Oracle October 2025 Critical Patch Update Addresses 170 CVEs
Oracle addresses 170 CVEs in its final quarterly update of 2025 with 374 patches, including 40 critical updates.
Background
On October 21, Oracle released its Critical Patch Update (CPU) for October 2025, the fourth and final quarterly update of the year. This CPU contains fixes for 170 unique CVEs in 374 security updates across 29 Oracle product families. Out of the 374 security updates published this quarter, 10.7% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 46.3%, followed by high severity patches at 39.0%.
This quarter’s update includes 40 critical patches across 12 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 40 | 12 |
| High | 146 | 57 |
| Medium | 173 | 91 |
| Low | 15 | 10 |
| Total | 374 | 170 |
Analysis
This quarter, the Oracle TimesTen In-Memory Database product family contained the highest number of patches at 73, accounting for 19.5% of the total patches, followed by Oracle Spatial Studio at 64 patches, which accounted for 17.1% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle TimesTen In-Memory Database | 73 | 47 |
| Oracle Spatial Studio | 64 | 46 |
| Oracle Construction and Engineering | 33 | 29 |
| Oracle E-Business Suite | 20 | 17 |
| Oracle Insurance Applications | 18 | 7 |
| Oracle Java SE | 18 | 7 |
| Oracle JD Edwards | 18 | 14 |
| Oracle Retail Applications | 16 | 3 |
| Oracle Secure Backup | 9 | 2 |
| Oracle Communications Applications | 9 | 6 |
| Oracle Supply Chain | 9 | 0 |
| Oracle Enterprise Manager | 8 | 5 |
| Oracle HealthCare Applications | 8 | 5 |
| Oracle Hyperion | 8 | 6 |
| Oracle MySQL | 8 | 8 |
| Oracle Commerce | 7 | 7 |
| Oracle Health Sciences Applications | 7 | 4 |
| Oracle Database Server | 6 | 2 |
| Oracle GoldenGate | 6 | 2 |
| Oracle Analytics | 5 | 3 |
| Oracle Hospitality Applications | 5 | 5 |
| Oracle Essbase | 4 | 2 |
| Oracle Communications | 3 | 2 |
| Oracle Financial Services Applications | 3 | 1 |
| Oracle Fusion Middleware | 3 | 3 |
| Oracle Siebel CRM | 3 | 2 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle REST Data Services | 1 | 0 |
| Oracle PeopleSoft | 1 | 1 |
Oracle E-Business Zero-Day Vulnerabilities
As part of its CPU release for October, Oracle noted the publication of two separate out-of-band Security Alerts for its E-Business Suite (EBS) to address two zero-day vulnerabilities, CVE-2025-61882 on October 4, and CVE-2025-61884 on October 11, that were exploited in the wild. For more information about these EBS zero-day vulnerabilities, please refer to our FAQ blog post, CVE-2025-61882: Frequently Asked Questions About Oracle E-Business Suite (EBS) Zero-Day and Associated Vulnerabilities.
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the October 2025 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - October 2025
- Oracle October 2025 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Research Special Operations
The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures.
Related articles
F5 BIG-IP Breach: 44 CVEs That Need Your Attention Now
Partnering with an EDR vendor after a nation-state has already stolen your source code isn’t innovation — it’s a gamble. You don’t build a fire extinguisher while the house is burning. You find every spark before it becomes the next inferno.Key takeaways:F5’s BIG-IP is used to secure everything…
Frequently Asked Questions About The August 2025 F5 Security Incident
Frequently asked questions about the August 2025 security incident at F5 and the release of multiple BIG-IP product patches.
The Human Cost of Cyber Risk: How Exposure Management Can Ease Security Burnout
The true cost of cyber risk is a human one. Siloed tools and disjointed operations aren’t just endangering your business, they’re also taking a real toll on your teams. It’s long past time to take the friction out of cybersecurity with a unified, proactive approach.
- Exposure Management
- Vulnerability Management
Contact our sales team