Oracle has released its quarterly Critical Patch Update (CPU) for July 2025, containing 309 new security patches across its product portfolio (Oracle counts patches rather than CVEs, so a single CVE fixed in several products contributes several patches).
This release represents one of the most significant security updates from Oracle, spanning database systems, middleware, enterprise applications, and cloud native services.
The company continues to emphasize the critical importance of immediate patch deployment, particularly as it receives ongoing reports of successful attacks against customers who have failed to apply available security patches.
The July 2025 CPU affects virtually every major Oracle product family, with some categories experiencing particularly heavy patch loads.
Oracle Communications leads with 84 new security patches, followed by MySQL with 40 patches, and Fusion Middleware with 36 patches.
The Oracle Database Server receives 6 new patches, while Java SE addresses 11 vulnerabilities. Enterprise applications including E-Business Suite (9 patches), PeopleSoft (7 patches), and Retail Applications (11 patches) also receive significant security updates.
Several critical vulnerabilities with CVSS base scores of 9.0 and above demand immediate attention.
CVE-2025-31651, affecting Oracle Managed File Transfer, Oracle Retail Xstore Office, and Oracle Agile products, carries a CVSS base score of 9.8, meaning it is exploitable over the network without authentication or user interaction.
CVE-2024-52046 in Oracle Middleware Common Libraries and Oracle Healthcare Master Person Index also scores 9.8, as does CVE-2025-24813 in Oracle Hospitality Cruise Shipboard Property Management System. All three originate in bundled third-party components (CVE-2025-31651 and CVE-2025-24813 in Apache Tomcat, CVE-2024-52046 in Apache MINA), so the same CVE may also be present in other software that embeds those libraries.
A particularly concerning aspect of this update is the prevalence of remotely exploitable vulnerabilities that require no authentication.
The advisory identifies vulnerabilities that can be exploited over a network without requiring user credentials, making them prime targets for attackers.
Oracle Communications products face the highest exposure with 50 remotely exploitable vulnerabilities, while Fusion Middleware contains 22 such vulnerabilities.
These unauthenticated, remotely exploitable vulnerabilities (CVSS Attack Vector: Network, Privileges Required: None) represent the most immediate threat, because an attacker needs neither a foothold inside the network nor a valid account to reach them from the internet.
The update also addresses numerous third-party component vulnerabilities integrated into Oracle products. These include fixes for Apache Tomcat, Spring Framework, Apache Kafka, and various networking libraries.
Oracle has provided VEX (Vulnerability Exploitability eXchange) justifications for non-exploitable third-party CVEs, explaining why certain vulnerabilities cannot be exploited within Oracle’s implementation context.
Oracle strongly recommends that customers apply Critical Patch Update security patches without delay, emphasizing that targeted attacks have succeeded against organizations that failed to deploy available patches.
The company warns that prior Critical Patch Update advisories should be reviewed for organizations that have skipped previous updates.
For customers concerned about application functionality, Oracle suggests testing changes on non-production systems while noting that workarounds should not be considered long-term solutions.
The security advisory credits 27 security researchers and organizations for discovering and reporting vulnerabilities, including contributors from various cybersecurity firms, academic institutions, and independent researchers.
This collaborative approach continues to strengthen Oracle’s security posture through responsible disclosure practices.
The next Critical Patch Updates are scheduled for October 21, 2025, and January 20, 2026, maintaining Oracle’s quarterly security update cadence.
Organizations should prioritize testing and deployment of these patches immediately, particularly for systems with internet-facing components or those handling sensitive data.