What is Oracle's July 2025 Critical Patch Update?

Oracle's July 2025 Critical Patch Update is a quarterly security release containing 309 new security patches that fix vulnerabilities across Oracle's product ecosystem. Oracle strongly recommends customers apply these patches without delay as they continue to receive reports of successful exploitation of vulnerabilities for which patches have already been released.

How many security patches are included in Oracle's July 2025 update?

The July 2025 Critical Patch Update includes 309 new security patches fixing issues across Oracle's product ecosystem. This includes critical vulnerabilities, high severity vulnerabilities, and over 250 other vulnerabilities with lower severity ratings.

What Oracle products are affected by the July 2025 security update?

The security update affects major Oracle product families including Oracle Database Server (versions 19.3-19.27, 21.3-21.18, and 23.4-23.8), Oracle Java SE (versions 8u451, 11.0.27, 17.0.15, 21.0.7, and 24.0.1), MySQL Server (versions 8.0.0-8.0.42, 8.4.0-8.4.5, and 9.0.0-9.3.0), and Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0).

What are the most critical vulnerabilities in Oracle's July 2025 patch update?

The most critical vulnerabilities include CVE-2024-52046 (CVSS 9.8) affecting Oracle Middleware Common Libraries and Healthcare Master Person Index, CVE-2025-31651 (CVSS 9.8) affecting Oracle Managed File Transfer and multiple retail/engineering products, CVE-2025-24813 (CVSS 9.8) affecting Oracle Hospitality and Siebel CRM, and CVE-2025-30065 (CVSS 9.1) affecting Oracle Business Intelligence Enterprise Edition. All of these allow remote exploitation without authentication.

What high severity vulnerabilities are included in the Oracle July 2025 update?

High severity vulnerabilities (CVSS score 8 and above) include CVE-2025-50067 (CVSS 9.0) affecting Oracle Application Express, CVE-2024-25638 (CVSS 8.9) affecting Oracle Communications products, CVE-2025-48734 (CVSS 8.8) affecting multiple products including WebLogic Server and Identity Manager, and several CVEs with 8.2 scores affecting Oracle VM VirtualBox, Enterprise Data Quality, and Communications products.

Which Oracle Java versions are affected by the July 2025 security update?

The July 2025 security update affects Oracle Java SE versions 8u451, 11.0.27, 17.0.15, 21.0.7, and 24.0.1. Several vulnerabilities specifically target Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition.

How many total vulnerabilities does Oracle's July 2025 patch address?

Oracle's July 2025 Critical Patch Update addresses over 309 vulnerabilities in total, including critical vulnerabilities with CVSS scores of 9.8 and 9.1, high severity vulnerabilities with CVSS scores of 8.0 and above, and over 250 other vulnerabilities with lower severity ratings.

Advisory

Oracle releases July 2025 Critical Patch Update addressing 309 vulnerabilities

Q: When are the next Oracle Critical Patch Updates scheduled?

The next Oracle Critical Patch Updates are scheduled for October 21, 2025, January 20, 2026, April 21, 2026, and July 21, 2026, following Oracle's quarterly release schedule.

published: July 16, 2025

Take action: One more massive patch release covering all products of Oracle. Make sure you review the list of products with critical vulnerabilities, then go through the full list. It's going to be a long patching process. Prioritize products with critical flaws and move onward. As usual, always make a backup before running a patch on Oracle product.

Learn More

Oracle has released its quarterly Critical Patch Update for July 2025 with 309 new security patches fixing issues in the Oracle product ecosystem.

Oracle strongly recommends that customers remain on actively-supported versions and apply these security patches without delay, as they continue to receive reports of successful exploitation of vulnerabilities for which patches have already been released.

The security update addresses vulnerabilities across Oracle's major product families, with significant coverage including Oracle Database Server versions 19.3-19.27, 21.3-21.18, and 23.4-23.8; Oracle Java SE versions affecting 8u451, 11.0.27, 17.0.15, 21.0.7, and 24.0.1; MySQL Server versions 8.0.0-8.0.42, 8.4.0-8.4.5, and 9.0.0-9.3.0; and Oracle WebLogic Server versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0.

Critical vulnerabilties

CVE-2024-52046 (CVSS score 9.8) - affecting Oracle Middleware Common Libraries and Tools, and Oracle Healthcare Master Person Index, allowing remote exploitation without authentication
CVE-2025-31651 (CVSS score 9.8) - affecting Oracle Managed File Transfer, Oracle Retail Xstore Office, Oracle Agile Engineering Data Management, and Oracle Agile PLM, enabling remote code execution without authentication
CVE-2025-24813 (CVSS score 9.8) - affecting Oracle Hospitality Cruise Shipboard Property Management System and Siebel CRM Deployment
CVE-2025-30065 (CVSS score 9.1) - affecting Oracle Business Intelligence Enterprise Edition Analytics Server component
CVE-2025-50067 (CVSS score 9.0) - affecting Oracle Application Express Strategic Planner Starter App

High Severity vulnerabilities (CVSS score 8 and above)

CVE-2024-25638 (CVSS score 8.9) - affecting Oracle Communications Cloud Native Core Network Data Analytics Function and Network Exposure Function
CVE-2025-48734 (CVSS score 8.8) - affecting multiple products including Multiple products (Apache Commons BeanUtils vulnerability affecting Oracle Data Integrator, Identity Manager, WebLogic Server, Communications Applications, Financial Services Applications, Construction and Engineering, Enterprise Manager, Analytics, HealthCare Applications, Retail Applications)
CVE-2025-30751 (CVSS score 8.8) - affecting Oracle Database Server
CVE-2023-42917 (CVSS score 8.8) - affecting Oracle WebCenter Enterprise Capture
CVE-2025-50059 (CVSS score 8.6) - affecting Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition
CVE-2024-56406 (CVSS score 8.6) - affecting Oracle Communications Billing and Revenue Management
CVE-2025-23016 (CVSS score 8.2) - affecting Oracle Communications Core Session Manager, Session Border Controller, Enterprise Communications Broker
CVE-2025-49146 (CVSS score 8.2) - affecting Oracle Enterprise Data Quality
CVE-2025-53024 (CVSS score 8.2) - affecting Oracle VM VirtualBox
CVE-2025-53027 (CVSS score 8.2) - affecting Oracle VM VirtualBox
CVE-2025-53028 (CVSS score 8.2) - affecting Oracle VM VirtualBox
CVE-2025-27363 (CVSS score 8.1) - affecting Multiple Communications products, Oracle AutoVue
CVE-2025-30743 (CVSS score 8.1) - affecting Oracle Lease and Finance Management
CVE-2025-30744 (CVSS score 8.1) - affecting Oracle Mobile Field Service
CVE-2025-50105 (CVSS score 8.1) - affecting Oracle Universal Work Queue
CVE-2025-30749 (CVSS score 8.1) - affecting Oracle Java SE, Oracle GraalVM
CVE-2025-50106 (CVSS score 8.1) - affecting Oracle Java SE, Oracle GraalVM
CVE-2025-50062 (CVSS score 8.1) - affecting PeopleSoft Enterprise HCM Global Payroll Core
CVE-2025-24813 (CVSS score 8.1) - affecting Siebel CRM Deployment (note: this CVE appears twice with different scores - 9.8 for Hospitality and 8.1 for Siebel)
CVE-2023-27349 (CVSS score 8.0) - affecting Oracle Communications User Data Repository

Apart from these flaws, the advisory contains over 250 other vulnerabilities patched with lower severity.

Oracle strongly recommends that customers apply these Critical Patch Update security patches as soon as possible, especially for vulnerabilities that can be exploited remotely without authentication.

The next Critical Patch Updates are scheduled for October 21, 2025, January 20, 2026, April 21, 2026, and July 21, 2026, following Oracle's quarterly release schedule.

Oracle releases July 2025 Critical Patch Update addressing 309 vulnerabilities

Read More
Researchers report critical flaws in CyberArk vaults
Fortinet authentication bypass flaw enables device takeover
Critical Cellbreak Vulnerability in Grist-Core Enables Remote Code …
Critical SQL Injection and XSS flaws reported in …
n8n Patches More Critical Command Injection and Sandbox …