Oracle Security Update

Oracle released its April 2025 Critical Patch Update (CPU), addressing 378 new security vulnerabilities across its extensive product portfolio.

The quarterly security update, announced on Wednesday, contains patches for numerous high-risk flaws, many of which could potentially allow remote exploitation without authentication.

Vulnerability Statistics

| Metric | Count |
| --- | --- |
| Total vulnerabilities | 378 |
| Remotely exploitable | 255 |
| Critical (CVSS ≥ 9.0) | 40 |
| Very high severity (CVSS 9.8) | 30 |
| High severity (CVSS ≥ 7.0) | 162 |

Critical Vulnerabilities Across Multiple Products

The April 2025 CPU impacts many Oracle products and services, including Oracle Database Server, Java SE, MySQL, Fusion Middleware, E-Business Suite, Communications products, and numerous others. Some of the most concerning vulnerabilities affect Oracle’s core enterprise products, which are widely deployed in organizations worldwide.


Oracle Database Server versions 19.3-19.26, 21.3-21.17, and 23.4-23.7 received patches for multiple security issues, highlighting the importance of updating database systems.

Java SE, one of Oracle’s most widely distributed technologies, received patches for versions 8u441, 11.0.26, 17.0.14, 21.0.6, and 24, addressing vulnerabilities that potentially impact millions of systems worldwide.

| CVE ID | Product/Component | CVSS Score | Exploitability | Description |
| --- | --- | --- | --- | --- |
| CVE-2025-24813 | Oracle Commerce/Guided Search | 9.8 | Remote, No Auth | RCE via Apache Tomcat |
| CVE-2025-21535 | WebLogic Server/Core | 9.8 | Remote, No Auth | RCE via T3, IIOP protocols |
| CVE-2024-45492 | Oracle HTTP Server/LibExpat | 9.8 | Remote, No Auth | RCE via HTTP |
| CVE-2025-30736 | Oracle Database/Java VM | High | Remote, No Auth | Database compromise |
| Multiple | Communications Apps | High | Remote, No Auth | Core telecom infrastructure vulnerabilities |

Remote Exploitation Concerns

What makes this update particularly urgent is that many of the patched vulnerabilities could be exploited remotely without requiring user credentials. Oracle has explicitly warned about the consequences of delayed patching, noting past incidents where attackers successfully compromised systems because “targeted customers had failed to apply available Oracle patches”.

“Oracle strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay,” the company stated in its advisory.

Security experts emphasize this update’s significance due to the number and severity of the vulnerabilities addressed. The patches cover flaws reported by numerous security researchers and organizations, including Google, Amazon AWS Security, Alibaba, Tsinghua University, and various independent security experts.

Oracle uses the Common Vulnerability Scoring System (CVSS) version 3.1 to evaluate the severity of each vulnerability. This standardized approach helps organizations prioritize which patches to implement first based on potential impact and exploitability.

Affected Products & Recommendations

The security update spans Oracle’s entire product ecosystem. Major affected products include:

  • MySQL Server (versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0)
  • Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0)
  • Oracle Communications products (multiple versions)
  • Oracle Financial Services applications
  • Oracle Retail applications
  • Oracle E-Business Suite (versions 12.2.3-12.2.14)
  • PeopleSoft Enterprise products

Oracle emphasized that patches are only provided for product versions under the Premier Support or Extended Support phases of the Lifetime Support Policy. Organizations running unsupported versions are strongly encouraged to upgrade, as older versions likely suffer from the same vulnerabilities but won’t receive patches.

For organizations unable to immediately apply patches, Oracle suggests potentially reducing risk by “blocking network protocols required by an attack” or “removing privileges or the ability to access the packages from users that do not need the privileges”.

However, the company stresses these are only temporary measures that “may break application functionality” and “should not be considered a long-term solution.”

Security professionals recommend that organizations implement a risk-based approach to applying these patches. They should prioritize internet-facing systems and critical business applications and test patches thoroughly in non-production environments before deployment.
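The version ranges quoted above and the CVSS/exploitability figures in the table are exactly what a patch-triage script needs. The following is an added example written for this article, not Oracle tooling and not part of the advisory: it checks each inventory entry against the affected ranges the article lists, then ranks affected assets by exposure (internet-facing or not) and by whether the article's table records a CVSS ≥ 9.0 remote, no-auth CVE for that product. The sample inventory, the priority rule, and the treatment of Java SE (every release of a family up to the listed update level is assumed affected) are assumptions of this example, not statements from the article.

```python
"""Added triage example (not Oracle's tooling): flag inventory entries whose
version falls inside the April 2025 CPU affected ranges quoted in the article,
then rank them by exposure and by the CVSS/exploitability data in the table.
Inventory, priority rules and the Java SE range interpretation are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Affected version ranges as stated in the article (inclusive on both ends).
AFFECTED: dict[str, list[tuple[str, str]]] = {
    "Oracle Database Server": [("19.3", "19.26"), ("21.3", "21.17"), ("23.4", "23.7")],
    "MySQL Server": [("8.0.0", "8.0.41"), ("8.4.0", "8.4.4"), ("9.0.0", "9.2.0")],
    "WebLogic Server": [("12.2.1.4.0", "12.2.1.4.0"), ("14.1.1.0.0", "14.1.1.0.0")],
    "E-Business Suite": [("12.2.3", "12.2.14")],
    # Java SE: the article names the affected update levels; this example assumes
    # every release of the same family up to that level is affected as well.
    "Java SE": [("8u0", "8u441"), ("11.0.0", "11.0.26"), ("17.0.0", "17.0.14"),
                ("21.0.0", "21.0.6"), ("24", "24")],
}

# Products with a CVSS >= 9.0, remote, no-auth CVE in the article's table.
CRITICAL_REMOTE_NOAUTH = {"WebLogic Server", "Oracle HTTP Server", "Oracle Commerce"}

PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "none": 3}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '19.26', '12.2.1.4.0' or the legacy Java form '8u441' into an int tuple."""
    m = re.fullmatch(r"(\d+)u(\d+)", v)
    if m:  # '8u441' is compared as (8, 0, 441); an assumption used for ordering only
        return (int(m.group(1)), 0, int(m.group(2)))
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, lo: str, hi: str) -> bool:
    """Inclusive range check; shorter tuples are zero-padded so 19.3 == 19.3.0."""
    parts = [parse_version(x) for x in (lo, version, hi)]
    width = max(len(p) for p in parts)
    lo_t, v_t, hi_t = (p + (0,) * (width - len(p)) for p in parts)
    return lo_t <= v_t <= hi_t


def is_affected(product: str, version: str) -> bool:
    """True when the version sits inside any affected range for the product."""
    return any(in_range(version, lo, hi) for lo, hi in AFFECTED.get(product, []))


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool


def priority(asset: Asset) -> str:
    """Assumed rule: exposure plus a critical remote/no-auth CVE -> P1,
    either one alone -> P2, any other affected asset -> P3, unaffected -> none."""
    if not is_affected(asset.product, asset.version):
        return "none"
    critical = asset.product in CRITICAL_REMOTE_NOAUTH
    if asset.internet_facing and critical:
        return "P1"
    if asset.internet_facing or critical:
        return "P2"
    return "P3"


def triage(inventory: list[Asset]) -> list[tuple[str, str]]:
    """Return (asset name, priority) pairs, most urgent first, ties by name."""
    ranked = [(a.name, priority(a)) for a in inventory]
    return sorted(ranked, key=lambda r: (PRIORITY_ORDER[r[1]], r[0]))


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    Asset("wls-edge-01", "WebLogic Server", "14.1.1.0.0", internet_facing=True),
    Asset("mysql-api-01", "MySQL Server", "8.4.4", internet_facing=True),
    Asset("mysql-api-02", "MySQL Server", "8.4.5", internet_facing=True),
    Asset("db-core-01", "Oracle Database Server", "19.26", internet_facing=False),
    Asset("build-jdk-17", "Java SE", "17.0.14", internet_facing=False),
    Asset("build-jdk-8", "Java SE", "8u451", internet_facing=False),
    Asset("ebs-fin-01", "E-Business Suite", "12.2.14", internet_facing=False),
]

if __name__ == "__main__":
    for name, prio in triage(SAMPLE_INVENTORY):
        print(f"{prio:5} {name}")
```

The zero-padding in `in_range` matters for Oracle's mixed-depth version strings (19.3 versus 12.2.1.4.0): comparing raw tuples of different lengths would make 19.3 sort below 19.3.0. The ranking deliberately treats a non-internet-facing host with a critical remote/no-auth flaw the same as an exposed host with a lesser flaw; adjust `priority` to your own risk model before relying on it.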


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.