Good News – Starting in mid-April 2026, customers running Windows Server 2022 and Windows Server 2019 will have the ability to opt-in to the Windows Server 2025 feature update from the Settings Dialog.

This capability allows customers who want to in-place upgrade their servers to Windows Server 2025 to upgrade using the Windows Update service, and without the need for Windows Server 2025 physical media. On the Windows Server team, we aim for 100% application compatibility, and we are confident that most applications and services will continue to work well after the in-place upgrade to Windows Server 2025.

We recognize that in-place upgrade will not be used by all organizations for all of their servers – some organizations will prefer to perform a clean install, i.e., reformatting the system drive, installing Windows Server 2025, and then re-installing applications and services. Other organizations embrace in-place upgrade because it’s quick and they can avoid re-installing applications and services. Some organizations will use a combination of clean install and in-place upgrade approaches, depending on the role of each server.

The full blog post is available on the Microsoft blog.

NICE Releases NICE Framework Components v2.2.0

NICE is pleased to announce the release of NICE Framework Components v2.2.0. The NICE Workforce Framework for Cybersecurity (NICE Framework) establishes a standard approach and common language for describing cybersecurity work and individual capabilities. NICE Framework Components include Work Role Categories, Work Roles, Competency Areas, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements. NICE Framework Components v2.2.0 includes the following updates:
  • Work Roles: Cybersecurity Supply Chain Risk Management Work Role (new, OG-WRL-017)
  • Competency Areas: Cryptography Competency Area (NF-COM-006); DevSecOps Competency Area (NF-COM-008)

You can access the updated NICE Framework Components on the Current Versions page of the NICE Framework Resource Center. A summary of changes and version records can be found on the NICE Framework Change Logs webpage.

These updates reflect the NICE Program Office’s commitment to maintaining the NICE Framework’s relevance to current cybersecurity practices through the active input of subject matter experts as well as the broader community of cybersecurity practitioners and educators.

Learn more about NICE Framework revisions, how to use the NICE Framework, and how to engage in its continued development at the NICE Framework Resource Center.

NIST Understanding Verifiable Digital Credential Issuance

In our last post in this series, we compared two credential formats that shape the digital identity ecosystem: ISO/IEC 18013-5 and -7 mobile documents (mdocs) and W3C Verifiable Credentials (VCs). Both formats define how a credential is structured and shared, but neither can function without an issuance process. 

This blog post explores what it takes to issue verifiable digital credentials, with a focus on mobile driver’s licenses (mDLs). We’ll look at how issuance works today in practice, where inconsistencies exist, and how standards bodies (FIDO, ISO and OpenID Foundation) are working to bring…


Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. 

  • Mozilla Firefox is a web browser used to access the Internet.
  • Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
  • Mozilla Thunderbird is an email client.
  • Mozilla Thunderbird ESR is a version of the email client intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild. 

SYSTEMS AFFECTED:

  • Firefox versions prior to 150.0.1
  • Firefox ESR versions prior to 140.10.1
  • Firefox ESR versions prior to 115.35.1
  • Thunderbird versions prior to 150.0.1
  • Thunderbird ESR versions prior to 140.10.1
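
The list above has one trap for anyone reconciling it against an asset inventory: the fixed version depends on the branch the build is on, so a Firefox ESR 140.9.0 install must be compared with 140.10.1, not with the 150.0.1 release build, and an ESR branch the advisory does not name (128, for example) gets no verdict from this advisory at all. The following is an added example written for this page, not code from the advisory or from Mozilla. The CSV inventory lines are constructed, and the `host,product,version` format is an assumption; the fixed releases come from the SYSTEMS AFFECTED list.

```python
"""Map installed Firefox / Thunderbird versions to the fixed releases in this advisory.

Added example, not part of the advisory or of Mozilla's tooling. Inventory lines
and their 'host,product,version' layout are constructed for illustration.
"""
import re

# Fixed releases from the SYSTEMS AFFECTED list, keyed by (product, branch).
FIXED_RELEASES = {
    ("firefox", "release"): (150, 0, 1),
    ("firefox", "esr140"): (140, 10, 1),
    ("firefox", "esr115"): (115, 35, 1),
    ("thunderbird", "release"): (150, 0, 1),
    ("thunderbird", "esr140"): (140, 10, 1),
}

# Accepts '150.0', '149.0.2', '140.9.0esr', '115.35.1esr'; beta/nightly tags are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(text: str):
    """Return ((major, minor, patch), is_esr) or raise ValueError on junk input."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(g or 0) for g in m.groups()[:3])  # missing patch level counts as 0
    return nums, m.group(4) == "esr"


def assess(product: str, version_text: str) -> dict:
    """Decide whether one installed build is below the advisory's fixed release."""
    version, is_esr = parse_version(version_text)
    # ESR builds are compared within their own major-version branch.
    branch = f"esr{version[0]}" if is_esr else "release"
    fixed = FIXED_RELEASES.get((product.strip().lower(), branch))
    if fixed is None:
        status = "not covered"  # branch not named in this advisory; check Mozilla directly
    elif version < fixed:
        status = "vulnerable"
    else:
        status = "patched"
    return {"product": product, "version": version_text, "branch": branch,
            "fixed": fixed, "status": status}


def assess_inventory(csv_lines) -> dict:
    """Group hosts by status from 'host,product,version' lines (constructed format)."""
    result = {"vulnerable": [], "patched": [], "not covered": []}
    for line in csv_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        result[assess(product, version)["status"]].append(host)
    return result


SAMPLE_INVENTORY = [  # constructed sample data
    "# host,product,version",
    "ws-017,firefox,140.9.0esr",
    "ws-018,firefox,150.0.1",
    "ws-019,firefox,149.0.2",
    "ws-020,firefox,128.15.0esr",
    "mail-01,thunderbird,140.10.1esr",
    "mail-02,thunderbird,150.0",
]

if __name__ == "__main__":
    for status, hosts in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Hosts that land in "not covered" are not cleared; they are simply outside what this advisory states, and the Mozilla advisory pages in the References section should be consulted for those branches.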

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home Users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows: 

Tactic: Initial Access (TA0001): 
Technique: Drive-by Compromise (T1189): 

  • Information disclosure due to incorrect boundary conditions in the Audio/Video component. (CVE-2026-7320)
  • Memory safety bugs fixed in Firefox ESR 115.35.1, Firefox ESR 140.10.1, Thunderbird ESR 140.10.1, Firefox 150.0.1 and Thunderbird 150.0.1. (CVE-2026-7322)
  • Memory safety bugs fixed in Firefox ESR 140.10.1, Thunderbird ESR 140.10.1, Firefox 150.0.1 and Thunderbird 150.0.1. (CVE-2026-7323)
  • Memory safety bugs fixed in Firefox 150.0.1 and Thunderbird 150.0.1. (CVE-2026-7324)

Additional lower severity vulnerabilities include:

  • Sandbox escape due to incorrect boundary conditions in the WebRTC component. (CVE-2026-7321)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051:Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026:Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050:Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021:Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
    • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040:Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017:User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.


REFERENCES:

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7320
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7322
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7323
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7324

Mozilla:
https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-35/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-36/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-37/

A Vulnerability in OpenSSH Could Allow for Authentication Bypass – PATCH NOW

A vulnerability has been discovered in OpenSSH which could allow for authentication bypass. OpenSSH (Open Secure Shell) is an open-source suite of secure networking utilities based on the SSH protocol. It provides encrypted communication sessions over unsecured networks in a client-server architecture and is primarily used for remote login and secure file transfer. Successful exploitation of the vulnerability could give an attacker root access to every server in an organization that runs a vulnerable OpenSSH build and accepts certificates from a trusted certificate authority.

THREAT INTELLIGENCE:
Cyera successfully exploited this flaw using a test certificate against a test server.

SYSTEMS AFFECTED:

  • OpenSSH versions prior to 10.3

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in OpenSSH which could allow for authentication bypass. Details of the vulnerability are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • OpenSSH before 10.3 mishandles the principals option in authorized_keys in uncommon scenarios where a principals list is used together with a Certificate Authority that makes certain use of comma characters. According to Cyera, because of this bug a comma in an SSH certificate principal name bypasses OpenSSH's access control, allowing a user who holds a valid certificate from a trusted CA to authenticate as root on a vulnerable server. (CVE-2026-35414)

Successful exploitation of the vulnerability could give an attacker root access to every server in an organization that runs a vulnerable OpenSSH build and trusts the CA that issued the attacker's certificate.
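
Before the patch window closes, a practitioner will want to know which hosts run a build below 10.3 and which of those actually trust a CA through an authorized_keys entry that carries a principals list, since that is the configuration the advisory describes. The script below is an added example written for this page; it is not code from OpenSSH, Cyera or the advisory's authors. It parses the sshd version banner, walks an authorized_keys file for cert-authority entries with a principals= option, and scans `ssh-keygen -L` output for principal names containing a comma. The banner, the authorized_keys lines and the abbreviated certificate listing are all constructed, and the key blobs are placeholders. The configuration check is a triage heuristic only; the advisory's fix is to upgrade to 10.3 or later regardless of what the check reports.

```python
"""Triage helper for CVE-2026-35414 (OpenSSH before 10.3, authorized_keys principals).

Added example for this advisory, not code from OpenSSH or from the advisory's
authors. Sample inputs below are constructed; key material is a placeholder.
"""
import re

FIXED_VERSION = (10, 3)  # advisory: OpenSSH versions prior to 10.3 are affected
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting here has no options field
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner: str):
    """'SSH-2.0-OpenSSH_9.9p1 Debian-3' -> (9, 9); None if no OpenSSH marker is present."""
    m = _VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable_version(banner: str) -> bool:
    v = parse_openssh_version(banner)
    return v is not None and v < FIXED_VERSION


def _split_outside_quotes(text: str, is_sep) -> list:
    """Split text on separator characters that are not inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if is_sep(ch) and not quoted:
            if cur:
                parts.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def ca_entries_with_principals(authorized_keys: str) -> list:
    """Return [{'line': n, 'principals': [...]}] for every cert-authority entry."""
    hits = []
    for lineno, raw in enumerate(authorized_keys.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Options may contain quoted spaces (command="..."), so split carefully.
        fields = _split_outside_quotes(line, str.isspace)
        if fields[0].startswith(KEY_TYPE_PREFIXES):
            continue  # plain key line without an options field, so not a CA entry
        options = _split_outside_quotes(fields[0], lambda c: c == ",")
        if "cert-authority" not in options:
            continue
        principals = []
        for opt in options:
            if opt.startswith("principals="):
                principals = opt[len("principals="):].strip('"').split(",")
        hits.append({"line": lineno, "principals": principals})
    return hits


def principals_from_keygen_listing(listing: str) -> list:
    """Collect the indented names under 'Principals:' in `ssh-keygen -L -f cert.pub` output."""
    principals, block_indent = [], None
    for line in listing.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if block_indent is None:
            if stripped.startswith("Principals:"):
                block_indent = indent
            continue
        if stripped and indent > block_indent:  # deeper indentation = one principal per line
            principals.append(stripped)
        else:
            break
    return principals


def principals_containing_commas(listing: str) -> list:
    """Principal names that embed a comma, the pattern the advisory attributes to the bypass."""
    return [p for p in principals_from_keygen_listing(listing) if "," in p]


def triage(banner: str, authorized_keys: str) -> dict:
    """Combine the version check and the configuration check into one verdict."""
    entries = [e for e in ca_entries_with_principals(authorized_keys) if e["principals"]]
    vulnerable = is_vulnerable_version(banner)
    return {"vulnerable_version": vulnerable,
            "ca_entries_with_principals": entries,
            "exposed": vulnerable and bool(entries)}


SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.9p1 Debian-3"  # constructed

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; key blobs are placeholders
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
cert-authority,principals="deploy,ops",command="/usr/bin/deploy --safe" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER corp-ca
"""

SAMPLE_CERT_LISTING = """\
cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "svc-deploy"
        Principals:
                deploy,root
                ops
        Critical Options: (none)
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_AUTHORIZED_KEYS))
    print("principals with commas:", principals_containing_commas(SAMPLE_CERT_LISTING))
```

The version check is the authoritative part: a host reporting 10.2 is vulnerable whether or not the configuration scan finds anything, and a host on 10.3 or later is patched. The configuration and certificate scans only help decide which vulnerable hosts to patch first and which issued certificates deserve a second look.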

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by OpenSSH or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.


REFERENCES:

Security Week:
https://www.securityweek.com/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years/
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35414

Oracle Quarterly Critical Patches Issued April 21, 2026 – PATCH NOW

Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild. 

SYSTEMS AFFECTED:

  • JD Edwards EnterpriseOne Tools, versions 9.2.0.0-9.2.26.1
  • Management Cloud Engine, version 25.2.0.0.0
  • MySQL Cluster, versions 8.0.0-8.0.44, 8.4.0-8.4.7, 9.0.0-9.5.0
  • MySQL Connectors, versions 9.0.0-9.6.0
  • MySQL Enterprise Backup, versions 8.0.0-8.0.45, 8.4.0-8.4.8, 9.0.0-9.6.0
  • MySQL Server, versions 8.0.0-8.0.45, 8.4.0-8.4.8, 9.0.0-9.6.0
  • MySQL Shell, versions 8.0.0-8.0.45, 8.4.0-8.4.8, 9.0.0-9.6.0
  • MySQL Workbench, versions 8.0.0-8.0.46
  • Oracle Access Manager, version 14.1.2.0.0
  • Oracle Adapter for Eclipse RDF4J, versions 3.12.0, 21.1.8, 24.1.0
  • Oracle Agile Product Lifecycle Management for Process, version 6.2.4
  • Oracle Application Development Framework (ADF), versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Application Express, versions 23.2.20, 23.2.21, 24.1.15, 24.1.16, 24.2.13, 24.2.15
  • Oracle Application Testing Suite, version 13.3.0.1
  • Oracle Autonomous Health Framework, versions 25.11-26.1
  • Oracle AutoVue, version 21.1.0
  • Oracle Banking Branch, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle Banking Cash Management, version 14.8.2.0.0
  • Oracle Banking Collections and Recovery, versions 14.6.0.0.0-14.8.0.0.0
  • Oracle Banking Corporate Lending, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle Banking Corporate Lending Process Management, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle Banking Credit Facilities Process Management, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle Banking Liquidity Management, versions 14.8.0.0.0, 14.8.1.0.0
  • Oracle Banking Origination, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle Banking Payments, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle Banking Supply Chain Finance, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle Banking Trade Finance, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle Banking Trade Finance Process Management, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle Banking Virtual Account Management, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle BI Publisher, versions 7.6.0.0.0, 8.2.0.0.0
  • Oracle Blockchain Platform, version 24.1.3
  • Oracle Business Activity Monitoring, version 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 7.6.0.0.0, 8.2.0.0.0
  • Oracle Business Process Management Suite, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Commerce Guided Search, version 11.4.0
  • Oracle Communications Billing and Revenue Management, versions 15.0.0.0.0-15.0.1.0.0, 15.1.0.0.0-15.2.0.0.0
  • Oracle Communications BRM – Elastic Charging Engine, versions 15.0.0.0-15.0.1.0, 15.1.0.0-15.2.0.0
  • Oracle Communications Cloud Native Core Binding Support Function, version 25.1.200
  • Oracle Communications Cloud Native Core Certificate Management, version 25.1.201
  • Oracle Communications Cloud Native Core Console, version 25.1.201
  • Oracle Communications Cloud Native Core DBTier, versions 25.1.200, 25.2.100
  • Oracle Communications Cloud Native Core Network Exposure Function, versions 24.2.1, 24.2.4
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 25.1.200, 25.2.200
  • Oracle Communications Cloud Native Core Network Repository Function, version 25.1.204
  • Oracle Communications Cloud Native Core Network Slice Selection Function, versions 25.1.100, 25.1.200
  • Oracle Communications Cloud Native Core Policy, versions 25.1.200, 25.1.201, 25.1.202
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 25.1.200, 25.1.201, 25.2.100
  • Oracle Communications Cloud Native Core Service Communication Proxy, versions 25.1.100, 25.1.200, 25.1.202, 25.2.100
  • Oracle Communications Cloud Native Core Unified Data Repository, versions 25.1.100, 25.1.200
  • Oracle Communications Convergence, version 3.0.3.4.0
  • Oracle Communications EAGLE, version 47.0
  • Oracle Communications EAGLE Application Processor, versions 17.0-17.1
  • Oracle Communications EAGLE Element Management System, version 47.0.0.1.0
  • Oracle Communications EAGLE LNP Application Processor, version 11.0
  • Oracle Communications Element Manager, versions 9.0.0-9.0.4
  • Oracle Communications Instant Messaging Server, version 10.0.1.8.0
  • Oracle Communications LSMS, version 14.0
  • Oracle Communications Messaging Server, version 8.1.0.0.0
  • Oracle Communications Network Integrity, versions 7.3.6, 7.4.0, 7.5.0, 8.0.0
  • Oracle Communications Offline Mediation Controller, versions 15.0.0.0.0-15.0.1.0.0, 15.1.0.0.0-15.2.0.0.0
  • Oracle Communications Operations Monitor, versions 5.2, 6.0, 6.1
  • Oracle Communications Order and Service Management, versions 7.5.0, 8.0.0
  • Oracle Communications Performance Intelligence Center, versions 10.5.0.0-10.5.0.2
  • Oracle Communications Policy Management, versions 15.0.0.0.0, 15.0.0.1.0
  • Oracle Communications Service Catalog and Design, versions 8.0.0.6.0, 8.1.0.5.0, 8.2.0.2.0
  • Oracle Communications Session Border Controller, versions 9.3.0, 10.0.0, 10.1.0
  • Oracle Communications Session Report Manager, versions 9.0.0-9.0.4
  • Oracle Communications Unified Assurance, versions 6.1.1-7.0.0
  • Oracle Communications Unified Inventory Management, versions 7.5.0-7.5.1, 7.6.0-7.8.0, 8.0.0
  • Oracle Configuration Manager, versions 13.5, 24.1
  • Oracle Data Integrator, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Database Server, versions 12.1.0.2.0, 12.2.0.1.0, 19.3-19.30, 21.3-21.21, 23.4.0-23.26.1
  • Oracle Documaker, versions 12.7.2-13.0.2
  • Oracle E-Business Suite, versions 12.2.3-12.2.15, 15.0
  • Oracle Enterprise Communications Broker, versions 4.2.0, 5.0.0
  • Oracle Enterprise Manager Base Platform, versions 13.5, 24.1
  • Oracle Enterprise Manager for Fusion Middleware, versions 13.5, 24.1
  • Oracle Enterprise Operations Monitor, version 6.1.0.0.0
  • Oracle Essbase, version 21.8.1.0.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.9, 8.0.8.7, 8.1.2.5
  • Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.2.10, 8.1.2.11
  • Oracle Financial Services Compliance Studio, version 8.1.2.9
  • Oracle Financial Services Customer Screening, version 8.1.2.8.0
  • Oracle Financial Services Enterprise Case Management, versions 8.0.8.2, 8.1.2.10, 8.1.2.11
  • Oracle Financial Services Lending and Leasing, versions 14.8.0.0.0, 14.10.0.0.0-14.12.0.0.0
  • Oracle Financial Services Model Management and Governance, version 8.1.2.7
  • Oracle Financial Services Regulatory Reporting, versions 8.1.2.10, 8.1.2.11
  • Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8
  • Oracle Financial Services Transaction Filtering, version 8.1.2.8.0
  • Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 14.5.0.0.0-14.8.0.0.0
  • Oracle Fusion Middleware, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Global Lifecycle Management OPatchAuto, versions 12.2.0.1.16-12.2.0.1.49
  • Oracle GoldenGate, versions 23.4-23.26.1
  • Oracle GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.21, 21.3-21.21, 23.4-23.10
  • Oracle GoldenGate Stream Analytics, versions 19.1.0.0.0-19.1.0.0.14
  • Oracle GraalVM Enterprise Edition, version 21.3.17
  • Oracle GraalVM for JDK, versions 17.0.18, 21.0.10
  • Oracle Graph Server and Client, versions 24.4.5, 25.4.1, 26.1.0
  • Oracle Hospitality Cruise Shipboard Property Management (SPMS), versions 23.1.5-23.3.0
  • Oracle HTTP Server, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Hyperion Infrastructure Technology, version 11.2.24.0.0
  • Oracle Identity Manager, versions 12.2.1.4.0, 14.1.2.0.0, 14.1.2.1.0
  • Oracle Identity Manager Connector, version 12.2.1.4.0
  • Oracle Insurance Policy Administration J2EE, versions 11.3.1.0, 11.3.2.0, 12.0.5.0, 12.1.1.0
  • Oracle Insurance Policy Administration Operational Data Store for Life and Annuity, version 1.0.2.1
  • Oracle Java SE, versions 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.1, 25.0.2, 26
  • Oracle Life Sciences Empirica Signal, versions 9.2.1-9.2.3
  • Oracle Life Sciences InForm, versions 7.0.1.0, 7.0.1.1
  • Oracle Managed File Transfer, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Middleware Common Libraries and Tools, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle NoSQL Database, versions 1.6.5, 1.7.0
  • Oracle Outside In Technology, version 8.5.8
  • Oracle Product Lifecycle Analytics, version 3.6.1
  • Oracle REST Data Services, versions 24.2.0, 24.2.1, 24.3.0, 24.3.1, 24.4.0, 25.1.1, 25.2.0, 25.2.1, 25.2.2, 25.2.3, 25.3.0, 25.3.1, 25.4.0
  • Oracle Retail Assortment Planning, versions 15.0, 16.0
  • Oracle Retail Bulk Data Integration, versions 16.0.3, 19.0.1
  • Oracle Retail EFTLink, versions 21.0.0-25.0.0
  • Oracle Retail Extract Transform and Load, version 13.0.5
  • Oracle Retail Financial Integration, versions 16.0.3, 19.0.1
  • Oracle Retail Fiscal Management, version 14.2
  • Oracle Retail Integration Bus, versions 16.0.3, 19.0.1
  • Oracle Retail Merchandise Financial Planning, versions 15.0, 16.0
  • Oracle Retail Merchandising System, versions 16.0.3, 19.0.1
  • Oracle Retail Predictive Application Server, version 16.0.3
  • Oracle Retail Price Management, version 16.0.3
  • Oracle Retail Service Backbone, versions 16.0.3, 19.0.1
  • Oracle Retail Warehouse Management System, version 16.0
  • Oracle Retail Xstore Point of Service, versions 21.0.5, 22.0.3
  • Oracle Security Service, versions 12.1.3.0.0, 12.2.1.4.0
  • Oracle SOA Suite, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Solaris, version 11.4
  • Oracle TimesTen In-Memory Database, versions 18.1.4, 22.1.1
  • Oracle Tuxedo, versions 22.1.0, 22.1.1
  • Oracle Utilities Application Framework, versions 4.3.0.5.0-4.3.0.6.0, 4.4.0.0.0-4.4.0.4.0, 4.5.0.0.0-4.5.0.2.0, 25.4, 25.10, 26.4
  • Oracle Utilities Live Energy Connect, versions 7.1.0.0.45, 25.12.0.0.0
  • Oracle Utilities Network Management System, versions 2.4.0.1.31, 2.5.0.1.16, 2.5.0.2.10, 2.6.0.1.10, 2.6.0.2.5, 2.6.0.2.6
  • Oracle Utilities Testing Accelerator, versions 7.0.0.0.7, 7.0.0.1.5, 25.4.0.0.2
  • Oracle VM VirtualBox, version 7.2.6
  • Oracle Web Services Manager, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebCenter Forms Recognition, version 14.1.1.0.0
  • Oracle WebCenter Sites, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0
  • PeopleSoft Enterprise CC Common Application Objects, version 9.2
  • PeopleSoft Enterprise CS Student Records, version 9.2
  • PeopleSoft Enterprise FIN Contracts, version 9.2
  • PeopleSoft Enterprise FIN Maintenance Management, version 9.2
  • PeopleSoft Enterprise FIN Project Costing, version 9.2
  • PeopleSoft Enterprise HCM Absence Management, version 9.2
  • PeopleSoft Enterprise HCM Human Resources, version 9.2
  • PeopleSoft Enterprise HCM Shared Components, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.61-8.62
  • PeopleSoft Enterprise SCM Purchasing, version 9.2
  • Primavera P6 Enterprise Project Portfolio Management, versions 21.12.0.0-21.12.21.6, 22.12.0.0-22.12.21.1, 23.12.0.0-23.12.18.0, 24.12.0.0-24.12.13.0, 25.12.0.0-25.12.2.0
  • Primavera Unifier, versions 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.16, 24.12.0-24.12.13, 25.12.0-25.12.3
  • Siebel Applications, versions 17.0-26.2
  • Sun ZFS Storage Appliance Kit, version 8.8

RISK:
Government:

  • Large and medium government entities: High
  • Small government: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home Users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Oracle link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051:Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026:Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050:Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
    • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040:Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017:User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.


REFERENCES:

Oracle:
https://www.oracle.com/security-alerts/cpuapr2026.html

Register for the NIST Workshop on AI Incident Management

The National Institute of Standards and Technology (NIST), within the U.S. Department of Commerce, invites stakeholders to participate in an upcoming workshop on AI Incident Management.

As AI systems become increasingly integral to critical infrastructure, cybersecurity, and national security, a new class of incidents is emerging where AI systems are both targets and sources of risk. Addressing these challenges may require new methods and coordinated action across government, industry, and academia.

Building on the collaborative model of efforts, this workshop will convene leaders from across the AI and cybersecurity stakeholder communities to initiate a shared dialogue on scalable, mission-aligned approaches to AI incident response. 

The workshop will:

  • Present a high-level NIST roadmap to advance AI incident response standards and practices
  • Engage stakeholders to understand current approaches, including existing playbooks and frameworks
  • Explore definitions, lifecycles, and taxonomy of AI-related incidents
  • Identify gaps in today’s cybersecurity and AI risk management guidance
  • Highlight emerging AI incident types beyond cybersecurity, including misuse scenarios

This engagement will inform future Information Technology Laboratory (ITL) and Center for AI Standards and Innovation (CAISI)* efforts to implement America’s AI Action Plan, including updates to existing guidelines and the development of new recommendations.

NIST invites stakeholders to contribute their expertise and help shape a coordinated, forward-looking approach to AI incident management. Outcomes from this workshop will inform future guidelines, strengthen ecosystem readiness, and support national and global alignment.

Audience: AI developers, service providers, incident responders, critical infrastructure partners, academics, cybersecurity professionals, and government stakeholders.

*For more information about NIST’s efforts in AI, please visit the Information Technology Laboratory AI site (https://www.nist.gov/artificial-intelligence/nist-information-technology-laboratory-itl-ai-program) and the Center for Artificial Intelligence Standards and Innovation site (https://www.nist.gov/caisi).

Register Now

FIRESTARTER Backdoor and Updated Emergency Directive for Cisco Firepower and Secure Firewall Devices

The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom National Cyber Security Centre (NCSC-UK) released a Malware Analysis Report (MAR) on FIRESTARTER, a persistent backdoor malware specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense software. This release coincides with the updated Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices, which outlines required actions for US Federal Civilian Executive Branch agencies. All other US organizations are urged to review the MAR, take necessary actions, and report any findings to CISA.
FIRESTARTER enables remote access and control by advanced persistent threat (APT) actors and can survive firmware patching and device reboots. Initial access to Cisco ASA firmware was gained by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow]. The malware maintains persistence after the device is patched, enabling APT actors to re-access compromised devices without re-exploiting the vulnerabilities.
Refer to the below resources for additional details:

  • Malware Analysis Report: FIRESTARTER Backdoor
  • Emergency Directive (ED) 25-03 V1 Update: Identify and Mitigate Potential Compromise of Cisco Devices
  • Supplemental Direction ED 25-03: Core Dump and Hunt Instructions
  • Cisco Talos Blog: FIRESTARTER
  • Cisco Security Advisory

Defending Against China-Nexus Covert Networks of Compromised Devices

The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre, in collaboration with other federal and international partners, released this Joint Cybersecurity Advisory to provide network defenders with vital tools and resources to combat the threat posed by Chinese government-linked threat actors’ use of covert networks of compromised devices.
The advisory outlines tactics, techniques, and procedures associated with Chinese government-linked covert networks built from compromised small-office-home-office routers, Internet of Things, and smart devices. It explains how threat actors leveraging these covert networks, including those previously tied to groups such as Volt Typhoon and Flax Typhoon, use large scale botnet infrastructure to obscure attribution and enable reconnaissance, intrusion, command-and-control, and data exfiltration. 
The advisory provides tailored defensive guidance for cyber defenders to identify, baseline, and mitigate activity originating from dynamic, deniable covert networks to reduce the risk of organizational compromise. 
CISA and partners recommend the following steps to protect against this threat: 
  • Map and understand network edge devices, developing a clear understanding of organizational assets and what should be connected to them.
  • Baseline normal connections, especially to corporate VPNs or other similar devices.
  • Maintain log collection and storage solutions to assist with detecting and responding to unauthorized access attempts.
  • Implement multi-factor authentication for remote connections.
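As an added example of the baselining and log-review steps above (this is not code from the advisory, CISA or NCSC, and it does not use any vendor's real log format), the following Python script builds a per-user baseline of VPN login sources from a known-good window, then flags later successful logins from a source network (ASN) never seen for that user and single source addresses that attempt many different accounts. The log lines, field layout (timestamp, user, source IP, ASN, result), user names and addresses are all constructed for illustration.

```python
"""Baseline VPN logins per user and flag deviations from that baseline.

Added example, not part of the CISA/NCSC advisory. The syslog-like line
format below is an assumption made for this example; adapt LOG_RE to the
real gateway's export. All addresses and ASNs are constructed sample data.
"""
import re
from collections import defaultdict

# Assumed line layout: "<ts> vpn-gw auth user=<u> src=<ip> asn=<ASn> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"asn=(?P<asn>AS\d+) result=(?P<result>\w+)$"
)

# Constructed "known good" window used to learn what normal looks like.
BASELINE_LOGS = [
    "2026-04-01T08:02:11Z vpn-gw auth user=alice src=203.0.113.10 asn=AS64500 result=success",
    "2026-04-01T08:05:40Z vpn-gw auth user=bob src=198.51.100.22 asn=AS64501 result=success",
    "2026-04-02T09:12:03Z vpn-gw auth user=alice src=203.0.113.11 asn=AS64500 result=success",
    "2026-04-02T09:30:55Z vpn-gw auth user=carol src=203.0.113.40 asn=AS64500 result=success",
]

# Constructed evaluation window: one address tries several accounts from a
# network no user has logged in from before, and one of those attempts succeeds.
NEW_LOGS = [
    "2026-04-20T03:14:09Z vpn-gw auth user=alice src=192.0.2.77 asn=AS64510 result=success",
    "2026-04-20T03:15:31Z vpn-gw auth user=bob src=192.0.2.77 asn=AS64510 result=failure",
    "2026-04-20T03:16:02Z vpn-gw auth user=carol src=192.0.2.77 asn=AS64510 result=failure",
    "2026-04-20T08:01:00Z vpn-gw auth user=bob src=198.51.100.23 asn=AS64501 result=success",
]


def parse(lines):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Map each user to the set of ASNs they have successfully logged in from."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add(e["asn"])
    return dict(baseline)


def find_anomalies(events, baseline, fanout_threshold=3):
    """Return findings for (a) successful logins from an ASN not in the
    user's baseline and (b) one source address touching many accounts."""
    findings = []
    users_per_src = defaultdict(set)
    for e in events:
        users_per_src[e["src"]].add(e["user"])
        known = baseline.get(e["user"], set())
        if e["result"] == "success" and e["asn"] not in known:
            findings.append({"type": "new_asn", "user": e["user"],
                             "src": e["src"], "asn": e["asn"], "ts": e["ts"]})
    for src, users in sorted(users_per_src.items()):
        if len(users) >= fanout_threshold:
            findings.append({"type": "multi_user_source", "src": src,
                             "users": sorted(users)})
    return findings


def analyze(baseline_lines, new_lines):
    """Convenience wrapper: learn from one window, evaluate another."""
    baseline = build_baseline(parse(baseline_lines))
    return find_anomalies(parse(new_lines), baseline)


if __name__ == "__main__":
    for finding in analyze(BASELINE_LOGS, NEW_LOGS):
        print(finding)
```

The two checks are deliberately simple so they can be reviewed by hand: the ASN baseline catches a valid credential used from an unfamiliar network, and the fan-out check catches one address cycling through accounts, which is a pattern worth correlating with the covert-network indicators the advisory describes. In a production pipeline the baseline window should be long enough to cover travel and home-office variation, and unparsed lines should be counted rather than silently dropped.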
For more information on Chinese government-linked threat actor activity, please visit CISA’s China Threat Overview and Advisories page.
CISA also provides helpful resources on the Edge Device Security webpage. 

Next Thursday (4/30): Improving the Nation’s Cybersecurity – An Open Forum

The conversation on the future of national cybersecurity is happening next Thursday. Join Red Hat, NIST, and the Office of Space Commerce for an immersive day of strategy and dialogue.

  • When: April 30, 2026 | 8:00 am to 4:30 pm ET
  • Where: Commerce Research Library, 1401 Constitution Ave. NW, Washington, DC 20230
  • Why: Hear from leaders and industry that are most shaped by this advancement and how the nation is designing approaches to safeguard against current and emerging threats. 
Register Here