On April 15, Oracle announced the release of 378 new security patches as part of its second Critical Patch Update (CPU) of 2025, including 255 fixes for vulnerabilities that are remotely exploitable without authentication.
SecurityWeek has identified roughly 180 unique CVEs in Oracle’s April 2025 CPU and counted approximately 40 security patches that resolve critical-severity flaws.
Oracle Communications received the largest number of security fixes, at 103, including 82 patches for bugs that can be exploited by remote, unauthenticated attackers.
This is the fifth CPU in a row in which this application suite has received the largest number of fixes. Over the past year, Oracle rolled out over 470 security patches for Communications.
Next in line is MySQL, which received 43 new security patches (2 for unauthenticated, remotely exploitable flaws), followed by Communications Applications (42 patches – 35 for flaws exploitable remotely without authentication), Financial Services Applications (34 – 22), and Fusion Middleware (31 – 26).
The tech giant also rolled out dozens of security fixes for E-Business Suite (16 new patches – 11 for defects exploitable remotely without authentication), Analytics (15 – 11), Retail Applications (11 – 11), JD Edwards (8 – 5), Construction and Engineering (7 – 6), Database Server (7 – 3), Commerce (6 – 5), and Java SE (6 – 5).
A few patches were released for Enterprise Manager, Support Tools, GoldenGate, Siebel CRM, PeopleSoft, Policy Automation, Food and Beverage Applications, Hospitality Applications, Hyperion, Supply Chain, Virtualization, TimesTen In-Memory Database, Utilities Applications, and Systems.
Autonomous Health Framework, Graph Server and Client, Insurance Applications, Essbase, and Secure Backup received one patch each.
For multiple products, Oracle did not release new security patches, but announced fixes for non-exploitable third-party CVEs. For other products, the fixes address additional CVEs and non-exploitable CVEs.
Oracle customers are advised to apply the patches as soon as possible, as threat actors have been observed exploiting Oracle vulnerabilities for which fixes have been released but not applied.
On Tuesday, the tech giant also published the April 2025 Solaris Third Party Bulletin, which contains 16 new security patches (14 for remotely exploitable, unauthenticated flaws), and the April 2025 Linux Bulletin, which lists 48 fixes for Oracle Linux bugs resolved and announced in the last month. The Linux Bulletin will be updated for two months to include new CVEs.