Urgent CISA Alert: Active Oracle Identity Manager RCE Exploits

▼ Summary
– CISA warns government agencies to patch CVE-2025-61757, a pre-authentication RCE vulnerability in Oracle Identity Manager that has been exploited in attacks.
– The flaw allows attackers to bypass authentication by appending parameters like ?WSDL to URLs and abuse Groovy script compilation to execute malicious code remotely.
– Oracle fixed the vulnerability in its October 2025 security updates, and CISA has mandated federal agencies to patch it by December 12 due to its significant risk.
– Researchers note the vulnerability is easily exploitable, and evidence suggests it may have been used as a zero-day as early as August 30 by a single attacker.
– Exploitation attempts were detected from multiple IP addresses using specific endpoints and a consistent user agent, matching the technical details disclosed by Searchlight Cyber.
A critical security vulnerability within Oracle Identity Manager is now under active exploitation, prompting an urgent directive from federal authorities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that all federal civilian agencies apply patches immediately to counter this severe threat. Identified as CVE-2025-61757, this flaw allows attackers to execute code remotely on affected systems without needing any login credentials, making it exceptionally dangerous.
Security analysts from Searchlight Cyber uncovered the vulnerability, which arises from a weakness in Oracle Identity Manager’s REST API security filters. By simply adding specific parameters such as `?WSDL` or `;.wadl` to certain web addresses, attackers can bypass authentication entirely. This manipulation tricks the system into treating secured endpoints as if they were open to the public, granting unauthorized entry.
Once inside, intruders can access a Groovy script compilation endpoint. Although this feature normally doesn’t run scripts directly, its annotation-processing capabilities can be misused. Malicious actors leverage this to run arbitrary code during the compilation phase, achieving full remote code execution on the server. Researchers confirmed that chaining these weaknesses together results in complete system compromise before any user authentication occurs.
Oracle addressed the issue in its October 2025 security updates, which became available on October 21. However, a detailed technical report released yesterday by Searchlight Cyber provides a complete breakdown of the vulnerability, including exploitation methods. The researchers noted that, compared to previous Oracle Access Manager flaws, this one is relatively straightforward for threat actors to weaponize.
CISA has now officially listed CVE-2025-61757 in its Known Exploited Vulnerabilities catalog. Federal agencies must apply the necessary patches by December 12 to comply with Binding Operational Directive 22-01. The agency emphasized that such vulnerabilities represent common and high-risk attack vectors that threaten federal infrastructure.
While CISA has not disclosed specifics about ongoing attacks, independent analysis suggests exploitation may have begun months before the patch was available. One security expert observed scanning activity targeting the vulnerable endpoints as early as August 30. Multiple connection attempts from distinct IP addresses were recorded, all using an identical browser signature matching Google Chrome 60 on Windows 10.
The endpoints involved in these probes include `/iam/governance/applicationmanagement/templates;.wadl` and `/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl`. These match the exploit pattern detailed by researchers. The consistent user agent across different IPs suggests a coordinated campaign potentially orchestrated by a single threat actor.
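The probing pattern described above (IAM REST paths with a `;.wadl` matrix parameter or a `?WSDL` query, many source IPs sharing one Chrome 60 / Windows 10 user agent) is something a defender can hunt for in existing web-server logs while the patch is being rolled out. The script below is an added example for this article, not code from Bleeping Computer, Searchlight Cyber or Oracle. It assumes the front end writes Apache/NCSA combined-format access logs; the log lines, IP addresses (RFC 5737 documentation ranges) and the exact Chrome 60 user-agent string are constructed for the example and are not indicators taken from the reporting.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format). Not real traffic:
# the IPs are documentation addresses and the user-agent string is an example
# Chrome 60 / Windows 10 signature, chosen to match the pattern the article describes.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Aug/2025:03:12:44 +0000] "GET /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
198.51.100.7 - - [30/Aug/2025:03:12:45 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
192.0.2.55 - - [30/Aug/2025:03:13:01 +0000] "GET /iam/governance/applicationmanagement/templates?WSDL HTTP/1.1" 401 0 "-" "curl/8.4.0"
10.0.0.12 - - [30/Aug/2025:03:14:10 +0000] "GET /iam/governance/applicationmanagement/templates HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

IAM_PREFIX = "/iam/"          # Oracle Identity Manager REST namespace
WADL_SUFFIX = ";.wadl"        # matrix-parameter suffix named in the article
WSDL_QUERY = "wsdl"           # compared case-insensitively against the query string
CHROME60_WIN10 = re.compile(r"Windows NT 10\.0.*Chrome/60\.")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def bypass_indicators(target):
    """Return the reasons a request target matches the CVE-2025-61757 bypass pattern."""
    path, _, query = target.partition("?")
    reasons = []
    if not path.startswith(IAM_PREFIX):
        return reasons
    if path.lower().endswith(WADL_SUFFIX):
        reasons.append("';.wadl' matrix-parameter suffix on IAM path")
    if query.lower() == WSDL_QUERY:
        reasons.append("'?WSDL' query on IAM path")
    return reasons


def scan_log(text):
    """Flag requests matching the bypass pattern; enrich with UA and response-status context."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = bypass_indicators(rec["target"])
        if not reasons:
            continue
        if CHROME60_WIN10.search(rec["ua"]):
            reasons.append("user agent matches the Chrome 60 / Windows 10 signature")
        if rec["status"].startswith("2"):
            # A 2xx on a normally authenticated path means the filter was bypassed.
            reasons.append(f"server answered {rec['status']}: bypass likely succeeded, escalate")
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "target": rec["target"],
                         "ua": rec["ua"], "reasons": reasons})
    return findings


def shared_user_agents(findings):
    """Map user agent -> sorted distinct IPs, to spot one actor probing from many addresses."""
    by_ua = defaultdict(set)
    for f in findings:
        by_ua[f["ua"]].add(f["ip"])
    return {ua: sorted(ips) for ua, ips in by_ua.items() if len(ips) > 1}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["target"], "|", "; ".join(h["reasons"]))
    for ua, ips in shared_user_agents(hits).items():
        print(f"same user agent from {len(ips)} IPs: {ips}")
```

Run it against real logs by replacing `SAMPLE_LOG` with the file contents; a 2xx response to a `;.wadl` or `?WSDL` request on an `/iam/` path is the finding to treat as a probable compromise rather than a scan, and a user agent recurring across unrelated source addresses is the clustering signal the article's analyst used. The plain `/iam/.../templates` request without a suffix is deliberately left unflagged, since that is ordinary authenticated traffic.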
Oracle has been approached for comment regarding whether they have observed active exploitation of this vulnerability in the wild. Updates will follow should additional information become available.
(Source: Bleeping Computer)