Tenable flags RCE flaw in Oracle cloud code editor


Cybersecurity firm Tenable has uncovered a serious Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure (OCI) Code Editor—an integrated service within Oracle’s Cloud Shell environment. The flaw could have enabled attackers to run malicious code on Oracle servers without needing direct access, potentially compromising a wide array of connected cloud services.

The vulnerability, now patched by Oracle, stemmed from the Code Editor’s file upload functionality. According to Tenable Research, the feature failed to properly validate the origin of incoming requests, i.e. a cross-site request forgery (CSRF) weakness. This allowed a malicious website to silently trick an authenticated user’s browser into uploading harmful files to that user’s Cloud Shell. Once the user re-opened their shell session, the malicious code would execute automatically, without their knowledge.
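As an added illustration (not Oracle’s code and not Tenable’s proof of concept), the following Python sketches the class of check the article says was missing: an upload handler that trusts only the session cookie, beside one that also validates the request’s origin and an anti-CSRF token. The console origin and the sample requests are constructed placeholders.

```python
import hmac
from urllib.parse import urlsplit

# Assumption: the console UI is served from this one origin (constructed value).
TRUSTED_ORIGINS = {"https://console.example.test"}


def _origin(url):
    """Reduce a URL to scheme://host[:port]; None if absent or malformed."""
    p = urlsplit(url or "")
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None


def vulnerable_accepts(headers, cookies, form):
    """Before: only the session cookie is checked. The browser attaches it
    automatically, so a POST forged by another site is accepted."""
    return "session" in cookies


def hardened_accepts(headers, cookies, form):
    """After: accept only requests that demonstrably come from our own UI.
    Returns (accepted, reason) so the reason can be logged for detection."""
    # 1. Modern browsers label cross-site requests; reject those outright.
    #    Absence of the header (older browsers) falls through to the checks below.
    if headers.get("Sec-Fetch-Site") == "cross-site":
        return False, "cross-site per Sec-Fetch-Site"
    # 2. A state-changing request must carry an Origin (or at least a Referer)
    #    matching the allowlist; a missing header is a rejection, not a pass.
    src = _origin(headers.get("Origin")) or _origin(headers.get("Referer"))
    if src is None:
        return False, "missing Origin/Referer"
    if src not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {src}"
    # 3. Anti-CSRF token: form field must equal the value bound to the session.
    token = cookies.get("csrf", "")
    if not token or not hmac.compare_digest(token, form.get("csrf", "")):
        return False, "csrf token mismatch"
    return True, "ok"


# Constructed requests. FORGED carries a valid session cookie but was
# triggered from an attacker-controlled page; GENUINE came from the console.
FORGED = dict(
    headers={"Origin": "https://attacker.test", "Sec-Fetch-Site": "cross-site"},
    cookies={"session": "s1", "csrf": "t0k3n"}, form={"file": b"payload"})
GENUINE = dict(
    headers={"Origin": "https://console.example.test", "Sec-Fetch-Site": "same-origin"},
    cookies={"session": "s1", "csrf": "t0k3n"}, form={"file": b"data", "csrf": "t0k3n"})
```

The vulnerable handler accepts FORGED because the cookie rides along with any cross-site request; the hardened one rejects it on the first check and, on browsers that omit Sec-Fetch-Site, on the origin allowlist.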

A One-Click Compromise with Far-Reaching Impact

Tenable warns that the exploit required minimal user interaction—just a single click on a malicious link—making it especially dangerous. Once inside the Cloud Shell, attackers could run arbitrary commands, steal credentials, and gain access to other OCI services such as Resource Manager, Functions, and Data Science. In environments with elevated privileges, the impact could extend to full system compromise, data theft, and long-term persistence.

A Jenga®-Like Weakness in the Cloud Stack

Tenable researchers liken the issue to what they call the Jenga® Concept: the idea that modern cloud infrastructure is built in interlocking layers, where weaknesses in one service can cascade into others.

“Similar to the game of Jenga®, extracting one block can compromise the integrity of the whole structure,” said Liv Matan, Senior Security Researcher at Tenable. “Cloud services—particularly those deeply integrated and sharing environments—can amplify vulnerabilities across layers. Our findings in OCI reinforce the need for cloud providers and users alike to closely examine these complex, interconnected systems.”

Oracle Responds Swiftly

Oracle has since addressed the vulnerability and confirmed that no further action is required from customers. However, Tenable’s findings serve as a wake-up call for organizations relying heavily on cloud-native development environments.

With attackers increasingly targeting developer tools and CI/CD pipelines, the incident highlights the importance of security validation even in seemingly isolated cloud services.
