Oracle April 2025 CPU: 378 Security Patches Released

On April 15, 2025, Oracle released its latest Critical Patch Update (CPU), delivering a sweeping set of 378 new security patches across its expansive product portfolio.

The April 2025 edition spans databases, middleware, cloud services, and communications applications, some of which are core to global financial institutions, telecom providers, and cloud-native platforms.

Key Highlights:

• Oracle Communications Applications received 42 new security patches, with 35 vulnerabilities remotely exploitable without authentication.
• Oracle Commerce saw 6 new patches, including five critical RCE vulnerabilities, such as CVE-2025-24813 (CVSS 9.8), affecting Apache Tomcat in the Guided Search component.
• Oracle Database Server was updated with 7 new patches, 3 of which are remotely exploitable, such as CVE-2025-30736, impacting Java VM.
• Oracle GoldenGate and TimesTen In-Memory Database both had multiple high-severity vulnerabilities, including CVEs involving Axios, Apache Commons IO, and Netty.

Critical Vulnerability Statistics

• Total vulnerabilities addressed: 378
• Unique CVEs fixed (excluding duplicates across products): 171
• Remotely exploitable without authentication: 255 vulnerabilities
• High-severity issues (CVSS v3.1 score ≥ 7.0): 162 vulnerabilities
• CVSS ≥ 9.0 (Critical): 40 vulnerabilities
• CVSS 9.8 (very high severity): 30 vulnerabilities
• No CVSS 10.0 vulnerabilities were reported

The CPU affects a wide swath of Oracle offerings, including:

• Oracle Database Server (versions 19.3–23.7)
• Oracle Communications Suite (Unified Assurance, Messaging Server, Network Integrity)
• Oracle GoldenGate, Graph Server, Essbase, Secure Backup
• Oracle Java SE, Fusion Middleware, SOA Suite, WebLogic Server
• Retail, Financial Services, E-Business Suite, PeopleSoft, and more

Oracle reiterates in its advisory that “attackers have been successful because targeted customers had failed to apply available Oracle patches.” The company urges users to remain on actively supported versions and apply the updates without delay.

For organizations lagging behind on previous patch cycles, Oracle warns that older versions likely share vulnerabilities and strongly recommends upgrades to supported versions.

Related Posts:

• CISA Sounds the Alarm on Actively Exploited Apple and Oracle Zero-Days
• Oracle Discloses Second Hack (Client Login Data)
• Intel didn’t disclose U.S. Government about CPU flaws until vulnerabilities went public
• Critical Vulnerabilities & Major Cyberattacks: April 7-13 Recap
• Experts speculate hackers begin to remotely exploit Intel CPU vulnerabilities

About The Author

Ddos

Ddos is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.

See author's posts