Oracle Releases October 2025 Patches

The Critical Patch Update contains 374 new security patches that resolve many vulnerabilities.

Oracle on Tuesday released 374 new security patches as part of its October 2025 Critical Patch Update (CPU), including over 230 fixes for vulnerabilities that are remotely exploitable without authentication.

There appear to be roughly 260 unique CVEs in Oracle’s October 2025 CPU advisory, including a dozen critical-severity flaws. 

The October CPU was rolled out roughly a week after Oracle released patches for an E-Business Suite defect allowing access to sensitive data, and two weeks after the company warned of a zero-day in the product that was exploited by an extortion group.

This month, Oracle Communications received the largest number of security patches, at 73, including 47 for vulnerabilities that can be exploited by remote, unauthenticated attackers.

Oracle rolled out 64 new security patches for Communications Applications, including 46 for remotely exploitable flaws, and 33 new security patches for Financial Services Applications, 29 of which address remotely exploitable, unauthenticated bugs.

The company also announced a large number of new security patches for Fusion Middleware (20 new – 17 for issues that are remotely exploitable without authentication), Retail Applications (18 – 14), MySQL (18 – 7), PeopleSoft (18 – 7), and Systems (16 – 3).

Several products received over half a dozen new security patches each, including E-Business Suite (9 new – 6 remotely exploitable), Commerce (9 – 2), Virtualization (9 – 0), Siebel CRM (8 – 8), JD Edwards (8 – 6), Analytics (8 – 5), Insurance Applications (8 – 5), Construction and Engineering (7 – 7), and Hyperion (7 – 4).

Other Oracle products that received patches this month include Database Server (6 – 2), GoldenGate (6 – 2), Java SE (5 – 5), Hospitality Applications (5 – 3), Essbase (4 – 2), HealthCare Applications (3 – 3), Utilities Applications (3 – 2), Enterprise Manager (3 – 2), Health Sciences Applications (3 – 1), Supply Chain (1 – 1), Graph Server and Client (1 – 0), and REST Data Services (1 – 0).

Additional flaws and non-exploitable bugs were resolved in many of these products. For several other products, Oracle did not release new security patches, but patched non-exploitable third-party CVEs in them.

On Tuesday, Oracle also announced five new security patches for the Solaris Operating System, including three for vulnerabilities that are remotely exploitable without authentication.

*The number of unique CVEs has been updated.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
