
Oracle Identity Manager CVE-2025-61757 RCE: Deadline and Risk

[Illustration: Oracle Identity Manager servers at the center of an enterprise identity map, with CVE-2025-61757, a pre-auth RCE in OIM’s REST APIs that CISA now lists as actively exploited, highlighted as an active remote code execution path.]

When a vulnerability lands in the identity tier, the blast radius extends far beyond a single host. That is exactly the situation with CVE-2025-61757, a pre-authentication remote code execution flaw in Oracle Identity Manager (OIM). The bug allows an unauthenticated attacker with network access to bypass REST API protections and execute arbitrary code on vulnerable servers. CISA has now added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) catalog and set a short patch deadline for federal agencies, which signals that exploitation moved from theory into practice.

Why CVE-2025-61757 matters for the identity tier

Oracle Identity Manager sits in the middle of account lifecycle management, approvals and provisioning flows across many enterprises. When an attacker gains remote code execution on that system before authentication, the compromise goes straight to the control plane that creates and manages identities. Researchers at Searchlight Cyber, who discovered the bug, emphasized that they treated it as a high-leverage identity-tier issue from day one, not just “another Java vulnerability.” 

Because OIM often connects to HR systems, directories, cloud apps and privileged-role workflows, a successful exploit can quickly pivot into broad account abuse. Therefore, CVE-2025-61757 does not only represent server access; it represents the potential to create, modify or hijack identities at scale if organizations leave the flaw unpatched.

How the Oracle Identity Manager REST API bypass works

The core of CVE-2025-61757 lies in how Oracle Identity Manager secures its REST endpoints. A security filter should block unauthenticated requests from reaching sensitive paths. However, researchers found that by appending specific suffixes, such as web service descriptor extensions, the filter can be tricked into treating protected endpoints as public.

In particular, adding wsdl-style or wadl-style suffixes to certain URL paths convinces the filter that the request targets documentation or metadata instead of an active REST handler. Searchlight Cyber’s write-up shows how appending ;.wadl to specific management URLs gives unauthenticated access where authentication should apply.

Because the bypass logic sits in a central filter, attackers can reuse the same trick across multiple REST paths rather than hunting for one-off misconfigurations.
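A simplified model of the path-based exemption anti-pattern described above, beside a hardened check, as an added Python illustration for this article: it is not Oracle's filter code (the write-up does not show that filter's internals), the exemption rule and suffix list are constructed assumptions, and the path names reuse the probed URLs discussed in this article.

```python
from urllib.parse import unquote

# Constructed model of a path-based exemption filter (illustration only,
# not Oracle's code). Protected REST routes live under PROTECTED_PREFIX;
# documentation views are assumed to be identified by these suffixes.
PUBLIC_SUFFIXES = (".wadl", ".wsdl")
PROTECTED_PREFIX = "/iam/governance/"


def weak_filter_allows_anon(raw_target: str) -> bool:
    """Anti-pattern: decide on the raw request target's suffix. A matrix
    parameter like ';.wadl' or a '?wsdl' query makes a protected handler
    look like a metadata request, so the request skips authentication."""
    return raw_target.endswith(PUBLIC_SUFFIXES) or raw_target.endswith("?wsdl")


def canonical_path(raw_target: str) -> str:
    """Normalise before any authorisation decision: percent-decode, drop the
    query string, strip ';...' matrix parameters from every segment and
    resolve '.' / '..' segments the way the container's router would."""
    path = unquote(raw_target).split("?", 1)[0]
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def hardened_filter_allows_anon(raw_target: str) -> bool:
    """Decide on the canonical path only: anything under the protected prefix
    requires authentication no matter how the target is decorated."""
    path = canonical_path(raw_target)
    if path.startswith(PROTECTED_PREFIX):
        return False
    return path.endswith(PUBLIC_SUFFIXES)
```

The hardened version fails closed for the protected prefix; routes that genuinely need an unauthenticated metadata view must be listed explicitly rather than recognised by suffix.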

From bypass to pre-auth RCE via Groovy

Once the attacker steps past the REST security filter, the exploit chain reaches a Groovy-based compilation endpoint. Under normal conditions, this endpoint compiles scripts in a controlled way and does not act as a generic execution engine. Nevertheless, the research team showed that Groovy’s annotation-processing features allow compile-time execution of attacker-controlled code. 

By sending carefully crafted requests to that Groovy endpoint, an attacker who already bypassed authentication can instruct the server to run arbitrary commands during compilation. As a result, the full chain from crafted URL suffix to RCE runs before any user identity is validated. That property makes CVE-2025-61757 a pre-authentication RCE with a CVSS score of 9.8, which matches how runZero, Penligent and others describe its impact.

Active exploitation signs and early zero-day timeline

The vulnerability did not stay theoretical for long. Oracle addressed CVE-2025-61757 in its October 2025 Critical Patch Update, which covered Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 among many other products. Shortly afterward, Searchlight Cyber released a technical article that included enough detail for threat actors to reproduce the exploit.

However, SANS Internet Storm Center data suggests someone may have discovered and weaponized the issue earlier. Their handlers observed repeated requests against Oracle Identity Manager URLs with the telltale ;.wadl suffix as early as late August and early September, well before Oracle shipped the patch. The traffic came from multiple IP addresses but used the same user agent, which points to one actor scanning broadly rather than random noise.

Those probes targeted endpoints such as

/iam/governance/applicationmanagement/templates;.wadl
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl

which match the exploit path documented in public research.

CISA’s KEV catalog and the patch deadline

CISA has now added CVE-2025-61757 to its Known Exploited Vulnerabilities catalog, which serves as the authoritative list of vulnerabilities with confirmed exploitation in the wild. When a CVE lands in KEV, federal civilian agencies receive a hard deadline to mitigate under Binding Operational Directive 22-01. For CVE-2025-61757, that window runs only a few weeks from listing to required remediation.

Even though the directive formally applies to U.S. Federal Civilian Executive Branch environments, private-sector defenders often treat KEV entries as a priority list as well, because historically these vulnerabilities attract ongoing exploitation across industries.

Identity-tier risk: beyond code execution

Technical details aside, the real risk comes from where this remote code execution lands. Oracle Identity Manager does not just live on a random app server; it orchestrates account creation, entitlement assignments and approval flows that span on-prem directories and cloud services. Penligent’s analysis frames CVE-2025-61757 as a “high-leverage identity-tier compromise route,” and that description fits.

If attackers gain code execution on OIM, they can attempt to tamper with provisioning logic, grant themselves accounts in critical systems, interfere with deprovisioning, or harvest credentials and connection details used by the platform. Consequently, defenders should treat this vulnerability on par with serious domain controller or SSO platform bugs, not as a generic middleware issue.

Detection and hunting ideas for CVE-2025-61757

Security teams who manage Oracle Identity Manager estates gain visibility by combining several angles. First, they examine web and reverse-proxy logs for REST requests against /iam/governance paths that include suffixes like ;.wadl or ?wsdl, especially when those requests come from unfamiliar IP ranges.

Next, they correlate any such requests with application logs and operating-system telemetry on the OIM servers. Sudden Groovy compilation activity against unusual scripts, unexpected child processes spawned by the application server or anomalous JAR loading behavior all merit investigation. Where organizations collect full-packet data, they look for repeated POST requests to those paths followed by new outbound connections from the same host.

Finally, they align those observations with asset-inventory data. runZero and similar platforms have already published fingerprints to help security teams locate Oracle Identity Manager instances on their networks and estimate exposure before or after exploit attempts. 
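The log review described in this section, as an added Python example for this article (not from the original post or from any vendor tool): it parses constructed combined-format access-log lines, strips query strings and matrix parameters before deciding whether a request targets a protected /iam/governance route, flags the ;.wadl / ?wsdl decoration on the raw target, and groups hits by User-Agent to surface one agent string seen from several source IPs, the pattern the ISC handlers described.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Sep/2025:04:12:01 +0000] "GET /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 4310 "-" "Mozilla/5.0 probe-agent"
198.51.100.7 - - [02/Sep/2025:04:12:09 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 87 "-" "Mozilla/5.0 probe-agent"
192.0.2.44 - - [02/Sep/2025:09:30:22 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications HTTP/1.1" 401 0 "-" "Mozilla/5.0 corp-browser"
192.0.2.45 - - [02/Sep/2025:09:31:00 +0000] "GET /identity/faces/home HTTP/1.1" 200 9123 "-" "Mozilla/5.0 corp-browser"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A matrix parameter on the last segment ending in .wadl/.wsdl, or a ?wsdl/?wadl
# query string, dressed onto a real handler path.
DECORATION_RE = re.compile(r';[^/?]*\.(?:wadl|wsdl)(?:\?|$)|\?(?:wsdl|wadl)$', re.IGNORECASE)
PROTECTED_PREFIX = "/iam/governance/"


def find_bypass_probes(log_text: str) -> list:
    """Return parsed requests whose path, once query string and matrix
    parameters are stripped, is a protected OIM REST route but whose raw
    target carries a .wadl/.wsdl decoration."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: leave it for manual review
        target = m.group("target")
        plain = "/".join(s.split(";", 1)[0] for s in target.split("?", 1)[0].split("/"))
        if plain.startswith(PROTECTED_PREFIX) and DECORATION_RE.search(target):
            hits.append(m.groupdict())
    return hits


def user_agents_across_ips(hits: list, min_ips: int = 2) -> dict:
    """Group probes by User-Agent. One agent string arriving from several
    source IPs points to one actor scanning broadly rather than random noise."""
    by_ua = defaultdict(set)
    for h in hits:
        by_ua[h["ua"]].add(h["ip"])
    return {ua: sorted(ips) for ua, ips in by_ua.items() if len(ips) >= min_ips}
```

A 200 on a decorated protected path deserves the same scrutiny as a 401, since the bypass is precisely what turns the expected 401 into a 200.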

Patching and hardening Oracle Identity Manager

In the short term, organizations that run vulnerable Oracle Identity Manager versions must apply the October 2025 Critical Patch Update that covers CVE-2025-61757. Oracle’s advisory and patch-availability documents list supported Identity Manager releases and direct administrators to the necessary downloads through My Oracle Support.

In parallel, security teams review how OIM’s REST interfaces are exposed. They restrict management endpoints to administrative networks or VPN-only access wherever possible instead of leaving them open on public interfaces. They also consider placing identity-tier admin surfaces behind additional authentication layers, such as reverse proxies that enforce strong upstream auth before requests hit Oracle’s stack.

Longer term, Penligent and SANS both argue that organizations should treat this event as a forcing function to audit identity-plane exposure more broadly: which identity services sit directly on the internet, which rely on brittle filters, which reuse anti-patterns such as path-based exemptions and where security teams lack telemetry around admin functions.

Conclusion

CVE-2025-61757 reinforces a theme defenders see repeatedly: attackers gravitate toward identity-tier systems because control there unlocks everything upstream and downstream. A trivial-looking REST filter bypass combined with a Groovy compilation quirk now offers unauthenticated remote code execution against Oracle Identity Manager, and real-world traffic shows that threat actors already probe and exploit that path. When organizations treat OIM and similar platforms as critical infrastructure, aggressively apply Oracle’s October 2025 patches and harden how identity services face the network, they shrink both the current attack window and the next one that will inevitably appear.

FAQs

Q1: Which Oracle Identity Manager versions are affected by CVE-2025-61757?

Public guidance points to Oracle Identity Manager versions in the 12.2.1.4.0 and 14.1.2.1.0 ranges as affected, with fixes delivered in the October 2025 Critical Patch Update. Because Oracle distributes detailed patch matrices through My Oracle Support, customers should consult that documentation to map exact build numbers and confirm whether their deployments require updates. 

Q2: Does this Oracle Identity Manager RCE require valid credentials?

No. CVE-2025-61757 is explicitly described as a pre-authentication remote code execution flaw. The exploit path uses REST API filter bypass tricks and a Groovy compilation endpoint before any normal user authentication logic runs. That property explains both the high CVSS score and CISA’s KEV prioritization.

Q3: How does this differ from other Oracle RCE cases in CISA’s KEV catalog?

CISA’s KEV catalog already includes multiple Oracle RCE flaws, such as those in Oracle E-Business Suite and Oracle Access Manager, that also allowed unauthenticated attackers to execute code over HTTP. CVE-2025-61757 stands out because it lives in an identity-management product rather than a general business application, which concentrates risk in the authentication and authorization layer instead of the transactional tier.

Q4: What if patching Oracle Identity Manager immediately is not feasible?

In that case, organizations still need interim risk reduction. They can restrict network access to OIM REST endpoints to dedicated admin networks or VPNs, place the service behind an authenticated reverse proxy and deploy virtual patches or WAF rules that block suspicious wadl/wsdl-style patterns on sensitive paths. These steps do not replace the patch, but they reduce exposure while teams test and schedule upgrades.
