
Oracle Critical Security Update – 309 Vulnerabilities with 145 Remotely Exploitable Patched

Oracle released its July 2025 Critical Patch Update on July 15, addressing 309 security vulnerabilities across its extensive product portfolio. 

This quarterly security update represents one of the most comprehensive patches in recent history, targeting critical flaws in database systems, middleware, cloud applications, and enterprise software that could potentially expose organizations to severe cyberattacks.

The update affects 34 major product families, with Oracle Communications products receiving the highest number of patches at 112 vulnerabilities, followed by MySQL with 40 patches and Oracle Fusion Middleware components. 

Key Takeaways
1. Oracle patched 309 vulnerabilities across 34 products, with 145 remotely exploitable without authentication.
2. Oracle Database and APEX face severe vulnerabilities CVE-2025-30751 (CVSS 8.8) and CVE-2025-50067 (CVSS 9.0), enabling system compromise.
3. Java SE, WebLogic Server, and MySQL received multiple high-severity patches affecting enterprise operations.
4. Apply patches immediately: some vulnerabilities are already being exploited, and 131 high-severity flaws need priority attention.

Among the most concerning discoveries are 145 remotely exploitable vulnerabilities that require no authentication, meaning attackers could potentially compromise systems without valid credentials.

Breakdown of Vulnerabilities by Products

| Product Family | Number of Vulnerabilities Patched |
| --- | --- |
| Oracle Communications Products | 112 |
| MySQL Database | 40 |
| Oracle Fusion Middleware | 31 |
| Oracle Database Server | 25 |
| Oracle Java SE | 11 |
| Oracle Application Express (APEX) | 5 |
| Other Product Families (cumulative) | 85 |

Critical Flaws in Database, APEX, and Java

Oracle’s flagship database products face significant security challenges with this update. The most critical database vulnerability, CVE-2025-30751, carries a CVSS score of 8.8 and affects Oracle Database Server versions 19.3-19.27 and 23.4-23.8. 

This network-based attack requires only low privileges and no user interaction, and successful exploitation has a high impact on the confidentiality, integrity, and availability of database systems.

Oracle Application Express (APEX) users face an even more severe threat with CVE-2025-50067, scoring 9.0 on the CVSS scale. 

This vulnerability affects the Strategic Planner Starter App component and could allow attackers to achieve complete system compromise through network-based attacks with minimal user interaction.

The Java ecosystem also receives substantial attention with 11 new security patches for Oracle Java SE. 

Critical vulnerabilities like CVE-2025-50059 (CVSS 8.6) and CVE-2025-30749 (CVSS 8.1) affect networking and 2D components across multiple Java versions, including Oracle GraalVM implementations. 

These flaws could enable remote code execution in Java applications, particularly those running sandboxed applets or Web Start applications.

Enterprise Applications and Cloud Services Targeted

Oracle’s enterprise middleware stack faces significant security challenges, with WebLogic Server receiving 8 vulnerability patches, including the severe CVE-2025-30762 affecting T3 and IIOP protocols. 

Fusion Middleware components contain multiple Apache Commons BeanUtils vulnerabilities (CVE-2025-48734) scoring 8.8, which could lead to remote code execution in enterprise applications.

The MySQL database ecosystem requires immediate attention with 40 security patches addressing various components from server core functionality to clustering mechanisms. 

Notable vulnerabilities include CVE-2025-50076 and CVE-2025-50078 affecting DML operations, and optimizer-related flaws that could cause denial-of-service conditions.

Oracle strongly emphasizes that customers should apply these patches immediately, particularly for systems handling sensitive data or operating in internet-facing environments. 

The company notes that some vulnerabilities are already being exploited in the wild, with successful attacks reported against organizations that failed to apply previous security updates.

The next Critical Patch Update is scheduled for October 21, 2025, followed by quarterly releases in January, April, and July 2026. 

Organizations should establish systematic patch management processes to address these recurring security challenges, as Oracle continues to discover and remediate vulnerabilities across its vast product ecosystem.

System administrators should prioritize patching based on CVSS scores, with 131 high-severity vulnerabilities (7.0+) requiring immediate attention, particularly those affecting database servers, application servers, and internet-facing components that could serve as entry points for sophisticated cyberattacks.
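The prioritization described above can be sketched as a small triage script. This is an added example, not Oracle's or the article's tooling: it uses only the CVE IDs, CVSS scores and Database Server version ranges quoted in this article, while the product labels and the host inventory are constructed placeholders. Where the article gives no affected versions, the script assumes the host is in scope and leaves confirmation to a manual check.

```python
# Added example: rank a constructed asset inventory against CVE data quoted in the article.
# Product labels ("database", "apex", ...) and all hosts are hypothetical.
ADVISORIES = [
    # (CVE, product label, CVSS, affected version ranges or None if the article gives none)
    ("CVE-2025-50067", "apex", 9.0, None),
    ("CVE-2025-30751", "database", 8.8, [("19.3", "19.27"), ("23.4", "23.8")]),
    ("CVE-2025-48734", "fusion-middleware", 8.8, None),
    ("CVE-2025-50059", "java-se", 8.6, None),
    ("CVE-2025-30749", "java-se", 8.1, None),
]
HIGH_SEVERITY = 7.0  # the article's high-severity threshold

def release(version):
    """Compare on major.minor as integers: as strings, "19.10" sorts before "19.3"."""
    return tuple(int(part) for part in version.split(".")[:2])

def in_scope(ranges, version):
    if ranges is None:
        return True  # assumption: no range on the page, so flag for manual review
    return any(release(lo) <= release(version) <= release(hi) for lo, hi in ranges)

def triage(inventory):
    """Return (host, cve, cvss, internet_facing), internet-facing first, then by score."""
    hits = []
    for host in inventory:
        for cve, product, cvss, ranges in ADVISORIES:
            if (product == host["product"] and cvss >= HIGH_SEVERITY
                    and in_scope(ranges, host["version"])):
                hits.append((host["name"], cve, cvss, host["internet_facing"]))
    return sorted(hits, key=lambda h: (not h[3], -h[2], h[0], h[1]))

# Constructed inventory for illustration only.
INVENTORY = [
    {"name": "db-prod-01", "product": "database", "version": "19.10.0.0.0", "internet_facing": False},
    {"name": "db-dev-02", "product": "database", "version": "19.28.0.0.0", "internet_facing": False},
    {"name": "db-edge-03", "product": "database", "version": "23.6", "internet_facing": True},
    {"name": "apex-portal", "product": "apex", "version": "24.1", "internet_facing": True},
    {"name": "jvm-batch", "product": "java-se", "version": "21.0.7", "internet_facing": False},
]

if __name__ == "__main__":
    for name, cve, cvss, facing in triage(INVENTORY):
        print(f"{name:12} {cve} CVSS {cvss} {'internet-facing' if facing else 'internal'}")
```

The host on 19.28 drops out because it falls outside the quoted 19.3-19.27 range, while 19.10 stays in, which a plain string comparison of version numbers would get wrong.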


The post Oracle Critical Security Update – 309 Vulnerabilities with 145 Remotely Exploitable Patched appeared first on Cyber Security News.

rssfeeds-admin
