October 2025 Oracle Critical Patch Update Analysis – URGENT ACTION REQUIRED

The Oracle Critical Patch Update (CPU) for October 2025 fixes a total of 374 vulnerabilities, bringing the total number of patches released in 2025 to 1,379, an 11% decrease compared to 2024. 

Of the new patches, 221 are for vulnerabilities that are remotely exploitable without authentication. This accounts for 59% of the new patches.

As is customary, Oracle did not comment on how many, if any, of the CVEs are under active exploitation.

For a full list of CVEs and products, refer to the Oracle CPU news release available here.

Commentary

Java SE receives five new security fixes, all of which can be exploited remotely without requiring any prior authentication.

CVE-2025-53066 in the JAXP component allows unauthenticated remote attackers to read and extract sensitive data such as secrets and credentials from the application’s memory space. 

Also, in the latest Java SE CPU, if the secure processing feature is enabled on the XPathFactory and the app processes raw XML that contains external DTD references, the XPath evaluation will fail with an XPathExpressionException. It is a sensible hardening, but it will break any flows that rely on external XML, XSD, or XSL references. 

Action items: inventory calls to XPathFactory.newInstance() and any code paths that evaluate raw XML, run a quick dev sweep and regression tests, install the latest Java CPU, and make sure your code catches and handles XPathExpressionException so failures do not become denial of service vectors. Where possible, prefer evaluating a DOM you control rather than parsing raw XML, and avoid broad overrides to external access. This aligns with long-standing XXE guidance and with Oracle's recommendation to use the XPath processor on DOMs rather than raw XML.
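The action items above as code, an added example that is not from the original post or from Oracle: the first function parses untrusted XML into a DOM with DTD loading and external access switched off and runs the XPath on that DOM; the second shows the legacy raw-XML path with XPathExpressionException handled so a rejected document cannot take the service down. The sample document is constructed, and the raw path assumes the patched JAXP behaviour the post describes (on an unpatched JDK it may instead try to fetch the DTD).

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public final class SafeXPath {

    // Constructed sample input: an untrusted document carrying an external DTD reference.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order SYSTEM \"http://example.invalid/order.dtd\">\n"
      + "<order><id>42</id></order>";

    // Preferred path: build a DOM ourselves with external access disabled, then query it.
    // The DOCTYPE is tolerated but never fetched, so the XPath engine never sees a raw
    // external reference and the query succeeds on patched and unpatched JDKs alike.
    static String evaluateOnDom(String xml, String expr) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");      // no external DTD access
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");   // no external XSD access
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        XPathFactory xpf = XPathFactory.newInstance();
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XPath xpath = xpf.newXPath();
        return (String) xpath.evaluate(expr, doc, XPathConstants.STRING);
    }

    // Legacy path: XPath evaluated straight on the raw InputSource. With secure processing
    // enabled, the patched JAXP rejects the external DTD reference with
    // XPathExpressionException; catch it, log it, and fail the request rather than the JVM.
    static String evaluateOnRawXml(String xml, String expr) throws XPathFactoryConfigurationException {
        XPathFactory xpf = XPathFactory.newInstance();
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XPath xpath = xpf.newXPath();
        try {
            return (String) xpath.evaluate(expr, new InputSource(new StringReader(xml)), XPathConstants.STRING);
        } catch (XPathExpressionException e) {
            System.err.println("rejected XML input: " + e.getMessage());
            return null;   // caller treats null as a rejected document
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM path: " + evaluateOnDom(UNTRUSTED_XML, "/order/id"));
        System.out.println("raw path: " + evaluateOnRawXml(UNTRUSTED_XML, "/order/id"));
    }
}
```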

The Fusion Middleware update is more extensive, featuring 20 new security patches, 17 of which are remotely exploitable without authentication. This means nearly all of the new security issues in Fusion Middleware can be exploited by an external attacker over a network without needing a username or password.

The vulnerability CVE-2025-61757 in the Oracle Identity Manager (OIM) REST WebServices component represents the highest level of risk. An attacker can exploit this flaw remotely over the network without any authentication. This is likely a failure in the application’s input handling, such as a code injection or a logic flaw in how it processes incoming API requests.

The business impact is catastrophic: successful exploitation could lead to complete system control of the OIM server. Since OIM manages all user identities and access privileges, a compromise means the attacker gains the ability to create, modify, or delete any user account and grant themselves access to all integrated enterprise applications and data. This results in a total breach of confidentiality and integrity.

The issue CVE-2023-45853 affecting the Outside In Technology’s bundled zlib component is also remotely exploitable without authentication. The root cause is a memory flaw, triggered by processing malicious compressed files. By simply sending a file with specially crafted metadata, an attacker can corrupt the application’s memory, leading to remote code execution.

CVE-2025-48734, located in the JDeveloper ADF components, is a high severity issue that requires a low privileged user to initiate the attack. This flaw exploits the framework's use of the Apache Commons BeanUtils library. The vulnerability allows users to manipulate how the application processes object properties and escalate their privileges to those of an administrator or the system itself, leading to data tampering and full system compromise.

Beyond these critical flaws, there is an extensive list of patches for third party dependencies in Fusion Middleware, including Apache Commons BeanUtils, Apache ActiveMQ, and Apache Kafka. This confirms that dependency hygiene is still a major security challenge.

Select Product Analysis

Oracle E-Business Suite (EBS)

  • Total Patches: 9
  • Remote (No Auth): 6
  • Highest CVSS: 9.8 (Critical)
  • Key Vulnerabilities: Two 9.8 CVSS vulnerabilities (CVE-2025-53072, CVE-2025-62481) affect the Oracle Marketing component. These are remotely exploitable without authentication.
  • Affected Versions: 12.2.3-12.2.14

Oracle Fusion Middleware

  • Total Patches: 20
  • Remote (No Auth): 17
  • Highest CVSS: 9.8 (Critical)
  • Key Vulnerabilities: This suite has two 9.8 CVSS flaws:
    • Identity Manager (CVE-2025-61757)
    • Outside In Technology (CVE-2023-45853)
  • WebLogic Server (Specific Focus): Oracle WebLogic Server itself receives 4 new patches. Its highest CVSS is 7.5 (High) for CVE-2025-61752, which is remotely exploitable.

Oracle PeopleSoft

  • Total Patches: 18
  • Remote (No Auth): 7
  • Highest CVSS: 9.4 (Critical)
  • Key Vulnerability: The 9.4 CVSS flaw (CVE-2025-4517) is in a Python component within PeopleTools and is remotely exploitable without authentication.
  • Affected Versions: PeopleTools 8.60, 8.61, 8.62

Oracle Database Server

  • Total Patches: 6
  • Remote (No Auth): 2
  • Highest CVSS: 7.3 (High)
  • Key Vulnerability: The most significant unauthenticated flaw is CVE-2025-61881 in the Java VM component, with a CVSS of 5.9.
  • Affected Versions: 19.3-19.28, 21.3-21.19, 23.4-23.9

Oracle Java SE

  • Total Patches: 5
  • Remote (No Auth): 5 (All patches)
  • Highest CVSS: 7.5 (High)
  • Key Vulnerabilities: All 5 vulnerabilities are remotely exploitable without authentication. Two carry a 7.5 CVSS score:
    • CVE-2025-31257: Affects JavaFX (client-side applications).
    • CVE-2025-53066: Affects JAXP (server-side and client-side XML processing).
  • Affected Versions: 8u461, 11.0.28, 17.0.16, 21.0.8, 25, and Oracle GraalVM.

For More Information

Waratek customers should contact [email protected] for more specific information about how the July 2025 Oracle Critical Patch Update may impact your applications.

If you are interested in how Waratek can help patch and protect your applications with no downtime or source code changes, please contact [email protected].
