Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services.
The most severe of the flaws is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to seize control of susceptible instances.
“Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Agile PLM Framework,” according to a description of the security hole in the NIST National Vulnerability Database (NVD).
It’s worth noting that Oracle warned of active exploitation attempts against another flaw in the same product (CVE-2024-21287, CVSS score: 7.5) in November 2024. Both vulnerabilities affect Oracle Agile PLM Framework version 9.3.6.
“Customers are strongly advised to apply the January 2025 Critical Patch Update for Oracle Agile PLM Framework as it includes patches for [CVE-2024-21287] as well as additional patches,” Eric Maurice, vice president of Security Assurance at Oracle, said.
Some of the other critical severity flaws, all rated 9.8 on the CVSS score, addressed by Oracle are as follows –
- CVE-2025-21524 – A vulnerability in the Monitoring and Diagnostics SEC component of JD Edwards EnterpriseOne Tools
- CVE-2023-3961 – A vulnerability in the E1 Dev Platform Tech (Samba) component of JD Edwards EnterpriseOne Tools
- CVE-2024-23807 – A vulnerability in the Apache Xerces C++ XML parser component of Oracle Agile Engineering Data Management
- CVE-2023-46604 – A vulnerability in the Apache ActiveMQ component of the Oracle Communications Diameter Signaling Router
- CVE-2024-45492 – A vulnerability in the XML parser (libexpat) component of Oracle Communications Network Analytics Data Director, Financial Services Behavior Detection Platform, Financial Services Trade-Based Anti Money Laundering Enterprise Edition, and HTTP Server
- CVE-2024-56337 – A vulnerability in the Apache Tomcat server component of Oracle Communications Policy Management
- CVE-2025-21535 – A vulnerability in the Core component of Oracle WebLogic Server
- CVE-2016-1000027 – A vulnerability in the Spring Framework component of Oracle BI Publisher
- CVE-2023-29824 – A vulnerability in the Analytics Server (SciPy) component of Oracle Business Intelligence Enterprise Edition
CVE-2025-21535 is also similar to CVE-2020-2883 (CVSS score: 9.8), another critical security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active in-the-wild exploitation.
Also addressed by Oracle is CVE-2024-37371 (CVSS score: 9.1), a critical Kerberos 5 flaw affecting its Communications Billing and Revenue Management that could permit an attacker to “cause invalid memory reads by sending message tokens with invalid length fields.”
Users are advised to apply the necessary patches to keep their systems up-to-date and avoid potential security risks.
