CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability CVE-2025-61757 (CVSS 9.8)
Key Takeaways:
- CISA warns of active exploitation of Oracle Identity Manager zero-day vulnerability CVE-2025-61757.
- The vulnerability allows unauthenticated remote code execution.
- Affected versions are 12.2.1.4.0 and 14.1.2.1.0.
- Immediate patching is crucial for affected organizations.
Table of Contents:
- CVE-2025-61757: Missing Authentication in Oracle Identity Manager
- Evidence of Zero-Day Exploitation
- Implications and Mitigation
- PurpleOps and Vulnerability Management
- FAQ
CVE-2025-61757: Missing Authentication in Oracle Identity Manager
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a critical zero-day vulnerability in Oracle Identity Manager, identified as CVE-2025-61757 (CVSS score: 9.8). This flaw, a missing authentication for a critical function, enables pre-authenticated remote code execution and impacts Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0.
The vulnerability resides within Oracle Fusion Middleware and stems from a missing authentication check. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog on the basis of observed active exploitation. An unauthenticated remote attacker can leverage the flaw to take control of Identity Manager. Oracle addressed the issue as part of its monthly patch updates released in October.
According to CISA, “Oracle Fusion Middleware contains a missing authentication for a critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.”
Searchlight Cyber researchers Adam Kues and Shubham Shah discovered the vulnerability. Their analysis indicates that the flaw allows attackers to access API endpoints that can be used to manipulate authentication flows, escalate privileges, and move laterally across an organization’s core systems. This makes it a significant cyber threat.
The root cause of the vulnerability lies in a bypass of a security filter. Attackers can append “?WSDL” or “;.wadl” to any URI, which tricks protected endpoints into being treated as publicly accessible. This bypass is due to a faulty allow-list mechanism that relies on regular expressions or string matching against the request URI.
The Searchlight Cyber researchers explained, “This system is very error-prone, and there are typically ways to trick these filters into thinking we’re accessing an unauthenticated route when we’re not.”
Exploitation involves pairing the authentication bypass with a request to the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus” endpoint. This allows remote code execution by sending a specially crafted HTTP POST request. Although the endpoint is intended only for checking the syntax of Groovy code, the researchers found a way to “write a Groovy annotation that executes at compile time, even though the compiled code is not actually run.”
Evidence of Zero-Day Exploitation
Prior to Oracle releasing a patch, Johannes B. Ullrich, the dean of research at the SANS Technology Institute, reported suspicious activity in honeypot logs. Between August 30 and September 9, 2025, there were multiple attempts to access the URL “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl” via HTTP POST requests.
Ullrich noted, “There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker. Sadly, we did not capture the bodies for these requests, but they were all POST requests. The content-length header indicated a 556-byte payload.”
These attempts suggest that the vulnerability was likely exploited as a zero-day, before a patch was available. The IP addresses involved in these attempts include:
- 89.238.132[.]76
- 185.245.82[.]81
- 138.199.29[.]153
Implications and Mitigation
The active exploitation of CVE-2025-61757 poses a significant risk to organizations using affected versions of Oracle Identity Manager. Successful exploitation can lead to unauthorized access, privilege escalation, and lateral movement within the network. Given the severity of the vulnerability and its active exploitation, immediate patching is crucial. Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary patches by December 12, 2025, to secure their networks. All organizations using the affected versions should prioritize patching as well.
Practical Takeaways:
- Technical Readers: Immediately apply the Oracle patch for CVE-2025-61757 if you are using affected versions of Oracle Identity Manager (12.2.1.4.0 and 14.1.2.1.0). Review access logs for any suspicious activity targeting the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus” endpoint. Implement intrusion detection system (IDS) rules to detect and block attempts to exploit this vulnerability. Ensure web application firewalls (WAFs) are configured to prevent URI manipulation attacks.
- Non-Technical Readers: Verify that your organization is using a supported version of Oracle Identity Manager. Contact your IT department to confirm that the necessary patches for CVE-2025-61757 have been applied. Understand the potential impact of this vulnerability on your organization’s systems and data. Ensure that incident response plans are up to date and include procedures for handling potential exploitation of this vulnerability.
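The log review recommended above can be scripted. The following is an added example, not code from the article, CISA or Searchlight Cyber: it scans constructed Combined Log Format access-log lines for requests that resolve to the groovyscriptstatus endpoint once ";param" path parameters and the query string are stripped (the normalization the faulty allow-list skipped), and for the ";.wadl" and "?WSDL" suffixes the article describes. The IPs, timestamps, user agents and the two non-groovyscriptstatus paths are constructed, and treating a bare "?WSDL" on an /iam/ REST path as suspicious is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (Combined Log Format). The groovyscriptstatus path, the
# ';.wadl' / '?WSDL' suffixes and the 556-byte body come from the article; the rest is made up.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Sep/2025:11:14:03 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 556 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Sep/2025:11:14:09 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications?WSDL HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2025:11:15:30 +0000] "GET /soap/ExampleService?WSDL HTTP/1.1" 200 3000 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
GROOVY_ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"

def normalize_path(uri):
    """Path as an auth filter should see it: query dropped, ';param' segments stripped, decoded."""
    path = unquote(uri.partition("?")[0])
    return "/".join(seg.partition(";")[0] for seg in path.split("/"))

def bypass_indicators(uri):
    """Flag the two allow-list bypass suffixes the article names."""
    path, _, query = uri.partition("?")
    reasons = []
    if re.search(r";[^/]*\.wadl$", path, re.IGNORECASE):
        reasons.append("wadl-path-parameter")
    # Assumption: a bare '?WSDL' on a REST path under /iam/ is not legitimate traffic
    # (WSDL fetches belong to SOAP endpoints), so it is treated as an indicator.
    if query.upper() == "WSDL" and normalize_path(path).startswith("/iam/"):
        reasons.append("wsdl-query-on-rest-path")
    return reasons

def scan_access_log(text):
    """One finding per request that reaches the vulnerable endpoint after normalization or carries a bypass suffix."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = bypass_indicators(m["uri"])
        if normalize_path(m["uri"]) == GROOVY_ENDPOINT:
            reasons.append("groovyscriptstatus-endpoint")
        if reasons:  # method and body size help triage (the honeypot saw 556-byte POSTs)
            findings.append({"ip": m["ip"], "method": m["method"], "uri": m["uri"],
                             "size": m["size"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['uri']} size={f['size']} -> {', '.join(f['reasons'])}")
```

The third sample line, a WSDL fetch against a SOAP endpoint, is deliberately left unflagged so the heuristic does not drown analysts in legitimate SOAP traffic.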
This event underscores the critical importance of real-time ransomware intelligence, breach detection, and proactive supply-chain risk monitoring. The rapid exploitation of vulnerabilities necessitates the use of a cyber threat intelligence platform to stay ahead of emerging threats. Implementing a dark web monitoring service, Telegram threat monitoring, and underground forum intelligence can provide early warnings of potential exploits. Brand leak alerting can also help detect unauthorized access to sensitive information.
PurpleOps and Vulnerability Management
PurpleOps provides a comprehensive suite of services designed to help organizations manage and mitigate cyber threats, including vulnerability exploitation. Our services include:
- Cyber Threat Intelligence: PurpleOps provides actionable threat intelligence to help organizations stay ahead of emerging threats. Our platform aggregates data from various sources, including the dark web, underground forums, and real-time threat feeds, to provide a comprehensive view of the threat landscape.
- Breach Detection: PurpleOps’s breach detection services help organizations identify and respond to security incidents quickly and effectively. Our platform uses advanced analytics and machine learning to detect suspicious activity and alert security teams to potential breaches.
- Supply-Chain Risk Monitoring: PurpleOps helps organizations assess and manage the security risks associated with their supply chain. Our platform provides visibility into the security posture of third-party vendors and helps organizations identify and mitigate potential vulnerabilities.
- Dark Web Monitoring: We proactively scan the dark web to find compromised credentials, exposed data, and other potential threats to your organization.
- Underground Forum Intelligence: PurpleOps monitors underground forums and other online communities to identify emerging threats and vulnerabilities.
- Real-Time Ransomware Intelligence: By using our live ransomware API, our clients can stay on top of the latest threats.
By leveraging PurpleOps’s expertise and services, organizations can improve their security posture and reduce their risk of becoming a victim of cyber attacks. We also offer services such as Red Team Operations that can help find vulnerabilities before threat actors do.
To learn more about how PurpleOps can help your organization protect itself from cyber threats, visit PurpleOps Solutions or contact us for more information.
FAQ
Q: What is CVE-2025-61757?
A: CVE-2025-61757 is a critical zero-day vulnerability in Oracle Identity Manager that allows unauthenticated remote code execution.
Q: Which versions of Oracle Identity Manager are affected?
A: Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 are affected.
Q: How can I mitigate this vulnerability?
A: Apply the Oracle patch for CVE-2025-61757 immediately. Also, review access logs for suspicious activity and implement intrusion detection system (IDS) rules.
Q: What is the CVSS score for CVE-2025-61757?
A: The CVSS score for CVE-2025-61757 is 9.8, indicating a critical severity.