Oracle did not immediately respond to a request for comment regarding its patching plans for this vulnerability.
This is the third time this year attackers have used zero-day Java exploits. The increased frequency of attacks has forced Oracle to reduce the time between scheduled Java patches from four months to two months and set the security controls for Java applets in browsers to "High" by default.
Following the Java-based attacks on Twitter, Facebook, Apple and Microsoft engineers that were launched from a compromised community forum for iOS developers, Oracle broke out of its patching cycle to release an emergency security update on Feb. 1.
The company followed that up with another patch on Feb. 19. The next security updates for Java are scheduled for April 16, but it's possible that Oracle will be forced to release an emergency patch again in order to fix this actively exploited vulnerability.