
Just behind ZDLRA in patch volume are Oracle Enterprise Manager, with 51 patches, 47 of which can be remotely exploited without authentication, and Oracle E-Business Suite, with 38 patches, 33 of which are remotely exploitable.
Despite Oracle’s comprehensive patching cycle, the company’s approach to security has not always been effective. In 2025, a threat actor claimed to have stolen six million records from a vulnerable Oracle server, a claim the company repeatedly denied.
Security company CloudSEK later identified the vulnerability behind the alleged hack as CVE-2021-35587, an old issue that should have been patched. Presumably coincidentally, it was announced in August that long-serving chief security officer Mary Ann Davidson was leaving the company.
