On Monday, the US Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerability Catalog to include a critical flaw that affects Oracle Fusion Middleware systems. The bug has been confirmed to be exploited in the wild. The CISA stated that the flaw allows unauthenticated attackers with network access to compromise Oracle Access Manager, which can result in the program’s takeover. The flaw has been assigned a CVSS score of 9.8, classifying it as high severity.
Tracked as CVE-2021-35587, the flaw was addressed by Oracle last January in its Critical Patch Update Advisory. CISA’s addition of the flaw to the catalog means that systems have not been updated since the vulnerability’s disclosure, leading to its exploitation in the wild. Security firm Synopsys Software Integrity Group states that news of vulnerabilities being exploited in the wild should prompt security teams to apply patches immediately, if they have not already done so. Otherwise, the risk from unpatched software continues to rise as the flaws are targeted by cyberattackers.
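The practical follow-up to a KEV addition is to check whether anything in your own estate matches the new entry and whether the remediation due date has already passed. The script below is an added example, not code from the article, CISA or Oracle: it parses a feed in the shape of CISA's public KEV JSON (a top-level `vulnerabilities` list with `cveID`, `vendorProject`, `product` and `dueDate` fields) and cross-references it against an asset inventory. The feed snippet, the inventory hosts and every date in it are constructed placeholders, and the inventory format (`vendor`, `product`, `patched_cves`) is an assumption of this example.

```python
"""Cross-reference a CISA KEV-style feed against an asset inventory.

Added example, not code from the article or from CISA. The JSON layout
mirrors the public KEV feed's top-level "vulnerabilities" list; the feed
contents, hosts and dates below are constructed placeholders.
"""
import json
from datetime import date

# Constructed sample feed (placeholder dates and a placeholder second entry).
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-35587",
            "vendorProject": "Oracle",
            "product": "Fusion Middleware",
            "vulnerabilityName": "Oracle Fusion Middleware Unspecified Vulnerability",
            "dateAdded": "2022-11-01",
            "shortDescription": "Oracle Access Manager flaw allowing unauthenticated takeover.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-11-22",
        },
        {
            "cveID": "CVE-0000-00001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry",
            "dateAdded": "2022-11-01",
            "shortDescription": "Placeholder entry for illustration only.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-12-15",
        },
    ],
})

# Constructed inventory (assumed format): what is deployed and which CVEs are patched.
SAMPLE_INVENTORY = [
    {"host": "oam-prod-01", "vendor": "Oracle", "product": "Fusion Middleware", "patched_cves": []},
    {"host": "oam-prod-02", "vendor": "Oracle", "product": "Fusion Middleware", "patched_cves": ["CVE-2021-35587"]},
    {"host": "web-01", "vendor": "OtherVendor", "product": "WebServer", "patched_cves": []},
]


def load_kev(feed_text):
    """Parse a KEV-style feed and index its entries by CVE id."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def _matches(entry, asset):
    """Case-insensitive vendor/product match between a KEV entry and an asset."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and entry["product"].lower() in asset["product"].lower())


def find_exposed(kev, inventory, today_iso):
    """Return unpatched KEV matches, overdue items first, then by due date.

    today_iso is an ISO date string so the caller controls the reference date.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve_id, entry in kev.items():
            if cve_id in asset.get("patched_cves", []):
                continue  # vendor fix already applied on this host
            if _matches(entry, asset):
                due = date.fromisoformat(entry["dueDate"])
                findings.append({
                    "host": asset["host"],
                    "cveID": cve_id,
                    "dueDate": entry["dueDate"],
                    "overdue": today > due,
                })
    findings.sort(key=lambda f: (not f["overdue"], f["dueDate"]))
    return findings


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_FEED)
    for finding in find_exposed(catalog, SAMPLE_INVENTORY, "2022-12-01"):
        print(finding)
```

Run against the constructed data, only `oam-prod-01` is reported, flagged overdue because the placeholder due date has passed; the host with the fix recorded and the unrelated web server produce nothing. Against the real feed, the same matching logic would need the inventory's vendor and product strings normalised to CISA's naming.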