Oracle Patchday: 374 Software Patches Fix Vulnerabilities
The quarterly Oracle Patchday brings work for admins: the manufacturer distributes 374 security patches.
Oracle is delivering 374 software patches in October for its quarterly patch day, called the "Critical Patch Update" (CPU). Admins should check whether they are using affected products in their networks and install the updates promptly.
On the overview page, Oracle lists all affected products and the security vulnerabilities closed with the updates. Security vulnerabilities classified as critical risks should be addressed particularly quickly. Products affected by these include, for example, Oracle GoldenGate, Oracle Communications and related Applications, Oracle E-Business Suite, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, and Oracle Siebel CRM.
Oracle: Not only critical vulnerabilities require attention
In addition, several products have security vulnerabilities that narrowly miss a critical risk classification. Here too, IT managers should act quickly. For example, the popular virtualization software VM VirtualBox has several high-risk vulnerabilities. The updates now available fix these in VirtualBox 7.2.4 and 7.1.14, respectively.
Security vulnerabilities in Oracle products are coveted by cybercriminals. Just last week, Oracle had to fix vulnerabilities in the Oracle E-Business Suite outside of the regular schedule. In addition to the already exploited zero-day vulnerability CVE-2025-61882, which is classified as "critical" with a CVSS score of 9.8, the developers found another one. That vulnerability, CVE-2025-61884, a server-side request forgery, received only a CVSS score of 7.5, which corresponds to the risk level "high". However, the US cybersecurity agency CISA has also included it in the "Known Exploited Vulnerabilities" catalog, meaning it is already actively being exploited online. The older vulnerability was also abused for extortion attempts with ransomware.
The next scheduled Oracle Critical Patch Update Day will be on January 20, 2026.
(dmk)