operators specifically target,” Doyle said. “These are deeply coupled systems that require coordinated upgrades across multiple layers with regression testing at each step. There’s often no easy compensating control to buy time, you just have to patch your way through it.”

The Fusion Middleware flaws (Oracle cited more than 30 vulnerabilities in this batch alone) also present a problem, given how most enterprise IT operations handle patching for end-of-life products.

“Organizations still on it are now trying to patch a heavily targeted product while simultaneously planning a migration they can’t defer. These environments are heavily customized, which makes patching slow, and that gap between ‘patch available’ and ‘patch applied’ is exactly when attackers move,” Doyle said. “Once support ends, new vulnerabilities may get no patch at all,” he noted. “Given the volume we’re seeing in just this one cycle, assuming things will quiet down before the sunset deadline isn’t a bet I’d want to make.”

Gogia added that the flaws not yet confirmed as exploited offer little comfort either. “The absence of confirmed exploitation elsewhere is no comfort. Once an advisory is published, attackers read it, reverse the fix, scan the exposed enterprise environments and race the customers still waiting on a maintenance window,” Gogia said. “WebLogic has not suddenly become dangerous.
It has been a standing target for years, and one of its earlier flaws already sits on the [Known Exploited Vulnerabilities] government catalogue. Waiting for public proof of exploitation is the most expensive patch strategy on the menu. By the time the proof arrives, the quiet work is generally done.”
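The triage rule the analysts describe above (confirmed exploitation first, then network reach without authentication, then scope change and placement on a shared component, with the CVSS base score only as a tiebreaker) can be applied mechanically to any advisory feed that publishes CVSS v3.x vector strings. The script below is an added example written for this page; it is not code from the article, from Oracle, or from any of the people quoted. The `Entry` dataclass, the `EXAMPLE-n` identifiers, the product labels, the scores and the vector strings are all constructed for illustration and do not correspond to any entry in the CPU discussed here. It goes slightly beyond the article by accepting any CVSS 3.0/3.1 vector rather than the specific products named.

```python
"""Rank a batch of advisory entries by exposure rather than by CVSS base score alone:
confirmed exploitation, remote reach without authentication, scope change and
placement on a shared component outrank the raw score (added example, not vendor code)."""
from dataclasses import dataclass

REQUIRED_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


@dataclass(frozen=True)
class Entry:
    ident: str               # placeholder identifier; the data below is constructed
    product: str             # hypothetical product label
    cvss: float              # CVSS v3.x base score as published in the advisory
    vector: str              # CVSS v3.x vector string
    exploited: bool = False  # vendor or a government catalogue confirms in-the-wild use
    shared: bool = False     # a component that other products are built on top of


def parse_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector such as 'CVSS:3.1/AV:N/AC:L/...' into a metric map.

    Rejects other versions and vectors missing any base metric, so a typo in an
    advisory feed fails loudly instead of silently ranking as 'not remote'."""
    head, *parts = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"unsupported vector: {vector!r}")
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} missing base metrics {missing}")
    return metrics


def unauth_remote(metrics: dict) -> bool:
    """Network-reachable (AV:N) with no privileges required (PR:N): nothing to steal first."""
    return metrics["AV"] == "N" and metrics["PR"] == "N"


def urgency(entry: Entry) -> tuple:
    """Sort key; a larger tuple means more urgent. Confirmed exploitation outranks
    everything, then unauthenticated remote reach, then scope change (S:C, a compromise
    that crosses into other components), then shared placement; the score decides last."""
    m = parse_vector(entry.vector)
    return (
        int(entry.exploited),
        int(unauth_remote(m)),
        int(m["S"] == "C"),
        int(entry.shared),
        entry.cvss,
    )


def triage(entries) -> list:
    """Most urgent entry first."""
    return sorted(entries, key=urgency, reverse=True)


def ranked_ids(entries=None) -> list:
    return [e.ident for e in triage(SAMPLE if entries is None else entries)]


def unauth_remote_count(entries=None) -> int:
    """How many entries are reachable remotely without authentication."""
    chosen = SAMPLE if entries is None else entries
    return sum(unauth_remote(parse_vector(e.vector)) for e in chosen)


# Constructed sample batch. Identifiers, products, scores and vectors are invented for
# illustration and do not correspond to any entry in the Oracle CPU discussed above.
SAMPLE = [
    Entry("EXAMPLE-1", "hr-suite", 8.8,
          "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", exploited=True),
    Entry("EXAMPLE-2", "app-server", 10.0,
          "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"),
    Entry("EXAMPLE-3", "data-grid", 9.8,
          "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", shared=True),
    Entry("EXAMPLE-4", "directory", 9.8,
          "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Entry("EXAMPLE-5", "admin-console", 9.9,
          "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"),
]

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.ident:10} {e.product:14} {e.cvss:4} key={urgency(e)}")
```

Run stand-alone, the ordering is EXAMPLE-1 (an 8.8 that is already exploited) ahead of the 10.0, and the 9.9 that requires a low-privilege account lands last, behind two 9.8s that need no credentials at all. That inversion is the point the analysts make: on a real CPU you would feed this the published vectors and a local flag for anything on the Known Exploited Vulnerabilities catalogue, then work the list from the top rather than from the highest score.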