Oracle has released its January 2025 Critical Patch Update (CPU), addressing 318 vulnerabilities across its various products and services. Among these, a particularly severe vulnerability has been identified in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556), which carries a CVSS score of 9.9.
This flaw enables attackers with minimal privileges and network access via HTTP to completely compromise vulnerable Agile PLM Framework systems. The National Institute of Standards and Technology (NIST) has classified the issue as “easily exploitable,” posing a significant threat to organizations that use this software.
Notably, Oracle had previously warned of active exploitation attempts targeting another vulnerability in the Agile PLM Framework (CVE-2024-21287, CVSS 7.5), discovered in November 2024. Both vulnerabilities affect Agile PLM Framework version 9.3.6.
Eric Maurice, Oracle’s Vice President of Security, emphasized the urgency of applying the January security update, stating, “Users should immediately install this update, which includes fixes for CVE-2024-21287 and other critical vulnerabilities.”
Among the other vulnerabilities rated 9.8 on the CVSS scale, Oracle has addressed the following:
- CVE-2025-21524: In the Monitoring and Diagnostics SEC component of JD Edwards EnterpriseOne Tools.
- CVE-2023-3961: In the E1 Dev Platform Tech (Samba) component of JD Edwards EnterpriseOne Tools.
- CVE-2024-23807: In the Apache Xerces C++ XML parser within Oracle Agile Engineering Data Management.
- CVE-2023-46604: In the Apache ActiveMQ component of the Communications Diameter Signaling Router.
- CVE-2024-45492: In the XML parser (libexpat) used by Oracle Communications Network Analytics Data Director.
- CVE-2024-56337: In the Apache Tomcat server component of Oracle Communications Policy Management.
- CVE-2025-21535: In the Core component of WebLogic Server.
Particular attention has been drawn to CVE-2025-21535, which resembles CVE-2020-2883 (CVSS 9.8), a vulnerability previously exploited in Oracle WebLogic Server. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-2883 to its Known Exploited Vulnerabilities (KEV) catalog.
Additionally, Oracle has addressed CVE-2024-37371 (CVSS 9.1), a Kerberos 5 vulnerability in Communications Billing and Revenue Management. This flaw could allow attackers to trigger improper memory reads via tokens with invalid field lengths.
As part of the same update, Oracle Linux received 285 patches resolving other critical vulnerabilities. Users are strongly encouraged to apply these updates promptly to minimize the risk of cyberattacks.