Oracle left what researchers called a "mega 0-day" unpatched for six months after it was reported to the enterprise software vendor, leaving multiple large corporations open to potential exploitation.