Oracle CVE-2026-35273 Added to CISA KEV Under Active Ransomware Exploitation
One Oracle Corporation vulnerability, CVE-2026-35273, is confirmed as actively exploited in the wild and tied to ransomware campaigns, per CISA's June 12 KEV update.

Key findings
- CISA added Oracle CVE-2026-35273 to its KEV catalog on June 12, 2026, confirming active in-the-wild exploitation.
- The vulnerability is flagged for use in ransomware campaigns, signaling its role in real-world extortion operations.
- Federal agencies face a BOD 22-01 remediation deadline of July 3, 2026 — 21 days from the KEV listing.
- All organizations running Oracle products should patch immediately and audit for signs of compromise.

The U.S. Cybersecurity and Infrastructure Security Agency added a single Oracle Corporation vulnerability to its Known Exploited Vulnerabilities catalog on June 12, 2026, confirming that the flaw is being actively exploited in the wild. The entry, tracked as CVE-2026-35273, carries an additional flag marking its use in ransomware campaigns — a designation CISA reserves for vulnerabilities that have been weaponized by ransomware operators to gain initial access, escalate privileges, or move laterally within victim environments.
The addition triggers Binding Operational Directive 22-01, which mandates that all federal civilian executive branch agencies remediate the vulnerability within 21 days — setting a compliance deadline of July 3, 2026. While the directive applies directly to U.S. government networks, CISA strongly urges private-sector organizations and critical infrastructure operators to treat KEV-listed flaws with the same urgency, given the confirmed real-world exploitation activity.
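As an added example (not code from this article, CISA or Oracle), one way to track entries like this one is to parse the KEV JSON feed, keep only the vendors in your own inventory, and rank ransomware-flagged entries and the nearest deadlines first. The feed excerpt is constructed: the product names, the second and third records, the inventory list and the function name `triage` are assumptions.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed. Only the first
# record's CVE ID, vendor, dates and ransomware flag come from the article;
# product names and the other two records are placeholders.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-35273", "vendorProject": "Oracle",
     "product": "PLACEHOLDER-PRODUCT", "dateAdded": "2026-06-12",
     "dueDate": "2026-07-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "PLACEHOLDER-PRODUCT", "dateAdded": "2026-06-01",
     "dueDate": "2026-06-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00002", "vendorProject": "NotInInventory",
     "product": "PLACEHOLDER-PRODUCT", "dateAdded": "2026-06-12",
     "dueDate": "2026-07-03", "knownRansomwareCampaignUse": "Known"},
]})


def triage(feed_json, inventory_vendors, today):
    """Return KEV entries for vendors we run, most urgent first."""
    wanted = {v.casefold() for v in inventory_vendors}
    rows = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        if v["vendorProject"].casefold() not in wanted:
            continue  # vendor not deployed here
        added = date.fromisoformat(v["dateAdded"])
        due = date.fromisoformat(v["dueDate"])
        rows.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            "window_days": (due - added).days,  # remediation window granted
            "days_left": (due - today).days,    # negative means overdue
        })
    # Ransomware-flagged entries first, then the nearest deadline.
    rows.sort(key=lambda r: (not r["ransomware"], r["days_left"]))
    return rows


if __name__ == "__main__":
    inventory = ["oracle", "examplevendor"]  # assumed asset-inventory vendors
    for r in triage(SAMPLE_FEED, inventory, date(2026, 6, 25)):
        state = "OVERDUE" if r["days_left"] < 0 else f"{r['days_left']}d left"
        tag = "ransomware" if r["ransomware"] else "-"
        print(f"{r['cve']:<16} {r['vendor']:<14} {tag:<11} {state}")
```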
CVE-2026-35273 is the sole Oracle entry in this KEV batch. The ransomware association is particularly significant: flaws exploited in ransomware kill chains often serve as the initial foothold for extortion operations that can paralyze organizations within hours. Security teams running Oracle products — whether on-premises database servers, cloud infrastructure, or enterprise applications — should immediately consult Oracle's security advisory for the relevant patch and apply it without delay.
Beyond patching, defenders should review logs for indicators of compromise tied to this CVE, validate that internet-facing Oracle services are not unnecessarily exposed, and ensure that detection rules are updated to flag exploitation attempts. For organizations unable to patch immediately, CISA recommends applying vendor-provided mitigations or temporarily isolating affected systems until remediation can be completed.
The addition underscores a persistent reality: enterprise software from major vendors remains a prime target for financially motivated threat actors, and a single unpatched vulnerability can be the difference between normal operations and a full-scale ransomware incident.