Oracle Critical Patch Update, April 2025 Security Update Review

Oracle released its first quarterly edition of this year’s Critical Patch Update. The update contains patches for 378 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities across multiple product families, including third-party components bundled in Oracle products.

In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 103, constituting about 27% of the total patches released. Oracle MySQL and Oracle Communications Applications followed, with 43 and 42 security patches respectively.

300 of the 378 security patches provided by the April Critical Patch Update (about 79%) are for non-Oracle CVEs, such as open-source components included in, and exploitable in the context of, their Oracle product distributions.

This batch of security patches includes 17 updates for Oracle Database products. The following is the product-wise distribution:

  • Seven new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 7.4.
    • Two of these updates apply to client-only deployments of the Oracle Database.
  • One new security update for Oracle Autonomous Health Framework with a maximum reported CVSS Base Score of 7.5.
  • One new security update for Oracle Essbase with a maximum reported CVSS Base Score of 4.1.
  • Four new security updates for Oracle GoldenGate with a maximum reported CVSS Base Score of 7.5.
  • One new security update for Oracle Graph Server and Client with a maximum reported CVSS Base Score of 5.3.
  • One new security update for Oracle Secure Backup with a maximum reported CVSS Base Score of 6.7.
  • Two new security updates for Oracle TimesTen In-Memory Database with a maximum reported CVSS Base Score of 7.5.

In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Autonomous Health Framework, Oracle Essbase, Oracle GoldenGate, Oracle Graph Server and Client, Oracle Secure Backup, Oracle TimesTen In-Memory Database, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Food and Beverage Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Policy Automation, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Support Tools, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Notable Oracle Vulnerabilities Patched

Oracle Communications

This Critical Patch Update for Oracle Communications received 103 security patches. Out of these, 82 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-56337, CVE-2024-52046, CVE-2025-1974, CVE-2025-24813, CVE-2024-40896, and CVE-2024-5535 in different Oracle Communications products have critical severity ratings. A remote attacker may exploit these vulnerabilities without privileges in a low-complexity network attack.

Oracle MySQL

This Critical Patch Update for Oracle MySQL received 43 security patches. Out of these, two vulnerabilities can be exploited over a network without user credentials.

CVE-2024-40896 in MySQL Workbench has a critical severity rating with a CVSS score of 9.1. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Oracle Communications Applications

This Critical Patch Update for Oracle Communications Applications received 42 security patches. Out of these, 35 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-52046, CVE-2025-24813, and CVE-2024-40896 in different Oracle Communications Applications products have critical severity ratings. A remote attacker may exploit these vulnerabilities without privileges in a low-complexity network attack.

Oracle Financial Services Applications

This Critical Patch Update for Oracle Financial Services Applications received 34 security patches. Out of these, 22 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-56337 in Oracle Financial Services Model Management and Governance has a critical severity rating with a CVSS score of 9.8. A remote attacker may exploit this vulnerability without privileges in a low-complexity network attack.

Oracle Fusion Middleware

This Critical Patch Update for Oracle Fusion Middleware received 31 security patches. Out of these, 26 vulnerabilities can be exploited over a network without user credentials.

CVE-2024-52046, CVE-2024-38476, CVE-2024-56337, CVE-2024-47561, CVE-2024-40896, and CVE-2024-11053 in different Oracle Fusion Middleware products have critical severity ratings. A remote attacker may exploit these vulnerabilities without privileges in a low-complexity network attack.

Visit the Oracle Critical Patch Update April 2025 (CPUAPR2025) page for a description of each vulnerability and the systems it affects.

Customers can scan their network with QIDs 383103, 383102, 383100, 383097, 20473, 20472, 20471, 20470, 20469, 296124, and 87571 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References:
https://www.oracle.com/security-alerts/cpuapr2025.html
