Oracle Urges Immediate Action: January Patch Update Addresses 318 New Security Flaws
January 22, 2025
Oracle Communications received the highest number of patches, totaling 85, with 59 vulnerabilities allowing for potential remote code execution, including three rated 9.8.
On January 21, 2025, Oracle released its January Critical Patch Update, which includes 318 new security patches addressing over 180 vulnerabilities that can be exploited remotely without authentication.
This quarterly patch update, released on January 18, 2025, totals 603 patches, comprising 318 for Oracle products and 285 for Linux code.
The update identified approximately 220 unique CVEs, with around 30 patches targeting critical-severity flaws.
While some products received minimal patches, others like JD Edwards received 23 patches, including two rated 9.8, one of which allows complete system takeover.
The importance of these updates is underscored by the ongoing threat landscape, with Oracle urging users to apply the updates promptly to protect against potential security threats.
Among the most critical vulnerabilities addressed is CVE-2025-21556 in the Oracle Agile Product Lifecycle Management Framework, which has a CVSS score of 9.9 and allows low-privileged attackers to compromise the system via HTTP.
Additionally, Oracle's Supply Chain platform received a patch for another critical flaw rated 9.9, along with a 9.8-rated issue in the Engineering Data Management system.
Eric Maurice, VP of Security Assurance at Oracle, emphasized the urgency of applying these patches promptly to mitigate risks from vulnerabilities being actively exploited.
Oracle also issued 39 new security patches for MySQL, fixing four bugs vulnerable to remote, unauthenticated attacks.
Patches were also released for various applications, including 31 for Financial Services, 28 for Communications, and 26 for Analytics, with several vulnerabilities rated above 9.1.
In light of previous warnings about active exploitation attempts against vulnerabilities in the Agile PLM Framework, Oracle is urging customers to take immediate action to secure their systems.
Summary based on 3 sources
Sources
The Register • Jan 23, 2025
Oracle emits 603 patches, names one it wants you to worry about soon
The Hacker News • Jan 22, 2025
Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products
SecurityWeek • Jan 22, 2025
Oracle Patches 200 Vulnerabilities With January 2025 CPU