Oracle has released its January 2025 Critical Patch Update (CPU), addressing 318 new security vulnerabilities across over 90 products and services within 27 categories. The update includes patches for roughly 200 unique CVEs. The vulnerabilities affect a wide range of Oracle products, including its Communications applications, Construction and Engineering appliances, middleware and servers, and the E-Business Suite. This update is critical for organizations using Oracle products, highlighting the importance of robust vulnerability management and patching procedures.
The severity of the addressed vulnerabilities varies: some carry CVSS scores of 4 to 6, while others are rated critical. The most severe, with a CVSS score of 9.9, affects the Oracle Agile Product Lifecycle Management (PLM) Framework and allows a low-privileged attacker with network access over HTTP to compromise susceptible instances. Oracle is urging customers to apply the Critical Patch Update as soon as possible, since older Oracle flaws remain unpatched on some networks, as evidenced by the US Cybersecurity and Infrastructure Security Agency (CISA) adding an older vulnerability in Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog.