Oracle July 2025 Critical Patch Update Addresses 165 CVEs
Oracle addresses 165 CVEs in its third quarterly update of 2025 with 309 patches, including nine critical updates.
Background
On July 15, Oracle released its Critical Patch Update (CPU) for July 2025, the third quarterly update of the year. This CPU contains fixes for 165 unique CVEs in 309 security updates across 28 Oracle product families. Out of the 309 security updates published this quarter, 2.9% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 46.6%, followed by medium severity patches at 43.7%.
This quarter’s update includes nine critical patches across five CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 9 | 5 |
| High | 144 | 59 |
| Medium | 135 | 91 |
| Low | 21 | 10 |
| Total | 309 | 165 |
Analysis
This quarter, the Oracle REST Data Services product family contained the highest number of patches at 84, accounting for 27.2% of the total patches, followed by Oracle Hospitality Applications at 40 patches, which accounted for 12.9% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle REST Data Services | 84 | 50 |
| Oracle Hospitality Applications | 40 | 3 |
| Oracle Communications | 36 | 22 |
| Oracle NoSQL Database | 29 | 1 |
| Oracle Communications Applications | 18 | 13 |
| Oracle Analytics | 11 | 10 |
| Oracle Insurance Applications | 11 | 8 |
| Oracle TimesTen In-Memory Database | 9 | 3 |
| Oracle JD Edwards | 8 | 8 |
| Oracle Hyperion | 7 | 3 |
| Oracle PeopleSoft | 7 | 0 |
| Oracle Database Server | 6 | 0 |
| Oracle Java SE | 6 | 5 |
| Oracle MySQL | 6 | 5 |
| Oracle Blockchain Platform | 5 | 2 |
| Oracle Construction and Engineering | 5 | 2 |
| Oracle Financial Services Applications | 4 | 1 |
| Oracle E-Business Suite | 3 | 2 |
| Oracle Fusion Middleware | 3 | 2 |
| Oracle Spatial Studio | 2 | 0 |
| Oracle HealthCare Applications | 2 | 0 |
| Oracle Application Express | 1 | 0 |
| Oracle Autonomous Health Framework | 1 | 1 |
| Oracle Essbase | 1 | 1 |
| Oracle GoldenGate | 1 | 1 |
| Oracle Graph Server and Client | 1 | 1 |
| Oracle Commerce | 1 | 0 |
| Oracle Enterprise Manager | 1 | 1 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the July 2025 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - July 2025
- Oracle July 2025 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Research Special Operations
The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures.
Related articles
Understanding and Managing Cyber Risk: An Exposure Management FAQ for Business Leaders
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, we answer some questions we’ve gotten recently the best way to determine, understand and communicate your risks....
How Tenable Research Discovered a Critical Remote Code Execution Vulnerability on Anthropic MCP Inspector
Tenable Research recently discovered a critical vulnerability impacting Anthropic's MCP Inspector tool, a core element of the MCP ecosystem. In this blog, we provide details on how we discovered the vulnerability in this widely used open-source tool — and what users can do about it.....
AI Security: Web Flaws Resurface in Rush to Use MCP Servers
In the rush to implement AI tools and services, developers are rapidly embracing the Model Context Protocol (MCP). In the process, classic vulnerabilities are resurfacing and new ones are being introduced. In this blog, we outline key areas of concern and how Tenable Web App Scanning can help....
- Exposure Management
- Vulnerability Management
- Exposure Management
- Vulnerability Management