{"id":33660,"date":"2026-05-06T00:00:34","date_gmt":"2026-05-05T22:00:34","guid":{"rendered":"https:\/\/www.proactivanet.com\/?p=33660"},"modified":"2026-05-05T10:03:02","modified_gmt":"2026-05-05T08:03:02","slug":"oracle-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.proactivanet.com\/en\/blog\/proactivanet-en\/oracle-vulnerabilities\/","title":{"rendered":"Oracle under attack: 241 critical vulnerabilities your infrastructure can't ignore"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">The <\/span><b>Oracle Database vulnerabilities<\/b><span style=\"font-weight: 400;\"> are back in the news. In April 2026, Oracle released its quarterly Critical Patch Update (CPU) with patches for 241 vulnerabilities, 18 of them classified as critical. If your organization uses Oracle Database, MySQL, WebLogic, GoldenGate or any other product in the Oracle ecosystem, you need to take action.<\/span><\/p>\n<p><b>In summary:<\/b><span style=\"font-weight: 400;\"> Oracle has released 241 security patches in April 2026, including 18 critical vulnerabilities affecting Oracle Database Server, MySQL and dozens of additional products. Without an up-to-date asset inventory, it is impossible to know if you are exposed.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>What are Oracle Database vulnerabilities and why do they matter?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">An <\/span><b>Oracle Database vulnerability<\/b><span style=\"font-weight: 400;\"> is a security flaw in Oracle database software that can be exploited by attackers to access, modify or destroy data, escalate privileges or compromise connected systems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Oracle releases its patches on a quarterly basis through the <\/span><b>Critical Patch Update (CPU)<\/b><span style=\"font-weight: 400;\">, a consolidated process that groups together all the flaws detected in the previous period. 
This means that weeks of exposure can accumulate between upgrades if you don't have visibility into which versions are deployed in your organization.<\/span><\/p>\n<p><b>Key points:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Oracle releases security patches 4 times a year (January, April, July, October).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The April 2026 CPU includes 241 vulnerabilities in more than 100 Oracle products.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">18 of these vulnerabilities have critical severity (maximum CVSS score).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Affected products include Oracle Database Server, MySQL Server, WebLogic, GoldenGate and OCI.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Without an up-to-date asset inventory, it is not possible to prioritize and execute the correct patches.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><b>Most critical Oracle products affected in April 2026<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The notice published by INCIBE-CERT on April 22, 2026 details the products with the highest risk. These have the greatest impact on typical business infrastructures:<\/span><\/p>\n<p><b>Oracle Database Server<\/b><span style=\"font-weight: 400;\"> (versions 12.1.0.2 to 23.26.1) - the data core of thousands of organizations in Spain and LATAM. 8 new security patches specific to this product.<\/span><\/p>\n<p><b>MySQL Server<\/b><span style=\"font-weight: 400;\"> (versions 8.0 to 9.6) - widely used in web applications and hybrid environments. 
The update also affects MySQL Workbench, MySQL Shell and MySQL Connectors.<\/span><\/p>\n<p><b>Oracle WebLogic Server<\/b><span style=\"font-weight: 400;\"> (versions 12.2.1.4 through 15.1.1.0) - critical in enterprise middleware environments.<\/span><\/p>\n<p><b>Oracle GoldenGate<\/b><span style=\"font-weight: 400;\"> - 10 new patches for the real-time data replication engine.<\/span><\/p>\n<p><b>Oracle REST Data Services and Graph Server<\/b><span style=\"font-weight: 400;\"> - relevant for modern and cloud architectures.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-33655 size-full\" src=\"https:\/\/www.proactivanet.com\/wp-content\/uploads\/2026\/05\/Diagrama-de-ecosistema-Oracle_es.jpg\" alt=\"Oracle under attack: 241 critical vulnerabilities your infrastructure can't ignore\" width=\"720\" height=\"393\" srcset=\"https:\/\/www.proactivanet.com\/wp-content\/uploads\/2026\/05\/Diagrama-de-ecosistema-Oracle_es.jpg 720w, https:\/\/www.proactivanet.com\/wp-content\/uploads\/2026\/05\/Diagrama-de-ecosistema-Oracle_es-300x164.jpg 300w, https:\/\/www.proactivanet.com\/wp-content\/uploads\/2026\/05\/Diagrama-de-ecosistema-Oracle_es-640x349.jpg 640w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><\/p>\n<h2><b>The real problem: you don't know which Oracle versions you have deployed<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Herein lies the real risk. It's not just about applying the patch - it's about <\/span><b>knowing what needs to be patched<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In medium to large organizations, the Oracle ecosystem may be distributed across multiple servers, development, pre-production and production environments, cloud instances (OCI) and legacy systems. 
Without an up-to-date and automated software inventory, the vulnerability response process becomes an inefficient and error-prone manual search.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The consequences of not having visibility are:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Vulnerable versions that remain unpatched for weeks or months.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Non-compliance with the ENS (National Security Scheme) or NIS2.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Exposure to failed audits and regulatory sanctions.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">An attack surface unknown to the security team.<\/span><\/li>\n<\/ul>\n<h3><b>How does Proactivanet help manage Oracle Database vulnerabilities?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Proactivanet includes a module for <\/span><b>technology asset inventory<\/b><span style=\"font-weight: 400;\"> that automatically detects and registers all Oracle DBMSs deployed in the infrastructure, including installed versions, location (on-premise or cloud), upgrade status and dependencies.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This means that, in the event of an alert such as the April 2026 CPU alert, the IT team can respond within minutes:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Identify which Oracle instances are affected by each CVE.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Prioritize patches according to criticality and actual exposure.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Document the remediation process for regulatory compliance.<\/span><\/li>\n<li 
style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Repeat the process in each quarterly Oracle cycle.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">In addition, the new <\/span><b>Oracle Cloud Infrastructure (OCI)<\/b><span style=\"font-weight: 400;\"> inventory module extends this visibility to cloud assets, enabling unified on-premise + cloud management from a single platform.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\ud83d\udc49 <a href=\"https:\/\/www.proactivanet.com\/en\/discovery-it-asset-management\/\">Discover Proactivanet's asset inventory module.<\/a> <\/span><\/p>\n<p><a href=\"https:\/\/www.proactivanet.com\/en\/discovery-it-asset-management\/cyberitam\/\"><span style=\"font-weight: 400;\">\ud83d\udc49 How Proactivanet helps ENS and NIS2 compliance <\/span><\/a><\/p>\n<h2><b>Best practices for responding to an Oracle CPU<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Managing Oracle Database vulnerabilities efficiently requires a repeatable process. 
These are the key recommendations:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Sign up for INCIBE-CERT alerts<\/b><span style=\"font-weight: 400;\"> to receive Oracle CPU notifications every quarter.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Maintain a dynamic inventory<\/b><span style=\"font-weight: 400;\"> of all installed Oracle products, with exact versions.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Prioritize by CVSS criticality<\/b><span style=\"font-weight: 400;\"> - CVEs with a score of 9.0+ are the first to be remediated.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Test patches in a staging environment<\/b><span style=\"font-weight: 400;\"> before applying them in production.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Document every action<\/b><span style=\"font-weight: 400;\"> for regulatory compliance (ENS, NIS2, ISO 27001).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Extend visibility to OCI<\/b><span style=\"font-weight: 400;\"> if you have Oracle workloads in the cloud.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">\ud83d\udd17 Reference source:<\/span><a href=\"https:\/\/www.incibe.es\/incibe-cert\/alerta-temprana\/avisos\/actualizaciones-criticas-en-oracle-abril-2026\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">INCIBE-CERT Notice - Critical Oracle Updates (April 2026)<\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Do you know exactly which Oracle versions you have in your infrastructure?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">If the answer is not an immediate \"yes,\" there is a visibility gap to resolve before Oracle's next CPU in July 2026.<\/span><\/p>\n<p><b>Proactivanet helps you take full control of your Oracle inventory - on-premise and in OCI - so that no critical vulnerability 
goes unnoticed.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">\ud83d\udc49 Request a <a href=\"https:\/\/www.proactivanet.com\/en\/contact\/\">free demo<\/a> and discover how thousands of organizations manage their Oracle ecosystem with Proactivanet.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Frequently Asked Questions about Oracle Database Vulnerabilities<\/b><\/h2>\n<ul>\n<li><b>How often does Oracle release security updates?<\/b><span style=\"font-weight: 400;\"> Oracle publishes its Critical Patch Update (CPU) on a quarterly basis, in January, April, July and October. Each release groups together all security flaws detected since the previous cycle. It is essential to have an inventory of the installed versions before each cycle in order to be able to act quickly.<\/span><\/li>\n<li><b>Do these vulnerabilities also affect Oracle Cloud Infrastructure (OCI)?<\/b><span style=\"font-weight: 400;\"> Yes. The April 2026 CPU includes patches for OCI components such as Management Cloud Engine and other Oracle cloud services. If your organization has migrated workloads to OCI, you need to extend your asset inventory to the cloud environment as well.<\/span><\/li>\n<li><b>What is the regulatory risk of not patching Oracle vulnerabilities in time?<\/b><span style=\"font-weight: 400;\"> Failure to apply critical patches within a reasonable period of time can result in non-compliance with the National Security Scheme (ENS), the NIS2 directive or ISO 27001, depending on the industry and type of organization. In the event of an incident, the absence of a documented vulnerability management process increases the organization's liability.<\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The Oracle Database vulnerabilities are back in the news. In April...  
<\/p>\n<div class=\"read-more mt-4 text-blue text-xs\"><\/div>\n","protected":false},"author":7,"featured_media":33685,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1930,1856,1848],"tags":[],"class_list":["post-33660","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ciberseguridad","category-compliance-13-quick-steps-to-meet-the-most-demanding-security-frameworks","category-proactivanet-en"],"acf":{"is_icon":""},"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/posts\/33660","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/comments?post=33660"}],"version-history":[{"count":3,"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/posts\/33660\/revisions"}],"predecessor-version":[{"id":33688,"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/posts\/33660\/revisions\/33688"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/media\/33685"}],"wp:attachment":[{"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/media?parent=33660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/categories?post=33660"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.proactivanet.com\/en\/wp-json\/wp\/v2\/tags?post=33660"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}