
July 2025 Oracle Critical Patch Update Analysis – URGENT ACTION REQUIRED

The Oracle Critical Patch Update (CPU) for July 2025 fixes a total of 309 vulnerabilities, bringing the number of patches released so far in 2025 to 1,005, roughly 17% fewer than had been released at the same point in 2024.

A significant portion of the vulnerabilities fixed in this update can be exploited over a network without requiring user credentials, underscoring the importance of promptly applying security patches.

  • Patches: Of the 309 total new patches, 145 are for vulnerabilities that are remotely exploitable without authentication. This accounts for approximately 47% of the new patches.
  • Product Families: Of the 23 product families that received new security patches, 19 contained at least one vulnerability that could be remotely exploited without authentication. This means approximately 83% of the patched product lines were affected by a remotely exploitable flaw.

As is customary, Oracle did not comment on how many, if any, of the CVEs are under active exploitation. 

For a full list of CVEs and products, refer to the Oracle CPU news release available here.

Products with Critical Vulnerabilities (CVSS Score 9.0+)

Several vulnerabilities with a CVSS v3.1 base score of 9.0 or higher have been addressed. These represent the most severe vulnerabilities and should be prioritized for patching.

  • CVSS 9.8 (Critical):
    • CVE-2024-52046: Affects Oracle Fusion Middleware and Oracle HealthCare Applications via a vulnerability in the third-party Apache Mina component.
    • CVE-2025-31651: Affects multiple products by way of the Apache Tomcat component, including Oracle Fusion Middleware, Oracle Retail Applications, and Oracle Supply Chain.
    • CVE-2025-24813: A vulnerability in the Apache Tomcat component affecting Oracle Hospitality Cruise Shipboard Property Management System.
  • CVSS 9.1 (Critical):
    • CVE-2025-30065: A vulnerability in the Apache Parquet Java component affecting Oracle Business Intelligence Enterprise Edition.
  • CVSS 9.0 (Critical):
    • CVE-2025-50067: Affects the Strategic Planner Starter App component of Oracle Application Express.

Select Product Family Analysis

Oracle Fusion Middleware

  • Total Patches: 36 new security patches.
  • Remote Exploitability: 22 of the vulnerabilities can be exploited remotely without authentication.
  • Highest Severity: The most critical vulnerabilities are CVE-2024-52046 and CVE-2025-31651, both with a CVSS score of 9.8.
    • CVE-2024-52046 affects Middleware Common Libraries and Tools.
    • CVE-2025-31651 impacts the Runtime Server of Oracle Managed File Transfer.
  • Numerous other vulnerabilities with a CVSS score of 8.8 (High) also affect various components, including Oracle Identity Manager, Oracle Service Bus, and Oracle WebLogic Server.
  • Oracle’s Middleware Common Libraries and Tools and the Oracle Healthcare Master Person Index (specifically the Master Index Data Manager module, which is built on Apache MINA) are exposed to CVE-2024-52046, a CVSS 9.8 deserialization flaw in the MINA framework. The issue lies in ObjectSerializationDecoder, which hands incoming bytes to Java’s native deserialization without restricting which classes may be instantiated. A deployment is affected only if IoBuffer#getObject() is invoked, which is what happens when a ProtocolCodecFilter built on ObjectSerializationCodecFactory is placed in the filter chain; in that case an attacker who can reach the endpoint can send a crafted serialized payload and achieve remote code execution (RCE).
  • Upgrading MINA alone is not enough to close this hole. Developers must also explicitly allow-list the classes the decoder may accept, on the ObjectSerializationDecoder instance, using one of the three new accept(…) methods: accept(ClassNameMatcher), accept(Pattern) or accept(String…). Waratek customers are protected by default: the platform’s built-in “deserial/marshal” rule blocks unsafe Java deserialization without any extra configuration, so malicious serialized payloads aimed at ObjectSerializationDecoder or similar vectors are stopped as soon as the product is deployed, with no custom rules or code changes.
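An added example (written for this article; it is not code from Oracle, Apache MINA or Waratek) of the before/after configuration the MINA advisory calls for: the unsafe filter built from ObjectSerializationCodecFactory next to a decoder that, on MINA 2.0.27, 2.1.10 or 2.2.4 and later, only accepts an explicit list of class names. The package name com.example.protocol, the listening port and the object size cap are assumptions for the demonstration.

```java
import java.net.InetSocketAddress;
import java.util.regex.Pattern;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationCodecFactory;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public class MinaDeserializationHardening {

    /** BEFORE: the pattern CVE-2024-52046 describes. On unpatched MINA the decoder
     *  behind this factory calls IoBuffer#getObject() and will instantiate any
     *  class on the classpath that a client names in its payload. */
    static ProtocolCodecFilter unsafeCodec() {
        return new ProtocolCodecFilter(new ObjectSerializationCodecFactory());
    }

    /** AFTER: MINA >= 2.0.27 / 2.1.10 / 2.2.4 with an explicit allow-list.
     *  Without at least one accept(...) call the patched decoder is not configured
     *  for the application's own types, so the upgrade alone is not a fix. */
    static ProtocolCodecFilter hardenedCodec() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // Wildcard form: the application's own message classes (package name assumed).
        decoder.accept("com.example.protocol.*");
        // Regex form: the few JDK collection types those messages contain as fields.
        decoder.accept(Pattern.compile("^java\\.util\\.(ArrayList|HashMap)$"));
        // Defence in depth: a serialized message larger than this is rejected outright.
        decoder.setMaxObjectSize(64 * 1024);
        return new ProtocolCodecFilter(new ObjectSerializationEncoder(), decoder);
    }

    public static void main(String[] args) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec", hardenedCodec());
        acceptor.setHandler(new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only instances of allow-listed classes reach the handler.
                System.out.println("decoded " + message.getClass().getName());
            }
        });
        acceptor.bind(new InetSocketAddress("127.0.0.1", 9123)); // port assumed
        System.out.println("listening on 127.0.0.1:9123");
    }
}
```

With the allow-list in place, a payload that names a class outside it is rejected while the class name is being resolved, before any constructor or readObject method runs, so the handler never sees it. Swapping hardenedCodec() for unsafeCodec() reproduces the configuration the advisory warns about.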

Oracle PeopleSoft

  • Total Patches: 7 new security patches.
  • Remote Exploitability: 3 of the vulnerabilities can be exploited remotely without authentication.
  • Highest Severity: The highest-scoring vulnerability is CVE-2025-50062, with a CVSS score of 8.1, impacting PeopleSoft Enterprise HCM Global Payroll Core. The next most severe, CVE-2025-24970 (CVSS 7.5), affects the OpenSearch component in PeopleTools and is remotely exploitable without authentication.

Oracle E-Business Suite (EBS)

  • Total Patches: 9 new security patches.
  • Remote Exploitability: 3 of the vulnerabilities can be exploited remotely without authentication.
  • Highest Severity: Three vulnerabilities share the highest CVSS score of 8.1:
    • CVE-2025-30743 in Oracle Lease and Finance Management.
    • CVE-2025-30744 in Oracle Mobile Field Service.
    • CVE-2025-50105 in Oracle Universal Work Queue.
  • Important Note: Oracle recommends that customers apply the latest CPU to the underlying Oracle Database and Oracle Fusion Middleware components, as vulnerabilities in those products may impact EBS environments.

Oracle Java SE

  • Total Patches: 11 new security patches.
  • Remote Exploitability: 10 of the vulnerabilities can be exploited remotely without authentication. As Oracle notes for Java SE in every CPU, these typically apply to client deployments (sandboxed Java Web Start applications or applets) that load and run untrusted code from the internet, but they can also be reached through APIs in the affected component, for example a web service that passes attacker-supplied data to them.
  • Highest Severity: The highest-scoring vulnerability is CVE-2025-50059 with a CVSS score of 8.6, affecting the Networking component. Two other vulnerabilities, CVE-2025-30749 and CVE-2025-50106, both have a CVSS score of 8.1 and affect the 2D component.
  • CVE-2025-50059 is a flaw in the HTTP client that risks leaking sensitive request headers (cookies, tokens or credentials) to an unintended domain when the client follows a cross-domain redirect. It can be triggered remotely without authentication, which makes it an obvious target for attackers.
  • The CPU also addresses CVE-2025-30754 in the TLS 1.3 handshake: Java’s JSSE client may accept a session without verifying the EncryptedExtensions message. A man-in-the-middle attacker can use this loss of protocol integrity to intercept or manipulate a connection the application believes is secure, threatening both the confidentiality of and trust in the channel.
  • CVE-2025-30761 is a sandbox escape in the Nashorn JavaScript engine shipped with Oracle Java SE 8 and 11 (Nashorn was removed from the JDK in 15) and with GraalVM; the affected builds are 8u451, 11.0.27 and GraalVM 21.3.14. Nashorn was meant to run JavaScript in a restricted environment, with the --no-java option and ClassFilter intended to deny scripts access to Java APIs. A researcher has demonstrated a bypass of those restrictions that lets a script reach arbitrary Java objects and run unchecked code even when the sandbox is explicitly enforced. Any environment that relies on Nashorn to execute untrusted JavaScript, such as Web Start applications, client-side scripting hosts or hybrid plugins, can therefore be fully compromised: an attacker who can get a script into it can execute code with the privileges of the host JVM, putting the JVM’s integrity, data confidentiality and application availability directly at risk.
  • CVE-2025-50106 patches a pointer-calculation bug in the Java 2D font-handling code (CGGlyphImages_GetGlyphImagePtrs, the macOS native glyph path) that can cause out-of-bounds memory access, leading to crashes or potentially arbitrary code execution when malicious font or glyph data is supplied. It corrects an earlier, incomplete fix for the related CVE-2025-30749. Together, these 2D vulnerabilities pose a serious risk to any application that renders untrusted font or graphic input.
  • Non-Waratek customers must upgrade immediately to Java 8u461, 11.0.28, 17.0.16, 21.0.8 or 24.0.2. Also audit all TLS and HTTP client usage, reassess any deployment that relies on Nashorn under --no-java or a ClassFilter to contain untrusted scripts, and review every code path that feeds untrusted font or image data to Java 2D.
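As an added check for the cross-domain redirect behaviour described above (example code written for this article, not Oracle’s or Waratek’s), the probe below stands up two local listeners under different host names, 127.0.0.1 and localhost, has the first answer with a 302 to the second, sends a request carrying constructed Authorization, Cookie and Proxy-Authorization values through HttpURLConnection with redirects enabled, and reports which of those headers the JDK forwarded to the second host. Run it with the exact JDK build you deploy, before and after patching; any credential-bearing header arriving at the second host is the kind of cross-host leak to flag. The header values, paths and host pairing are assumptions for the demonstration; it uses only the JDK (com.sun.net.httpserver and java.net), so it runs on Java 8 as well as on 11 through 24.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;

public class RedirectHeaderProbe {

    // Request headers that must not follow a redirect to a different host.
    static final List<String> SENSITIVE =
            Arrays.asList("Authorization", "Cookie", "Proxy-Authorization");

    /** Returns the names of SENSITIVE headers that the client forwarded to the second host. */
    static List<String> probe() throws Exception {
        final AtomicReference<List<String>> forwarded =
                new AtomicReference<List<String>>(new ArrayList<String>());

        // Host B ("localhost"): the unintended domain. Records which sensitive headers arrive.
        HttpServer hostB = HttpServer.create(new InetSocketAddress("localhost", 0), 0);
        hostB.createContext("/landing", ex -> {
            List<String> seen = new ArrayList<String>();
            for (String h : SENSITIVE) {
                if (ex.getRequestHeaders().containsKey(h)) { // Headers keys are case-insensitive
                    seen.add(h);
                }
            }
            forwarded.set(seen);
            ex.sendResponseHeaders(204, -1); // no body
            ex.close();
        });
        hostB.start();
        final String landing = "http://localhost:" + hostB.getAddress().getPort() + "/landing";

        // Host A ("127.0.0.1"): the origin the caller trusts. Answers with a cross-host 302.
        HttpServer hostA = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        hostA.createContext("/start", ex -> {
            ex.getResponseHeaders().set("Location", landing);
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        hostA.start();

        try {
            URL start = new URL("http://127.0.0.1:" + hostA.getAddress().getPort() + "/start");
            HttpURLConnection conn = (HttpURLConnection) start.openConnection();
            conn.setInstanceFollowRedirects(true);
            // Constructed values: none of these are real credentials.
            conn.setRequestProperty("Authorization", "Bearer probe-token");
            conn.setRequestProperty("Cookie", "session=probe");
            conn.setRequestProperty("Proxy-Authorization", "Basic cHJvYmU6cHJvYmU="); // "probe:probe"
            int status = conn.getResponseCode(); // sends the request and follows the redirect
            System.out.println("java.version=" + System.getProperty("java.version")
                    + " final status=" + status + " final url=" + conn.getURL());
            conn.disconnect();
            return forwarded.get();
        } finally {
            hostA.stop(0);
            hostB.stop(0);
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> leaked = probe();
        if (leaked.isEmpty()) {
            System.out.println("OK: no credential-bearing headers followed the cross-host redirect");
        } else {
            System.out.println("LEAK: " + leaked + " were forwarded to the redirect target host");
        }
    }
}
```

The same two-listener arrangement can be pointed at any other HTTP client in the application (java.net.http.HttpClient on 11+, or a third-party library) by replacing the HttpURLConnection section; the headers recorded by hostB are what matter, not the final status code.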

Urgent Action Required 

While the July 2025 Oracle Critical Patch Update Advisory shows an 18% decrease in the number of vulnerabilities compared to the April 2025 update, the advisory addresses critical vulnerabilities requiring urgent patching.

Waratek Secure customers are protected by default against all instances of remote command execution, reducing the severity of each flaw to low. Further, critical CVE-2024-52046 is covered by Secure’s deserialization rule by default.

For More Information

Waratek Customers should contact [email protected] for more specific information about how the July 2025 Oracle Critical Patch Update may impact your applications.  

If you are interested in how Waratek can help patch and protect your applications with no downtime or source code changes, please contact [email protected].
