
Patch Now: CISA Warns of Active Oracle Identity Manager Attack

Originally published on: November 26, 2025
Summary

– A critical security vulnerability (CVE-2025-61757) in Oracle Identity Manager is being actively exploited, as confirmed by CISA.
– The flaw allows unauthenticated attackers to execute arbitrary code remotely via HTTP on affected Oracle Identity Manager versions.
– It has a critical CVSS severity score of 9.8 and can lead to complete system takeover without requiring prior credentials.
– CISA advises organizations to patch Oracle Identity Governance Suite 12c immediately or isolate affected services from the internet.
– The vulnerability was discovered during an investigation of a 2025 breach that compromised millions of records and thousands of Oracle Cloud tenants.

A critical security alert has been issued for organizations using Oracle Identity Manager, following confirmation that a severe vulnerability is currently being exploited by attackers. The Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities catalog, emphasizing the urgency for immediate defensive action.

Identified as CVE-2025-61757, the vulnerability was first uncovered by researchers at Searchlight Cyber on November 20. Oracle officially acknowledged the security issue the following day, prompting its swift inclusion in the CISA KEV catalog due to confirmed active exploitation in the wild.

The security weakness resides within the REST WebServices component of Oracle Identity Manager, which is a part of Oracle Fusion Middleware. This flaw enables an unauthenticated attacker with simple network access via HTTP to run any code they choose on vulnerable systems. Affected versions include 12.2.1.4.0 and 14.1.2.1.0, and successful exploitation can lead to a complete takeover of the Oracle Identity Manager environment.

With a CVSS score of 9.8, the vulnerability is rated critical. The risk is high because attackers need no prior authentication, credentials, or special access to the system to carry out an attack. The combination of a straightforward authentication bypass and a reliable method for remote code execution makes this an attractive target for cybercriminal groups, including ransomware operators and sophisticated advanced persistent threat (APT) actors, some of which may have state sponsorship.

CISA has issued a firm directive, urging all entities operating the Oracle Identity Governance Suite 12c to apply the available security patches without delay. If patching cannot be performed immediately, the agency advises administrators to isolate the vulnerable services from the public internet as a crucial temporary mitigation measure.

The discovery of this vulnerability emerged from an investigation by Searchlight Cyber into a separate security breach earlier in the year that impacted Oracle Cloud’s login service. During that incident, threat actors were seen leveraging a different, older vulnerability tracked as CVE-2021-35587. That previous breach resulted in a significant data compromise, affecting six million individual records and more than 140,000 Oracle Cloud tenant accounts.

(Source: Info Security)
