Emergency Microsoft, Oracle patches point to wider cyber issues
Emergency out-of-band patches from Microsoft and Oracle signal underlying security issues around update cycles and patching, and identity security and zero-trust, says the community
Emergency out-of-band fixes issued by enterprise IT giants Microsoft and Oracle have shone a spotlight on two sets of issues: update cycles and patching on the one hand, and identity security and zero-trust on the other.
Microsoft’s emergency update, KB5085516, addresses an issue that arose after installing the mandatory cumulative updates pushed live on Patch Tuesday earlier this month.
According to Microsoft, it has since emerged that many users experienced problems signing into applications with a Microsoft account, seeing a “no internet” error message even though the device had a working connection. This had the effect of preventing access to multiple services and applications. It should be noted that organisations using Entra ID did not experience the issue.
But Microsoft’s emergency patch comes just days after it doubled down on a commitment to software quality, reliability and stability. In a blog post published just 24 hours prior to the latest update, Pavan Davuluri of Microsoft’s Windows Insider Program Team said updates should be “predictable and easy to plan around”.
“Microsoft had [a] week,” said Michael Bell, founder and CEO of Suzu Labs. “Their Windows exec published a blog promising improved reliability and quality on 20 March, and by 21 March, they were shipping an emergency out-of-band fix for a sign-in bug that their own March security update introduced.
“That’s on top of separate hotpatches for RRAS remote code execution flaws and a Bluetooth visibility bug. Three emergency fixes in eight days does not shout reliability era.”
Oracle’s patch, meanwhile, addresses CVE-2026-21992, a remote code execution flaw in the REST:WebServices component of Oracle Identity Manager and the Web Services Security component of Oracle Web Services Manager in Oracle Fusion Middleware. It carries a CVSS score of 9.8 and can be exploited by an unauthenticated attacker with network access over HTTP.
There appear to be no reports of active exploitation at the time of writing, but previous high-profile flaws in Oracle have been swiftly attacked – last year, a similar RCE issue in E-Business Suite drew the attention of the prolific Cl0p ransomware crew.
Bell noted that another, possibly related pre-authentication RCE issue in Oracle Identity Manager – CVE-2025-61757 – was added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities list in short order, given how trivial and easy to exploit it proved to be. He said the latest bug may well follow the same path.
“The reason this matters more than a typical 9.8 is the target,” said Bell. “Code execution on an identity management platform means the attacker can rewrite the access policies that control the rest of the enterprise, and that turns a single CVE into persistent access across an entire network.”
Zero zero-trust
Noelle Murata, a senior security engineer at Xcape, said the twin updates illustrated a “crumbling trust in traditional update cycles”.
“When Oracle Identity Manager, the literal brain of enterprise security, requires an unauthenticated RCE patch, it proves that the tools we use to build zero-trust are often our most dangerous single points of failure,” she said. “At the same time, Microsoft’s need to issue a security update just to stop gaslighting users with phantom connectivity errors highlights a widening quality gap.”
Murata lamented a cycle where security services come in the form of either pre-installed backdoors or productivity-killing glitches, and called on the industry to demand more than just faster and better patching if it is to truly protect users.
“We need an industry-wide pivot toward resilient-by-design architectures that don’t fail when a single HTTP request reaches the identity layer,” she said. “If zero-trust means we can’t trust the identity manager to stay secure or the operating system to let us log in, then congratulations; the industry has finally achieved its goal.”
