"We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery," the FireEye researchers said. "Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to 'High' and do not execute any unknown Java applets outside of your organization."
Oracle did not immediately respond to a request for comment regarding its patching plans for this vulnerability.
This is the third time this year attackers have used zero-day Java exploits. The increased frequency of attacks has forced Oracle to reduce the time between scheduled Java patches from four months to two months and set the security controls for Java applets in browsers to "High" by default.
Following the Java-based attacks on Twitter, Facebook, Apple and Microsoft engineers that were launched from a compromised community forum for iOS developers, Oracle broke out of its patching cycle to release an emergency security update on Feb. 1.
The company followed that up with another patch on Feb. 19. The next security updates for Java are scheduled for April 16, but it's possible that Oracle will be forced to release an emergency patch again in order to fix this actively exploited vulnerability.