January 22, 2025 |

Oracle patches over 300 vulnerabilities in annual multi-product update

Oracle has released its January 2025 Critical Patch Update that includes fixes for over 300 vulnerabilities affecting many of its products and services.

The most severe vulnerability addressed in the update, which was assigned a CVSS score of 9.9, is CVE-2025-21553, a flaw in Oracle’s Agile Product Lifecycle Management (PLM) Framework that, if exploited, could allow a threat actor with low privileges and network access to take control of the affected system.

Oracle also addressed nine other critical-severity flaws in the update, including CVE-2025-21535, which impacts the Core component of Oracle WebLogic Server.

This flaw is very similar to another critical vulnerability in Oracle WebLogic Server, CVE-2020-2883, which could be exploited by unauthenticated threat actors with network access. In January 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog after threat actors were observed actively exploiting the flaw.

Oracle hasn’t stated whether any of the vulnerabilities being addressed have been actively exploited or whether proof-of-concept exploit code is publicly available. Regardless, the company is encouraging users of the impacted products to install the patches as soon as possible to mitigate any potential risk the vulnerabilities may pose.

Source: The Hacker News

Analysis

While 300 may seem like an extraordinary number of vulnerabilities, it’s below average for Oracle’s annual January update, which has addressed close to 500 vulnerabilities in previous years. Most of the flaws addressed in these annual updates are low-severity vulnerabilities that are difficult to exploit and, if exploited, offer minimal reward to a threat actor. It therefore makes sense for Oracle to deploy these patches as part of one major update instead of inundating its customers with dozens of small updates.

Fortunately, there doesn’t appear to be any active exploitation of these vulnerabilities so far. However, users must install the patches as soon as possible, especially since CVE-2025-21535 is very similar to CVE-2020-2883, which has previously been exploited.

According to Shodan, there are just over 5,000 instances of Oracle WebLogic Server exposed to the open internet, with most located in the U.S. Should these deployments remain vulnerable to CVE-2025-21535, they would represent a significant attack footprint for threat actors to target for exploitation.

[Figure: Internet-exposed instances of Oracle WebLogic Server (Source: Shodan.io)]

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as Oracle’s products. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate exploitation of these vulnerabilities. Field Effect MDR users are automatically notified if a vulnerable version of Oracle software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly encourages users of the affected Oracle products to update to the latest version as soon as possible, in accordance with Oracle’s advisory.