Oracle Fixes 180 Bugs in April 2025 Patch Update


Oracle has released its April 2025 Critical Patch Update (CPU), rolling out a major security fix across its software products. The update includes 378 new patches, resolving around 180 unique vulnerabilities. Of these patches, 255 address flaws that can be exploited remotely, without needing a username or password.

The company shared the update on April 15, marking its second major security release this year. Oracle Communications received the most attention again, with 103 issues fixed. Worryingly, 82 of those could be exploited by attackers over the internet without authentication. This continues a year-long trend, as Oracle Communications has now received more than 470 patches across the last five CPUs.

Oracle also patched several other key products. MySQL received 43 new security fixes, including two that address serious remote flaws. Communications Applications followed with 42 patches, 35 of which could be exploited without login credentials. Other updated products include:

  • Financial Services Applications (34 fixes, 22 remote)
  • Fusion Middleware (31 fixes, 26 remote)
  • E-Business Suite (16 fixes, 11 remote)
  • Analytics (15 fixes, 11 remote)
  • Retail Applications (11 fixes, all remote)

Smaller patch sets were issued for JD Edwards, Construction and Engineering, Database Server, Commerce, and Java SE. Each of these received between six and eight fixes. For most of them, over half the issues were classified as remotely exploitable.

Oracle didn’t stop there. The April update also covers many other systems such as Enterprise Manager, Siebel CRM, Policy Automation, Hyperion, and Utilities Applications. Even lesser-known products like Virtualization, TimesTen, and Secure Backup received updates. In total, nearly every major Oracle platform got some form of security attention.

For some tools, Oracle didn’t introduce new security patches but issued updates tied to third-party libraries. These addressed known issues—many of which were not directly exploitable. However, Oracle included them to ensure all bases are covered.

In addition to the main CPU, Oracle released two other important security bulletins. The April 2025 Solaris Third Party Bulletin brings 16 patches, with 14 targeting flaws that allow remote attacks without a password. Meanwhile, the Oracle Linux Bulletin lists 48 new fixes for bugs discovered in the last month. Oracle plans to update that list through June as more CVEs emerge.

Security experts strongly recommend acting fast. In past attacks, cybercriminals exploited Oracle flaws just days after updates went live. Applying these patches quickly is the best way to protect sensitive data, especially for systems exposed to the web.

If you’re using Oracle products—especially those related to communications or financial services—make patching a top priority. Many of these vulnerabilities could allow attackers to take full control of your systems without logging in. The window between patch release and real-world attacks is shrinking, so don’t delay.
