Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Oracle Critical Patch Update October 2025: 374 vulnerabilities fixed

22 October 2025 09:13

Oracle has released its new quarterly security update, the October 2025 Critical Patch Update, which addresses 374 vulnerabilities identified across numerous Oracle products. This is one of the largest patch rounds in recent years, with fixes spanning databases, middleware, enterprise applications, and communications systems.

As always, Oracle recommends that customers apply patches without delay, as many of the fixed vulnerabilities can be exploited remotely, even without authentication. This makes the update particularly urgent for all organizations using Oracle infrastructure in critical environments.

An update that affects much of the Oracle ecosystem

The October bulletin covers a long list of products, including:

  • Oracle Database versions 19, 21, and 23
  • Oracle WebLogic Server and Fusion Middleware
  • Oracle Enterprise Manager
  • MySQL Server, Cluster, Workbench, Shell and Enterprise Backup
  • Oracle E-Business Suite
  • Oracle Communications Applications (46 security fixes in this round alone)
  • Oracle GoldenGate, Essbase, Graph Server and Client, REST Data Services, and many other components

In several cases, the fixed vulnerabilities are considered critical, as they allow an attacker to remotely execute code without valid credentials. This type of flaw represents one of the most dangerous threats to network-exposed infrastructure.

Risk and severity assessment

Vulnerabilities were assessed according to CVSS version 3.1, which scores how easily a flaw can be exploited (attack vector, complexity, privileges and user interaction required) together with its impact on system confidentiality, integrity, and availability. In some cases the score reaches the top of the scale, indicating that an unpatched service could be completely compromised.

Oracle emphasizes that some vulnerabilities can also affect “client-only” installations, such as modules that connect to vulnerable servers. This means that even workstations that don’t host a database or core service could be exposed.

Among the most severe are four vulnerabilities in the Oracle Marketing component of Oracle E-Business Suite: CVE-2025-62481, CVE-2025-10916, CVE-2025-53072 and CVE-2025-53037, each rated CVSS 9.8.

Oracle’s recommendations

The company encourages all customers to immediately install patches on all still-supported versions, including those in Extended Support. Those using versions no longer covered by security updates are encouraged to plan a migration to supported releases as soon as possible.

While waiting for the patches to be fully applied, Oracle suggests some temporary mitigation measures, such as restricting network access to the affected ports, reducing user privileges, and disabling non-essential modules. However, the company emphasizes that these countermeasures are not a substitute for updating and only partially reduce the risk.


Massimiliano Brolli
Responsible for the RED Team of a large Telecommunications company and 4G/5G cyber security labs. He has held managerial positions ranging from ICT Risk Management to software engineering to teaching in university master's programs.
Areas of Expertise: Bug Hunting, Red Team, Cyber Intelligence & Threat Analysis, Disclosure, Cyber Warfare and Geopolitics, Ethical Hacking