"Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don't know why Oracle left so many serious bugs for the Oct. CPU," Gowdiak said.

Security Explorations is not aware of any changes in Oracle's patching plans at this time, Gowdiak said. "But, we hope they will stand up to the task and release a Java CPU fixing the security issues as soon as possible."

Oracle did not immediately return a request for comment regarding the vulnerability reports received from Security Explorations. The company has not publicly commented about the two actively exploited vulnerabilities either.