Oracle released the third quarterly edition of this year's Critical Patch Update. The update contains patches for 374 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities across various product families, including third-party components shipped in Oracle products.
In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 73, constituting about 19% of the total patches released. Oracle Communications Applications and Oracle Financial Services Applications followed, with 64 and 33 security patches, respectively.
298 of the 374 security patches provided by the October Critical Patch Update (about 80%) are for non-Oracle CVEs, i.e., vulnerabilities in open-source and other third-party components that are bundled with, and exploitable in the context of, the Oracle product distributions that include them.
This batch of security patches includes 18 updates for Oracle Database products. The following is the distribution by product:
- Six new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 7.3.
  - One of these updates applies to client-only deployments of the Oracle Database.
- Four new security updates for Oracle Essbase with a maximum reported CVSS Base Score of 8.1.
- Six new security updates for Oracle GoldenGate with a maximum reported CVSS Base Score of 9.8.
- One new security update for Oracle Graph Server and Client with a maximum reported CVSS Base Score of 6.5.
- One new security update for Oracle REST Data Services with a maximum reported CVSS Base Score of 4.3.
The product families covered by these security updates include Oracle Database Server, Oracle Essbase, Oracle GoldenGate, Oracle Graph Server and Client, Oracle REST Data Services, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.
Notable Oracle Vulnerabilities Patched
Oracle Communications
This Critical Patch Update includes 73 security patches for Oracle Communications. Of these, 47 vulnerabilities can be exploited over a network without user credentials.
CVE-2025-6965, CVE-2025-4517, and CVE-2025-49796 in different Oracle Communications products have critical severity ratings with a CVSS score of 9.8, 9.4, and 9.1, respectively.
Oracle Communications Applications
This Critical Patch Update includes 64 security patches for Oracle Communications Applications. Of these, 46 vulnerabilities can be exploited over a network without user credentials.
CVE-2025-6965, CVE-2024-37371, and CVE-2025-49796 in different Oracle Communications Applications products have critical severity ratings. A remote attacker may exploit these vulnerabilities without privileges in a low-complexity network attack.
Oracle Financial Services Applications
This Critical Patch Update includes 33 security patches for Oracle Financial Services Applications. Of these, 29 vulnerabilities can be exploited over a network without user credentials.
CVE-2025-53037 and CVE-2025-6965, impacting different Oracle Financial Services Applications products, have critical severity ratings with a CVSS score of 9.8. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.
Oracle Fusion Middleware
This Critical Patch Update includes 20 security patches for Oracle Fusion Middleware. Of these, 17 vulnerabilities can be exploited over a network without user credentials.
CVE-2025-61757 and CVE-2023-45853 in different Oracle Fusion Middleware products have critical severity ratings with a CVSS score of 9.8. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.
Oracle MySQL
This Critical Patch Update includes 18 security patches for Oracle MySQL. Of these, seven vulnerabilities can be exploited over a network without user credentials.
CVE-2025-6965 and CVE-2025-4517 in MySQL Workbench have critical severity ratings with CVSS scores of 9.8 and 9.4, respectively. In a low-complexity network attack, a remote attacker may exploit these vulnerabilities without privileges.
Oracle PeopleSoft
This Critical Patch Update includes 18 security patches for Oracle PeopleSoft. Of these, seven vulnerabilities can be exploited over a network without user credentials.
CVE-2025-4517 in PeopleSoft Enterprise PeopleTools has a critical severity rating with a CVSS score of 9.4. In a low-complexity network attack, a remote attacker may exploit this vulnerability without privileges.
Visit the Oracle Critical Patch Update October 2025 (CPUOCT2025) page for a description of each vulnerability and the systems it affects.
Customers can scan their network with QIDs 385598, 385596, 385595, 385593, 20513, 20514, 20511, 20509, 296129, and 87593 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://www.oracle.com/security-alerts/cpuoct2025.html