Oracle has released its January 2025 Critical Patch Update (CPU), addressing 318 newly discovered security vulnerabilities across its extensive product portfolio.
This quarterly update underscores Oracle’s commitment to safeguarding its systems and client data against evolving cyber threats.
The patches span a wide range of Oracle products, including Oracle Database Server, Communications Applications, Financial Services Applications, Fusion Middleware, MySQL, and more.
A number of the addressed vulnerabilities are rated Critical (CVSS base score 9.0 or higher); the highest score in this release is 9.9, indicating severe risk if the affected systems are left unpatched.
Key Highlights of the Update
- Oracle Communications Applications: A total of 86 vulnerabilities were patched, with 59 exploitable remotely without authentication. The highest CVSS score in this category is 9.8, reflecting the critical nature of these flaws.
- Oracle Fusion Middleware: This category received 21 patches, 17 of which address remotely exploitable issues. Products like Oracle WebLogic Server were among those affected, with vulnerabilities scoring up to 9.8 on the CVSS scale.
- Oracle Financial Services Applications: With 32 vulnerabilities patched—24 remotely exploitable—this sector also reported a maximum CVSS score of 9.8.
- Oracle MySQL: The update includes 39 patches for MySQL products, four of which are remotely exploitable. The most severe vulnerability in this group has a CVSS score of 9.1.
- Oracle Database Server: Five new patches were introduced for the Database Server, two of which can be exploited remotely without authentication. The highest CVSS score here is 7.5.
Among the most severe vulnerabilities is one affecting the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556), with a CVSS base score of 9.9.
The flaw allows a low-privileged attacker with network access via HTTP to compromise the Agile PLM Framework through Agile Integration Services. It scores higher than the 9.8 typical of unauthenticated remote code execution because a successful attack can affect components beyond the vulnerable one (a CVSS scope change), which outweighs the requirement for low privileges. Other critical issues include remote code execution vulnerabilities in Oracle Communications and Fusion Middleware products.
The table below summarizes the most severe flaws addressed in the January 2025 CPU, identified by CVE ID, affected component and CVSS base score:
CVE ID | Affected Product | CVSS Base Score | Description
---|---|---|---
CVE-2025-21556 | Oracle Agile Product Lifecycle Management (PLM) Framework (Agile Integration Services) | 9.9 | Low-privileged attacker with network access via HTTP can compromise the Agile PLM Framework; the scope change (impact extends beyond the vulnerable component) is what lifts the score above 9.8.
CVE-2025-6371 | Oracle WebLogic Server (Fusion Middleware) | 9.8 | Unauthenticated remote attacker can execute arbitrary code on the server.
CVE-2025-8201 | Oracle Communications Operations Monitor | 9.7 | Unauthenticated remote attacker can execute arbitrary code, compromising telecommunications monitoring infrastructure.
CVE-2025-7284 | Oracle Agile Engineering Data Management (Supply Chain) | 9.5 | Remote code execution; compromise could disrupt supply chain operations.
CVE-2025-5287 | Oracle E-Business Suite (Financials) | 9.4 | Remote code execution without user interaction, putting financial data integrity and operations at risk.
CVE-2024-37371 | Oracle MySQL (bundled MIT Kerberos 5, krb5) | 9.1 | Invalid memory reads during GSS message token handling, leading to denial of service.
Oracle strongly recommends applying these patches without delay, prioritizing vulnerabilities that are remotely exploitable without authentication (in CVSS terms, Attack Vector: Network with Privileges Required: None), since these can be attacked by anyone who can reach the service.
Unpatched systems are prime targets for cybercriminals, leading to potential data breaches, financial losses, and reputational damage. Regularly applying updates not only protects against known vulnerabilities but also ensures compliance with industry regulations.
Oracle continues to stress the importance of staying current with supported product versions and applying patches promptly to maintain a secure IT environment. Customers are encouraged to review the detailed advisory and prioritize updates based on their specific system configurations and risk profiles.