Oracle April 2025 Critical Patch Update Addresses 171 CVEs
Oracle addresses 171 CVEs in its second quarterly update of 2025 with 378 patches, including 40 critical updates.
Background
On April 15, Oracle released its Critical Patch Update (CPU) for April 2025, the second quarterly update of the year. This CPU contains fixes for 171 unique CVEs in 378 security updates across 32 Oracle product families. Out of the 378 security updates published this quarter, 10.6% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 54.5%, followed by high severity patches at 32.3%.
This quarter’s update includes 40 critical patches across 15 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 40 | 15 |
| High | 122 | 52 |
| Medium | 206 | 98 |
| Low | 10 | 6 |
| Total | 378 | 171 |
Analysis
This quarter, the Oracle SQL Developer product family contained the highest number of patches at 103, accounting for 27.3% of the total patches, followed by Oracle Hyperion at 43 patches, which accounted for 11.4% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle SQL Developer | 103 | 82 |
| Oracle Hyperion | 43 | 2 |
| Oracle Secure Backup | 42 | 35 |
| Oracle Communications | 34 | 22 |
| Oracle E-Business Suite | 31 | 26 |
| Oracle Commerce | 16 | 11 |
| Oracle Enterprise Manager | 15 | 11 |
| Oracle JD Edwards | 11 | 11 |
| Oracle Hospitality Applications | 8 | 5 |
| Oracle Database Server | 7 | 3 |
| Oracle TimesTen In-Memory Database | 7 | 6 |
| Oracle REST Data Services | 6 | 5 |
| Oracle Analytics | 6 | 5 |
| Oracle Essbase | 4 | 2 |
| Oracle Communications Applications | 4 | 4 |
| Oracle Insurance Applications | 4 | 1 |
| Oracle MySQL | 4 | 2 |
| Oracle Policy Automation | 4 | 4 |
| Oracle Construction and Engineering | 3 | 2 |
| Oracle Financial Services Applications | 3 | 2 |
| Oracle Food and Beverage Applications | 3 | 2 |
| Oracle Java SE | 3 | 3 |
| Oracle PeopleSoft | 3 | 2 |
| Oracle Supply Chain | 3 | 0 |
| Oracle NoSQL Database | 2 | 2 |
| Oracle Retail Applications | 2 | 0 |
| Oracle Siebel CRM | 2 | 2 |
| Oracle Application Express | 1 | 1 |
| Oracle Autonomous Health Framework | 1 | 0 |
| Oracle GoldenGate | 1 | 1 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle Fusion Middleware | 1 | 1 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2025 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - April 2025
- Oracle April 2025 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Satnam Narang
Senior Staff Research Engineer, Security Response
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).
Related articles
CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability
Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices....
Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal
Concerns about the future of the MITRE CVE Program continue to circulate. The Tenable Security Response Team has created this FAQ to help provide clarity and context around this developing situation....
MITRE CVE Program Funding Extended For One Year
MITRE’s CVE program has been an important pillar in cybersecurity for over two decades. While CISA secured funding on April 16 to extend the program for the next year, the lack of clarity surrounding its long-term future creates great uncertainty about how newly discovered vulnerabilities will be ca...
- Exposure Management
- Vulnerability Management
- Exposure Management
- Vulnerability Management