Oracle releases October 2025 Critical Patch Update addressing 374 vulnerabilities
Take action: Another massive patch release covering Oracle's whole product line, and this time at least one product has flaws that are being actively exploited, so do not ignore these patches. Start with internet-accessible products that have critical vulnerabilities, then internal products with critical vulnerabilities, then work through the full list. It is going to be a long patching process. As usual, always take a backup before applying a patch to an Oracle product.
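One way to turn the patch order above into a repeatable triage step (an added example, not part of Oracle's advisory or the original post): the advisory subset is built from CVEs listed on this page, while the asset inventory, hostnames and exposure flags are constructed assumptions.

```python
# Constructed subset of the October 2025 CPU entries summarised on this page:
# (CVE, CVSS base score, set of affected products).
ADVISORY = [
    ("CVE-2025-53072", 9.8, {"Oracle Marketing"}),
    ("CVE-2025-62481", 9.8, {"Oracle Marketing"}),
    ("CVE-2025-61757", 9.8, {"Identity Manager REST WebServices"}),
    ("CVE-2024-52046", 9.8, {"JD Edwards EnterpriseOne Tools"}),
    ("CVE-2025-48734", 8.8, {"PeopleSoft Enterprise PeopleTools", "JD Edwards EnterpriseOne Tools"}),
    ("CVE-2025-62587", 8.2, {"Oracle VM VirtualBox"}),
]

# Constructed asset inventory (hostnames and exposure flags are assumptions):
# (hostname, installed Oracle product, reachable from the internet?).
INVENTORY = [
    ("web-mkt-01", "Oracle Marketing", True),
    ("idm-01", "Identity Manager REST WebServices", True),
    ("erp-tools-01", "JD Edwards EnterpriseOne Tools", False),
    ("dev-box-07", "Oracle VM VirtualBox", False),
    ("hr-ps-01", "PeopleSoft Enterprise PeopleTools", False),
]

CRITICAL = 9.0  # CVSS v3 "Critical" threshold


def tier(cvss, internet_facing):
    """Tier 1: internet-facing and critical; tier 2: internal and critical; tier 3: the rest."""
    if cvss >= CRITICAL:
        return 1 if internet_facing else 2
    return 3


def build_patch_order(advisory, inventory):
    """Join the inventory against the advisory; return (tier, host, cve, cvss) rows in patch order."""
    rows = []
    for host, product, exposed in inventory:
        for cve, cvss, products in advisory:
            if product in products:
                rows.append((tier(cvss, exposed), host, cve, cvss))
    # Lowest tier number first, then highest CVSS, then host/CVE for a repeatable order.
    rows.sort(key=lambda r: (r[0], -r[3], r[1], r[2]))
    return rows


def patch_sequence(rows):
    """Hosts in patch order: first appearance wins, so a host's worst finding decides its slot."""
    seen, order = set(), []
    for _, host, _, _ in rows:
        if host not in seen:
            seen.add(host)
            order.append(host)
    return order


if __name__ == "__main__":
    for row in build_patch_order(ADVISORY, INVENTORY):
        print("tier %d  %-13s %-15s CVSS %.1f" % row)
```

A host carrying several CVEs appears once per finding in the row list, so a multi-product CVE such as CVE-2025-48734 shows up under every host that runs one of its affected products.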
Oracle has released its quarterly Critical Patch Update for October 2025 with 374 new security patches fixing issues in the Oracle product ecosystem.
The update addresses vulnerabilities across Oracle's major product families, including Oracle Database Server versions 19.3-19.28, 21.3-21.19, and 23.4-23.9; Oracle Java SE versions 8u461, 11.0.28, 17.0.16, 21.0.8, and 25; MySQL Server versions 8.0.0-8.0.43, 8.4.0-8.4.6, and 9.0.0-9.4.0; and Oracle WebLogic Server versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0.
Critical vulnerabilities (CVSS score 9.8)
- CVE-2025-53072 - affecting Oracle Marketing, allowing remote exploitation without authentication
- CVE-2025-62481 - affecting Oracle Marketing, enabling remote code execution without authentication
- CVE-2025-61757 - affecting Identity Manager REST WebServices, allowing remote exploitation without authentication
- CVE-2023-45853 - affecting Oracle Outside In Technology, enabling remote code execution without authentication
- CVE-2025-6965 - affecting multiple products including MySQL Workbench, Oracle Communications Converged Charging System, Oracle Communications Convergent Charging Controller, Oracle Communications Messaging Server, Oracle Communications Network Charging and Control, Oracle Communications Unified Assurance, Oracle Communications Cloud Native Core Certificate Management, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Unified Data Repository, Oracle Communications Network Analytics Data Director, and Oracle Financial Services Compliance Studio, allowing remote exploitation without authentication
- CVE-2025-53037 - affecting Oracle Financial Services Analytical Applications Infrastructure, allowing remote exploitation without authentication
- CVE-2024-52046 - affecting JD Edwards EnterpriseOne Tools, allowing remote exploitation without authentication
- CVE-2025-31651 - affecting Siebel CRM Deployment, allowing remote exploitation without authentication
- CVE-2024-52577 - affecting Oracle GoldenGate Stream Analytics, allowing remote exploitation without authentication
Critical vulnerabilities (CVSS score 9.4)
- CVE-2025-4517 - affecting multiple products including MySQL Workbench, PeopleSoft Enterprise PeopleTools, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core DBTier, Oracle Communications Cloud Native Core Network Slice Selection Function, Oracle Communications Cloud Native Core Policy, Oracle Communications Diameter Signaling Router, and Oracle Communications Network Analytics Data Director, enabling remote code execution without authentication
Critical vulnerabilities (CVSS score 9.1)
- CVE-2025-49796 - affecting multiple products including MySQL Cluster, MySQL Workbench, Oracle Communications Converged Charging System, Oracle Communications Unified Inventory Management, and multiple Oracle Communications Cloud Native Core components, allowing remote exploitation without authentication
- CVE-2024-37371 - affecting Oracle Communications Converged Charging System, allowing remote exploitation without authentication
High-severity vulnerabilities (CVSS score 8.0 and above)
- CVE-2025-48734 (CVSS score 8.8) - an Apache Commons BeanUtils vulnerability affecting multiple products: Oracle JDeveloper, Oracle Hospitality Cruise Shipboard Property Management System, Oracle Hyperion Calculation Manager, Oracle Hyperion Infrastructure Technology, Oracle Hyperion Planning, Oracle Documaker, Oracle Insurance Policy Administration J2EE, PeopleSoft Enterprise PeopleTools, JD Edwards EnterpriseOne Tools, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Console, Oracle Communications Operations Monitor, Oracle Retail Invoice Matching, Oracle Retail Price Management, Retail Predictive Application Server, Oracle Solaris Cluster, and Oracle Utilities Application Framework
- CVE-2025-57803 (CVSS score 8.8) - affecting Oracle Communications Operations Monitor
- CVE-2025-53643 (CVSS score 8.6) - affecting Oracle Communications Cloud Native Core Network Function Cloud Native Environment
- CVE-2025-53036 (CVSS score 8.6) - affecting Oracle Financial Services Analytical Applications Infrastructure
- CVE-2025-32990 (CVSS score 8.2) - affecting Oracle Communications Unified Inventory Management
- CVE-2025-53049 (CVSS score 8.4) - affecting Oracle Business Intelligence Enterprise Edition Analytics Web Administration component
- CVE-2025-62587 (CVSS score 8.2) - affecting Oracle VM VirtualBox
- CVE-2025-62588 (CVSS score 8.2) - affecting Oracle VM VirtualBox
- CVE-2025-62589 (CVSS score 8.2) - affecting Oracle VM VirtualBox
- CVE-2025-62641 (CVSS score 8.2) - affecting Oracle VM VirtualBox
- CVE-2025-62590 (CVSS score 8.2) - affecting Oracle VM VirtualBox
- CVE-2020-11988 (CVSS score 8.2) - affecting Oracle Financial Services Analytical Applications Infrastructure
- CVE-2025-27363 (CVSS score 8.1) - affecting Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier, and Oracle Documaker
- CVE-2025-53043 (CVSS score 8.1) - affecting Oracle Product Hub
- CVE-2024-23807 (CVSS score 8.1) - affecting Oracle Hyperion Financial Management
- CVE-2025-61751 (CVSS score 8.1) - affecting Oracle Financial Services Analytical Applications Infrastructure
- CVE-2025-61763 (CVSS score 8.1) - affecting Oracle Essbase
Beyond the flaws listed above, the advisory covers more than 330 further vulnerabilities of lower severity.
Oracle strongly recommends that customers apply these Critical Patch Update security patches as soon as possible, especially for vulnerabilities that can be exploited remotely without authentication.
The next Critical Patch Updates are scheduled for January 20, 2026, April 21, 2026, July 21, 2026, and October 20, 2026, following Oracle's quarterly release schedule.