The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their systems by Saturday against ongoing attacks exploiting a critical vulnerability in the Oracle E-Business Suite (EBS) financial application. The directive to repeat states that as mandated by Binding Operational Directive (BOD) 26-04, this needs to be patched by tomorrow. AKA Saturday.
Ted Miracco, Approov (https://www.linkedin.com/in/tedmiracco)
“Organizations continue to struggle to patch critical vulnerabilities quickly because enterprise resource planning (ERP) platforms like Oracle and SAP are highly customized and deeply interwoven with other business applications. Patching them isn’t like updating a web browser; a single database update can break custom API integrations, halting payroll, shipping, or manufacturing.
“The window for ‘safe testing’ no longer exists for edge-facing systems. In the past, organizations had 30 to 90 days to test and deploy patches before exploits were widely weaponized. Today, threat actors reverse-engineer patches and deploy exploits within days or even hours.
“To better prioritize and respond to these types of threats, security teams must implement strict Web Application Firewall (WAF) rules, sever internet exposure, or place vulnerable assets behind a Zero Trust Network Access (ZTNA) gateway until patches can be safely tested. When patches can be deployed to a staging environment, tested automatically, and instantly rolled back if they fail, emergency deployments become a low-risk routine rather than a weekend crisis.”
Damon Small, Board Member, Xcape, Inc. (https://www.linkedin.com/in/damon-small-7400501)
“Deploying a patch on a single computer may seem like a trivial task, but doing it across an enterprise that may have hundreds, or even thousands, of servers is daunting. That said, we have seen incidents where a patched vulnerability is exploited months after it was resolved. As an industry, we must strike a balance between operational readiness and patching fatigue.
The first open source vulnerability scanner was released in 1995. Since then, vulnerability management has remained the least sexy, yet the most important, directive in cyber security. Frankly, as an industry, we struggle to update software quickly, and this fact will become more problematic as the time between vulnerabilities being discovered and them being actively exploited continues to shrink.
Security leaders should first and foremost ensure that their organizations have accurate software and hardware inventories. You cannot defend what you can’t see. Additionally, as ‘silent’ or no-reboot patching becomes an industry standard, automatic updates may follow.”
Donald McFarlane, Advisory Board Member, Xcape, Inc. (https://www.linkedin.com/in/dmcfarlane)
“Organizations rarely fail to patch because they lack another alert: they struggle when they lack reliable asset inventories, clear ownership, tested maintenance paths, or the authority to interrupt business-critical systems and processes. In today’s machine-scale, machine-speed adversarial environment, IT organizations must deploy critical security patches far more quickly. When immediate patching is not possible, leaders must prioritize vulnerabilities based on active exploitation, internet exposure, mission impact and potential blast radius, not severity scores alone. They should know in advance who owns each critical system, how it can be isolated, and how emergency changes can be made safely.
“Patching is not the finish line: organizations must determine whether an adversary arrived before the fix was applied. Find material exposure before an adversary does, fix it, and prove the risk actually went down.”
Kevin Surace, CEO, Token (https://www.linkedin.com/in/ksurace)
“Patching is rarely as simple as installing an update. Critical enterprise applications are often deeply connected to financial systems, databases, customized workflows, and third-party software, so teams fear that an untested patch could interrupt essential operations.
“The deeper problem is that many organizations do not have an accurate, continuously updated inventory of their systems. They may not know which servers are exposed to the internet, which versions are running, who owns them, or whether a patch was successfully applied.
“In this case, Oracle released the patch in May, exploitation was observed by late June, and more than 1,000 Oracle E Business Suite systems were still exposed to the internet in July. That is not primarily a technology failure. It is a failure of ownership, visibility, testing capacity, and executive accountability.
“Urgent federal patching orders and extremely short remediation deadlines are becoming more visible, but this particular action was not technically a standalone Emergency Directive. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog under Binding Operational Directive 26 04 and required remediation within three days.
“The significance is the deadline. CISA is effectively telling agencies that once exploitation is confirmed, the traditional patching cycle is no longer acceptable. Attackers are weaponizing vulnerabilities faster, while many organizations are still operating through monthly maintenance windows, lengthy approval processes, and manual asset reviews.
“These directives also reveal an uncomfortable truth: too many organizations still need an external government deadline to force action on vulnerabilities that vendors have already patched.
“Security leaders should prioritize vulnerabilities based on actual exploitation, internet exposure, business importance, and the potential impact of compromise, not simply on the severity score. A vulnerability that is being actively exploited against an exposed financial system should move immediately ahead of a higher scoring flaw on an isolated test machine.
“Every critical system needs a named business owner, a technical owner, a tested emergency patching procedure, and a clearly defined authority capable of accepting the operational risk of patching or the security risk of delaying it. When exploitation is confirmed, teams should be able to patch, isolate, restrict network access, or temporarily remove a system from service without waiting through days of meetings.
“Organizations should also assume that patching may come too late. Organizations must review logs for evidence of earlier exploitation, rotate potentially exposed credentials, inspect connected systems, and protect privileged access with hardware based biometric assured identity.
“Biometric assured identity would not prevent an unauthenticated Oracle software exploit such as this one. It can, however, stop attackers from turning stolen administrator credentials into broader access after the initial compromise. Patching closes the software vulnerability. Biometric assured identity helps contain what attackers can do next.”
Steven Swift, Managing Director, Suzu Labs (https://www.linkedin.com/in/steven-swift-5238956a)
“Patching is a big thankless task, and it rarely gets the resourcing it would require to actually patch all the things quickly. In order to have any chance at keeping up with patching, organizations need to implement solutions to automate both patching and vulnerability scanning.
“A lot of organizations are hesitant to patch immediately, because there have been enough issues with bad patches being released over the years, that the risk of patching slowly is preferred over the risk of patching fast and breaking things.
“Patching automation is great for those systems which are consistently deployed across the organization. However, the applications that are only on a few systems are those least likely to have automated patching. This would be fine, except for that there tends to be a lot of applications that fall into this category. Practically, that means staff can patch the vast majority of things consistently and in a timely manner, and still always have a long tail of vulnerabilities that are more challenging to fix.
“This is compounded when ownership is split between different teams. Especially so when organizational priorities are split. If teams are under pressure to hit tight deadlines, the last thing they want to do is spend time fixing/patching things that don’t directly assist in that goal. This results in a lot of vulnerability management teams spending much of their time providing reports on what needs patching, to teams that will get to it when they get to it.
“As for what leadership can do to better prioritize and respond to new vulnerabilities? A big part of is keeping metrics so that the work being done isn’t invisible anymore. If the team is consistently patching 90% of all published CVEs in a timely manner, and yet all that leadership sees are reports showing the remaining 10%, it can look like the team just isn’t doing much patching when the opposite is true.
“Track stale vulnerabilities in the organization, and prioritize those. Stale can be older than 30, 90, or 365 days for example. Depending on how mature existing processes are. Once all of the stale vulnerabilities are remediated, build automation to handle as much repeatable work as is possible. Provide developers with vulnerability feedback as early in the process as you can, as it costs much less time and money to fix code early on, than it does after release.”
While it is beyond time to patch all the things, organizations need rethink how they go about keeping their environments safe. Because patching is clearly not enough.
What the Oracle vulnerability says about today’s patching problem
Posted in Commentary with tags CISA, Oracle on July 17, 2026 by itnerdThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their systems by Saturday against ongoing attacks exploiting a critical vulnerability in the Oracle E-Business Suite (EBS) financial application. The directive to repeat states that as mandated by Binding Operational Directive (BOD) 26-04, this needs to be patched by tomorrow. AKA Saturday.
Ted Miracco, Approov (https://www.linkedin.com/in/tedmiracco)
“Organizations continue to struggle to patch critical vulnerabilities quickly because enterprise resource planning (ERP) platforms like Oracle and SAP are highly customized and deeply interwoven with other business applications. Patching them isn’t like updating a web browser; a single database update can break custom API integrations, halting payroll, shipping, or manufacturing.
“The window for ‘safe testing’ no longer exists for edge-facing systems. In the past, organizations had 30 to 90 days to test and deploy patches before exploits were widely weaponized. Today, threat actors reverse-engineer patches and deploy exploits within days or even hours.
“To better prioritize and respond to these types of threats, security teams must implement strict Web Application Firewall (WAF) rules, sever internet exposure, or place vulnerable assets behind a Zero Trust Network Access (ZTNA) gateway until patches can be safely tested. When patches can be deployed to a staging environment, tested automatically, and instantly rolled back if they fail, emergency deployments become a low-risk routine rather than a weekend crisis.”
Damon Small, Board Member, Xcape, Inc. (https://www.linkedin.com/in/damon-small-7400501)
“Deploying a patch on a single computer may seem like a trivial task, but doing it across an enterprise that may have hundreds, or even thousands, of servers is daunting. That said, we have seen incidents where a patched vulnerability is exploited months after it was resolved. As an industry, we must strike a balance between operational readiness and patching fatigue.
The first open source vulnerability scanner was released in 1995. Since then, vulnerability management has remained the least sexy, yet the most important, directive in cyber security. Frankly, as an industry, we struggle to update software quickly, and this fact will become more problematic as the time between vulnerabilities being discovered and them being actively exploited continues to shrink.
Security leaders should first and foremost ensure that their organizations have accurate software and hardware inventories. You cannot defend what you can’t see. Additionally, as ‘silent’ or no-reboot patching becomes an industry standard, automatic updates may follow.”
Donald McFarlane, Advisory Board Member, Xcape, Inc. (https://www.linkedin.com/in/dmcfarlane)
“Organizations rarely fail to patch because they lack another alert: they struggle when they lack reliable asset inventories, clear ownership, tested maintenance paths, or the authority to interrupt business-critical systems and processes. In today’s machine-scale, machine-speed adversarial environment, IT organizations must deploy critical security patches far more quickly. When immediate patching is not possible, leaders must prioritize vulnerabilities based on active exploitation, internet exposure, mission impact and potential blast radius, not severity scores alone. They should know in advance who owns each critical system, how it can be isolated, and how emergency changes can be made safely.
“Patching is not the finish line: organizations must determine whether an adversary arrived before the fix was applied. Find material exposure before an adversary does, fix it, and prove the risk actually went down.”
Kevin Surace, CEO, Token (https://www.linkedin.com/in/ksurace)
“Patching is rarely as simple as installing an update. Critical enterprise applications are often deeply connected to financial systems, databases, customized workflows, and third-party software, so teams fear that an untested patch could interrupt essential operations.
“The deeper problem is that many organizations do not have an accurate, continuously updated inventory of their systems. They may not know which servers are exposed to the internet, which versions are running, who owns them, or whether a patch was successfully applied.
“In this case, Oracle released the patch in May, exploitation was observed by late June, and more than 1,000 Oracle E Business Suite systems were still exposed to the internet in July. That is not primarily a technology failure. It is a failure of ownership, visibility, testing capacity, and executive accountability.
“Urgent federal patching orders and extremely short remediation deadlines are becoming more visible, but this particular action was not technically a standalone Emergency Directive. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog under Binding Operational Directive 26 04 and required remediation within three days.
“The significance is the deadline. CISA is effectively telling agencies that once exploitation is confirmed, the traditional patching cycle is no longer acceptable. Attackers are weaponizing vulnerabilities faster, while many organizations are still operating through monthly maintenance windows, lengthy approval processes, and manual asset reviews.
“These directives also reveal an uncomfortable truth: too many organizations still need an external government deadline to force action on vulnerabilities that vendors have already patched.
“Security leaders should prioritize vulnerabilities based on actual exploitation, internet exposure, business importance, and the potential impact of compromise, not simply on the severity score. A vulnerability that is being actively exploited against an exposed financial system should move immediately ahead of a higher scoring flaw on an isolated test machine.
“Every critical system needs a named business owner, a technical owner, a tested emergency patching procedure, and a clearly defined authority capable of accepting the operational risk of patching or the security risk of delaying it. When exploitation is confirmed, teams should be able to patch, isolate, restrict network access, or temporarily remove a system from service without waiting through days of meetings.
“Organizations should also assume that patching may come too late. Organizations must review logs for evidence of earlier exploitation, rotate potentially exposed credentials, inspect connected systems, and protect privileged access with hardware based biometric assured identity.
“Biometric assured identity would not prevent an unauthenticated Oracle software exploit such as this one. It can, however, stop attackers from turning stolen administrator credentials into broader access after the initial compromise. Patching closes the software vulnerability. Biometric assured identity helps contain what attackers can do next.”
Steven Swift, Managing Director, Suzu Labs (https://www.linkedin.com/in/steven-swift-5238956a)
“Patching is a big thankless task, and it rarely gets the resourcing it would require to actually patch all the things quickly. In order to have any chance at keeping up with patching, organizations need to implement solutions to automate both patching and vulnerability scanning.
“A lot of organizations are hesitant to patch immediately, because there have been enough issues with bad patches being released over the years, that the risk of patching slowly is preferred over the risk of patching fast and breaking things.
“Patching automation is great for those systems which are consistently deployed across the organization. However, the applications that are only on a few systems are those least likely to have automated patching. This would be fine, except for that there tends to be a lot of applications that fall into this category. Practically, that means staff can patch the vast majority of things consistently and in a timely manner, and still always have a long tail of vulnerabilities that are more challenging to fix.
“This is compounded when ownership is split between different teams. Especially so when organizational priorities are split. If teams are under pressure to hit tight deadlines, the last thing they want to do is spend time fixing/patching things that don’t directly assist in that goal. This results in a lot of vulnerability management teams spending much of their time providing reports on what needs patching, to teams that will get to it when they get to it.
“As for what leadership can do to better prioritize and respond to new vulnerabilities? A big part of is keeping metrics so that the work being done isn’t invisible anymore. If the team is consistently patching 90% of all published CVEs in a timely manner, and yet all that leadership sees are reports showing the remaining 10%, it can look like the team just isn’t doing much patching when the opposite is true.
“Track stale vulnerabilities in the organization, and prioritize those. Stale can be older than 30, 90, or 365 days for example. Depending on how mature existing processes are. Once all of the stale vulnerabilities are remediated, build automation to handle as much repeatable work as is possible. Provide developers with vulnerability feedback as early in the process as you can, as it costs much less time and money to fix code early on, than it does after release.”
While it is beyond time to patch all the things, organizations need rethink how they go about keeping their environments safe. Because patching is clearly not enough.
Leave a comment »