Tenable flags RCE flaw in Oracle cloud code editor
crn.in
Cybersecurity firm Tenable has uncovered a serious Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure (OCI) Code Editor—an integrated service within Oracle’s Cloud Shell environment. The flaw could have enabled attackers to run malicious code on Oracle servers without needing direct access, potentially compromising a wide array of connected cloud services.
The vulnerability, now patched by Oracle, stemmed from the Code Editor’s file upload functionality. According to Tenable Research, the feature failed to properly validate the origin of incoming requests. This opened the door for attackers to use a malicious website to silently trick an authenticated user’s browser into uploading harmful files to their Cloud Shell. Once the user re-opened their shell session, the malicious code would execute automatically—without their knowledge.
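The kind of request-origin check whose absence is described above, as an added example; it is not Oracle's or Tenable's code and does not represent Oracle's actual fix. The host `editor.example.com`, the function names and the sample requests are assumptions, and the sketch assumes the editor UI and its upload endpoint share one origin.

```javascript
"use strict";
// Added illustration. Hosts, names and sample requests are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://editor.example.com"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Reduce an Origin or Referer value to a serialized origin, or null.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null; // missing header, or the literal "null" origin
  }
}

// Gate placed in front of the upload handler. `headers` uses lower-cased names.
function checkUploadRequest(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }
  // Fetch Metadata: current browsers label where a request came from.
  const site = headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin") {
    return { allow: false, reason: "sec-fetch-site=" + site };
  }
  // Prefer Origin; use Referer only when Origin is absent. Fail closed.
  const raw = headers["origin"] !== undefined ? headers["origin"] : headers["referer"];
  const source = originOf(raw);
  // Exact match against the allowlist, never prefix or substring matching.
  if (source === null || !ALLOWED_ORIGINS.has(source)) {
    return { allow: false, reason: "untrusted source: " + source };
  }
  return { allow: true, reason: "trusted origin" };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { name: "editor UI", headers: { origin: "https://editor.example.com", "sec-fetch-site": "same-origin" } },
  { name: "third-party page", headers: { origin: "https://other.example", "sec-fetch-site": "cross-site" } },
  { name: "lookalike host", headers: { origin: "https://editor.example.com.other.example" } },
  { name: "referer only", headers: { referer: "https://editor.example.com/ide" } },
  { name: "no source headers", headers: {} },
];
function runSamples() {
  return SAMPLES.map((s) => ({ name: s.name, ...checkUploadRequest("POST", s.headers) }));
}
console.log(runSamples());
```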
A One-Click Compromise with Far-Reaching Impact
Tenable warns that the exploit required minimal user interaction—just a single click on a malicious link ...
Copyright of this story solely belongs to crn.in.