Dealing with Zero-Days of the Oracle and Microsoft Patchdays
Chapter 1
Inside the Oracle October 2025 Critical Patch Update
Vanessa
Hey everyone, welcome back to “It’s All About Vulnerabilities”! I'm Vanessa, joined—of course—by Alex and Daniel. This time we’re peeling back the layers on some huge enterprise patch updates, starting with Oracle’s October Critical Patch Update. Alex, you've been keeping a close eye on these numbers, right?
Alex
Absolutely, Vanessa. So, Oracle dropped a whopper again—374 patches in total, covering 170 unique CVEs across 29 product families. That already sounds massive but it's worth noting that more than a third of all those patches are just in TimesTen In-Memory Database and Spatial Studio families. And out of 170 CVEs, 40 were rated as critical, representing 12 CVEs specifically flagged for that highest threat level. It’s really, really big.
Daniel
And when you get that concentration of vulnerabilities, especially those that are network-exploitable and don’t require any authentication, well, that’s reason for security teams to go on high alert. These are the sort of flaws that, historically, could be exploited at scale without much effort.
Alex
Back in my early red team days, and I always sound old when I say this, but—patching was a semi-annual event for a lot of enterprise software. Predictable, slow, and honestly, organizations could leave things for a quarter before anyone panicked. Now? Every patch cycle feels like an emergency because of the scale and sheer number of remotely exploitable issues. If you blink, attackers are already ahead.
Vanessa
It's almost like vulnerability management was easier to plan then, but now with this constant sprint, it’s no wonder defenders are exhausted. But what I’m seeing more is not just the volume, but the velocity—out-of-band advisories, short timelines to patch, and a lot more onus on the end-customer to react quickly, even for internal systems.
Daniel
Indeed, Vanessa. And these are genuine business risks. If you’re responsible for infrastructure running Oracle in your company, you simply can’t brush past these updates and wait for the normal maintenance window. It demands a new level of operational agility just to keep up.
Chapter 2
E-Business Suite Zero-Days: The Urgency of Fast Patching
Vanessa
And speaking of urgency—Oracle’s E-Business Suite zero-days. That was big news. They had to push out-of-band alerts for two actively exploited zero-days—CVE-2025-61882 and CVE-2025-61884. For anyone running EBS, this was serious.
Daniel
These vulnerabilities allowed remote, unauthenticated attackers to compromise critical business systems. The risk isn’t just data theft, either—complete disruption of financial processes, HR, supply chain… It brings everything grinding to a halt. This is the sort of issue where, if you delay patching, you’re handing over the keys to your business crown jewels.
Alex
Yeah, and let’s not forget—when Oracle’s issuing out-of-band alerts, it means active exploitation is happening in the wild. These aren’t hypothetical risks. If you’re slow, you’re almost inviting attackers in.
Vanessa
Totally. Actually, I did this simulated phishing run last month with a client, you know, just regular social engineering stuff, and it made them realize just how fragile operations are if a core business app, like EBS, is exposed. They had solid anti-phishing policies, but their patch process just didn’t account for zero-days landing outside their regular cycle. That’s...well, let’s just say it was an “eyes wide open” moment for their compliance team too.
Daniel
That’s a strong reminder it’s about more than technical controls; it’s about business continuity and reputation. Organizations are starting to realize that delayed patching isn’t just a compliance risk, it’s a financial and legal one as well.
Alex
I like what you said there, Daniel. Delaying patches in this environment is like refusing to shut your vault when you know someone’s walked in with a crowbar. And with EBS being so deeply integrated into operations, it’s hard to even detect full compromise once attackers get in. Rapid patching isn't an option—it's an imperative.
Chapter 3
Microsoft Patchday November 2025
Alex
Alright, how about Microsoft’s November Patchday? Fewer vulnerabilities this time, just over 60, which… I mean, that’s almost a relief by modern standards. But it’s not really the whole story, right?
Daniel
That’s right. While the number is low, it coincided with simultaneous patch releases from Intel, Mozilla, and Adobe. So realistically, the workload for defenders didn’t really go down. In fact, multiple ecosystems needed patching at once. You could say it was a coordinated headache.
Vanessa
And if you dig into what Microsoft actually patched, you see above-average instances of race conditions. That’s notable because, from a practical perspective, these aren’t your classic buffer overflows. They’re harder to spot and exploit, but when they do get exploited, the consequences just spiral. People kind of sleep on race conditions because they don’t always get the splashy headlines, but attackers know how valuable these are.
Alex
Very true. And, let’s not skip over CVE-2025-62453. That one jumped out at me—not for its severity score, but because it targets improper validation of generative AI output, using CWE-1426. Now, that’s kind of a newer class of risk, and I think we’re just seeing the tip of the iceberg with this. Microsoft’s own patch notes made it pretty clear that these generative AI validation issues, well, we’ll be seeing more of them.
Daniel
That tracks with what VulDB’s CTI Activity Score flagged as well—CVE-2025-60724, a GDI+ heap-based overflow. That’s a vulnerability we expect to see actively exploited by multiple actors soon, if it isn’t already. Heap overflows on graphics libraries—attackers tend to jump on those, especially for privilege escalation or remote code execution in Windows desktop environments.
Vanessa
So, it’s another good reminder: the count going down doesn’t equal a drop in real-world risk. You have to look at the classes of vulnerabilities, potential for chaining, and—frankly—the exploitability. Patch fast, and don’t just focus on the big logo’d bugs.
Chapter 4
Current Developments in the CVE Program
Daniel
Shall we switch gears and look at the bigger ecosystem? Let’s talk about what’s happening in the CVE program lately. In Q3 2025, there was a pretty modest increase in published CVE records—just 0.32% up—but rejections went down by 14% and disputes… went up by 11%. So, we’re looking at 11,738 CVEs published for the quarter, 13,340 reserved, 152 rejected, and 42 unused—a fair bit of churn in the database.
Alex
And the CVE Program added 23 new CNAs, so now there are 476 CNA partners spanning 40 countries. Italy even joined in with two new CNAs, and it’s just nice to see that kind of expansion. More CNAs means faster and often more contextual vulnerability disclosures, provided the process is well managed.
Vanessa
I saw they changed their “CNA Enrichment Recognition List” publication cadence too. Instead of every two weeks, it’s now monthly, based on a six-month data window rather than a year. And from what VulDB has shown, quality’s gone up—fewer rejections, better enrichment, and clear tracking for real impact.
Alex
The Automation Working Group updated the schema—now supporting new PURL capability in version 5.2.0, which sounds a bit niche but it’s huge for software supply chain tracking. They’re prepping for version 6.0.0, which should streamline integration further.
Daniel
All these changes should mean less friction, better data, and—hopefully—a lot less confusion for those of us who rely on CVE data in our daily work. Still, disputes are up, so, I dunno, maybe there’s a bit more turbulence as everyone adapts to the new pace and focus in disclosure.
Chapter 5
Emerging Trends and Future Challenges in Vulnerability Management
Vanessa
So, what’s next for vulnerability management, then? It feels like we’re not just reacting to the volume anymore; the nature of threats keeps pushing us to up our game, right?
Alex
Absolutely. The curve is rising, and organizations really need to embrace automated patch management if they want to survive. The sheer volume and cross-product complexity of CVEs means doing this manually is nearly impossible. Automated systems aren’t just a nice-to-have—they’re essential for keeping pace with rapid-fire zero-days and those out-of-band updates we keep talking about.
Daniel
And you can’t just automate and hope for the best. Developing proactive threat intelligence—real-time monitoring, collaborating with industry partners, anticipating attack vectors before they strike—these are no longer aspirational. They’re baseline requirements. Zero-days don’t give you time for a meeting, they demand immediate action.
Vanessa
And don’t skip the people side! If you’re not investing in continuous security training and running tabletop or simulation exercises, you’re just hoping your team will “figure it out” in a crisis. That’s not how it works. If you simulate zero-day disclosures, staff can see their blind spots before the real thing happens, and you’ll spot gaps in your process so you can shore them up. Fast reaction is about muscle memory, not panic.
Alex
If there’s one thing tying all this together—from massive patchdays to CVE program tweaks and the ongoing arms race with attackers—it’s that our strategies have to evolve. Leaning on last year’s toolbox just won’t cut it anymore.
Daniel
Alright, that’s a good place to wrap for today. There’ll always be new vulnerabilities, but if you focus on automation, threat intelligence, and training, you’ll be ready for the next zero-day—at least as ready as you can be. Vanessa, Alex, always great to talk shop with you both.
Vanessa
Same here, Daniel. And thanks to everyone listening in—don’t forget, we’ve got more episodes lined up on the latest threat intelligence and how to actually put all of this into practice. Catch you next time!
Alex
Thanks everyone. Keep patching, keep learning—till next time, stay safe out there!
