Oracle has released 309 new security patches as part of its July 2025 Critical Patch Update (CPU), including 127 fixes for vulnerabilities that are remotely exploitable without authentication.
SecurityWeek has identified roughly 200 unique CVEs in Oracle’s July 2025 CPU and counted nine patches that address critical-severity flaws.
The same as in April, Oracle Communications received the largest number of security fixes. This month, Oracle released 84 patches for it, including 50 that resolve defects exploitable remotely without authentication. While none of these issues has a critical severity rating, 51 are high severity.
Oracle has been busy addressing a hefty number of bugs in MySQL (40 security patches, including 3 for remotely exploitable, unauthenticated flaws), Fusion Middleware (36 – 22), and Communications Applications (29 – 1) too.
Financial Services Applications received 18 security patches (13 for remotely exploitable, unauthenticated vulnerabilities), Java SE received 11 (10), Retail Applications 11 (8), E-Business Suite 9 (3) and Supply Chain 8 (all exploitable remotely, without authentication).
Oracle released a smaller number of patches for PeopleSoft (7 – 3 for bugs exploitable by remote, unauthenticated attackers), Virtualization (7 – 0), Siebel CRM (6 – 5), Utilities Applications (6 – 5), Database Server (6 – 0), GoldenGate (5 – 2), Analytics (5 – 2), Hyperion (4 – 1), HealthCare Applications (3 – 2), Insurance Applications (3 – 2), Construction and Engineering (2 – 0), and JD Edwards (2 – 0).
Application Express, Blockchain Platform, NoSQL Database, REST Data Services, Commerce, Enterprise Manager, and Hospitality Applications received one patch each.
Oracle’s advisory notes that, while multiple products did not receive security patches, they did receive fixes for non-exploitable third-party CVEs. For other products, the security updates address additional flaws and non-exploitable CVEs.
Customers should apply the patches as soon as possible, as threat actors are known to have exploited Oracle vulnerabilities for which fixes have been released but not applied.
On Tuesday, Oracle announced the release of 20 new security patches as part of its July 2025 Solaris Third Party Bulletin, including 12 for flaws that are remotely exploitable without authentication.
Related: Oracle Patches 180 Vulnerabilities With April 2025 CPU
Related: CISA Issues Guidance After Oracle Cloud Hack
Related: CISA Warns of Attacks Exploiting Oracle Agile PLM Vulnerability
Related: Oracle Patches 200 Vulnerabilities With January 2025 CPU
