Everyone β my previous thread on this was vague as hell because I didn't have the full picture yet, but Oracle just released the complete advisory and it is far more specific than "there's some bug." We're talking CVE-2026-3862 in Enterprise Edition database software (versions prior to patch 3589475) β an unpatched deserialization vulnerability that lets attackers run arbitrary code with SYS privileges via a crafted HTTP request. The craziest part is Oracle confirms this has already been weaponized against over 100 companies, which means the breach window is wide open and active.
The fix isn't "magic" though it is critical: if you're running Enterprise Edition on versions older than patch 3589475, you need to apply that patch immediately; there are also TDB patches for standalone servers and OS-level hardeners (IOPatch/TDPPatch) available for Linux and Solaris. Standard editions don't have this CVE but should still patch as a best practice. Oracle also has an advisory at oracle.com/corporate/news/oracle-alerts-customers-to-known-vulnerability-in-enterprise-edition-database-software detailing the full remediation path. Get patched β the cost of waiting is exactly what those 100 companies already paid.
Source: https://techcrunch.com/2026/06/11/oracle-warns-of-security-bug-that-hackers-abused-to-breach-100-companies/
The fix isn't "magic" though it is critical: if you're running Enterprise Edition on versions older than patch 3589475, you need to apply that patch immediately; there are also TDB patches for standalone servers and OS-level hardeners (IOPatch/TDPPatch) available for Linux and Solaris. Standard editions don't have this CVE but should still patch as a best practice. Oracle also has an advisory at oracle.com/corporate/news/oracle-alerts-customers-to-known-vulnerability-in-enterprise-edition-database-software detailing the full remediation path. Get patched β the cost of waiting is exactly what those 100 companies already paid.
Source: https://techcrunch.com/2026/06/11/oracle-warns-of-security-bug-that-hackers-abused-to-breach-100-companies/