When a vulnerability lands in the identity tier, the blast radius extends far beyond a single host. That is exactly the situation with CVE-2025-61757, a pre-authentication remote code execution flaw in Oracle Identity Manager (OIM). The bug allows an unauthenticated attacker with network access to bypass REST API protections and execute arbitrary code on vulnerable servers. CISA has now added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) catalog and set a short patch deadline for federal agencies, which signals that exploitation has moved from theory into practice.
Why CVE-2025-61757 matters for the identity tier
Oracle Identity Manager sits in the middle of account lifecycle management, approvals and provisioning flows across many enterprises. When an attacker gains remote code execution on that system before authentication, the compromise goes straight to the control plane that creates and manages identities. Researchers at Searchlight Cyber, who discovered the bug, emphasized that they treated it as a high-leverage identity-tier issue from day one, not just “another Java vulnerability.”
Because OIM often connects to HR systems, directories, cloud apps and privileged-role workflows, a successful exploit can quickly pivot into broad account abuse. Therefore, CVE-2025-61757 does not only represent server access; it represents the potential to create, modify or hijack identities at scale if organizations leave the flaw unpatched.
How the Oracle Identity Manager REST API bypass works
The core of CVE-2025-61757 lies in how Oracle Identity Manager secures its REST endpoints. A security filter should block unauthenticated requests from reaching sensitive paths. However, researchers found that by appending specific suffixes, such as web service descriptors, the filter can be tricked into treating protected endpoints as public.
In particular, adding wsdl-style or wadl-style suffixes to certain URL paths convinces the filter that the request targets documentation or metadata instead of an active REST handler. Searchlight Cyber’s write-up shows how appending ;.wadl to specific management URLs gives unauthenticated access where authentication should apply.
Because the bypass logic sits in a central filter, attackers can reuse the same trick across multiple REST paths rather than hunting for one-off misconfigurations.
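To make the anti-pattern concrete, here is an added toy model (not Oracle's filter and not code from the researchers): an exemption check that decides on the raw request line, next to a version that canonicalises the path first and exempts only an explicit allowlist. The prefix, paths and allowlist entry are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed values for this toy model; they are not Oracle's configuration.
PROTECTED_PREFIX = "/iam/governance/"          # everything under here needs auth
DESCRIPTOR_HINTS = (".wadl", "?wsdl")          # what the weak filter treats as "docs"
DOC_ALLOWLIST = {"/iam/governance/docs/api.wadl"}  # hypothetical public descriptor


def weak_requires_auth(raw_uri: str) -> bool:
    """Brittle path-based exemption: it looks at the raw request line, so a
    matrix parameter (';.wadl') or query string ('?wsdl') appended to a
    protected handler makes it look like a public documentation request."""
    lowered = raw_uri.lower()
    if lowered.endswith(DESCRIPTOR_HINTS):
        return False
    return lowered.startswith(PROTECTED_PREFIX)


def canonical_path(raw_uri: str) -> str:
    """Normalise before deciding: drop the query string, percent-decode,
    strip matrix parameters from every segment and collapse dot segments."""
    path = unquote(urlsplit(raw_uri).path)
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]          # 'templates;.wadl' -> 'templates'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def safe_requires_auth(raw_uri: str) -> bool:
    """Deny by default: every canonical path under the protected prefix needs
    authentication unless it is an explicitly allowlisted documentation resource."""
    path = canonical_path(raw_uri).lower()
    if path in DOC_ALLOWLIST:
        return False
    return path.startswith(PROTECTED_PREFIX)


if __name__ == "__main__":
    probe = "/iam/governance/applicationmanagement/templates;.wadl"
    print("weak filter requires auth:", weak_requires_auth(probe))   # False (bypassed)
    print("safe filter requires auth:", safe_requires_auth(probe))   # True
```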
From bypass to pre-auth RCE via Groovy
Once the attacker steps past the REST security filter, the exploit chain reaches a Groovy-based compilation endpoint. Under normal conditions, this endpoint compiles scripts in a controlled way and does not act as a generic execution engine. Nevertheless, the research team showed that Groovy’s annotation-processing features allow compile-time execution of attacker-controlled code.
By sending carefully crafted requests to that Groovy endpoint, an attacker who already bypassed authentication can instruct the server to run arbitrary commands during compilation. As a result, the full chain from crafted URL suffix to RCE runs before any user identity is validated. That property makes CVE-2025-61757 a pre-authentication RCE with a CVSS score of 9.8, which matches how runZero, Penligent and others describe its impact.
Active exploitation signs and early zero-day timeline
The vulnerability did not stay theoretical for long. Oracle addressed CVE-2025-61757 in its October 2025 Critical Patch Update, which covered Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 among many other products. Shortly afterward, Searchlight Cyber released a technical article that included enough detail for threat actors to reproduce the exploit.
However, SANS Internet Storm Center data suggests someone may have discovered and weaponized the issue earlier. Their handlers observed repeated requests against Oracle Identity Manager URLs with the telltale ;.wadl suffix as early as late August and early September, well before Oracle shipped the patch. The traffic came from multiple IP addresses but used the same user agent, which points to one actor scanning broadly rather than random noise.
Those probes targeted endpoints such as
/iam/governance/applicationmanagement/templates;.wadl
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
which match the exploit path documented in public research.
CISA’s KEV catalog and the patch deadline
CISA has now added CVE-2025-61757 to its Known Exploited Vulnerabilities catalog, which serves as the authoritative list of vulnerabilities with confirmed exploitation in the wild. When a CVE lands in KEV, federal civilian agencies receive a hard deadline to mitigate under Binding Operational Directive 22-01. For CVE-2025-61757, that window runs only a few weeks from listing to required remediation.
Even though the directive formally applies to U.S. Federal Civilian Executive Branch environments, private-sector defenders often treat KEV entries as a priority list as well, because historically these vulnerabilities attract ongoing exploitation across industries.
Identity-tier risk: beyond code execution
Technical details aside, the real risk comes from where this remote code execution lands. Oracle Identity Manager does not just live on a random app server; it orchestrates account creation, entitlement assignments and approval flows that span on-prem directories and cloud services. Penligent’s analysis frames CVE-2025-61757 as a “high-leverage identity-tier compromise route,” and that description fits.
If attackers gain code execution on OIM, they can attempt to tamper with provisioning logic, grant themselves accounts in critical systems, interfere with deprovisioning, or harvest credentials and connection details used by the platform. Consequently, defenders should treat this vulnerability on par with serious domain controller or SSO platform bugs, not as a generic middleware issue.
Detection and hunting ideas for CVE-2025-61757
Security teams who manage Oracle Identity Manager estates gain visibility by combining several angles. First, they examine web and reverse-proxy logs for REST requests against /iam/governance paths that include suffixes like ;.wadl or ?wsdl, especially when those requests come from unfamiliar IP ranges.
Next, they correlate any such requests with application logs and operating-system telemetry on the OIM servers. Sudden Groovy compilation activity against unusual scripts, unexpected child processes spawned by the application server or anomalous JAR loading behavior all merit investigation. Where organizations collect full-packet data, they look for repeated POST requests to those paths followed by new outbound connections from the same host.
Finally, they align those observations with asset-inventory data. runZero and similar platforms have already published fingerprints to help security teams locate Oracle Identity Manager instances on their networks and estimate exposure before or after exploit attempts.
Patching and hardening Oracle Identity Manager
In the short term, organizations that run vulnerable Oracle Identity Manager versions must apply the October 2025 Critical Patch Update that covers CVE-2025-61757. Oracle’s advisory and patch-availability documents list supported Identity Manager releases and direct administrators to the necessary downloads through My Oracle Support.
In parallel, security teams review how OIM’s REST interfaces are exposed. They restrict management endpoints to administrative networks or VPN-only access wherever possible instead of leaving them open on public interfaces. They also consider placing identity-tier admin surfaces behind additional authentication layers, such as reverse proxies that enforce strong upstream auth before requests hit Oracle’s stack.
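The log review described in this section, as an added example rather than a tool from the article or the vendors it cites: it parses combined-format access log lines, flags /iam/governance requests carrying a ;.wadl or ?wsdl-style suffix, marks hits against the Groovy status path, and groups them by User-Agent so that one agent seen from several source IPs stands out. The log lines are constructed samples, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not real telemetry); the
# timestamps echo the late-August probing window the article mentions.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Aug/2025:02:14:07 +0000] "GET /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512 "-" "Mozilla/5.0 (scanner-ua)"
203.0.113.11 - - [28/Aug/2025:02:14:09 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 91 "-" "Mozilla/5.0 (scanner-ua)"
198.51.100.7 - - [28/Aug/2025:02:20:41 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications?WSDL HTTP/1.1" 403 0 "-" "Mozilla/5.0 (scanner-ua)"
192.0.2.5 - - [28/Aug/2025:03:01:12 +0000] "GET /iam/governance/applicationmanagement/templates HTTP/1.1" 401 0 "-" "curl/8.0"
192.0.2.5 - - [28/Aug/2025:03:01:30 +0000] "GET /identity/faces/home HTTP/1.1" 200 4096 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# A /iam/governance path with a matrix-parameter ".wadl" suffix or a
# "?wsdl"-style query is the signature the article describes.
SUSPICIOUS_URI = re.compile(r'^/iam/governance/.*(;[^/?]*\.wadl|\?wsdl)', re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return every parsed request whose URI matches the descriptor-suffix signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SUSPICIOUS_URI.search(rec["uri"]):
            rec["groovy_endpoint"] = "groovyscriptstatus" in rec["uri"].lower()
            hits.append(rec)
    return hits


def scanner_clusters(hits, min_ips=2):
    """Group hits by User-Agent and keep agents seen from several source IPs:
    one tool sweeping from many addresses rather than unrelated noise."""
    by_ua = defaultdict(set)
    for rec in hits:
        by_ua[rec["ua"]].add(rec["ip"])
    return {ua: sorted(ips) for ua, ips in by_ua.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for rec in found:
        tag = "GROOVY-ENDPOINT" if rec["groovy_endpoint"] else ""
        print(rec["ts"], rec["ip"], rec["method"], rec["status"], rec["uri"], tag)
    print(scanner_clusters(found))
```

Hits against the Groovy status path, especially POSTs that return 200, are the ones to correlate with application logs and process telemetry on the OIM host.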
Longer term, Penligent and SANS both argue that organizations should treat this event as a forcing function to audit identity-plane exposure more broadly: which identity services sit directly on the internet, which rely on brittle filters, which reuse anti-patterns such as path-based exemptions and where security teams lack telemetry around admin functions.
Conclusion
CVE-2025-61757 reinforces a theme defenders see repeatedly: attackers gravitate toward identity-tier systems because control there unlocks everything upstream and downstream. A trivial-looking REST filter bypass combined with a Groovy compilation quirk now offers unauthenticated remote code execution against Oracle Identity Manager, and real-world traffic shows that threat actors already probe and exploit that path. When organizations treat OIM and similar platforms as critical infrastructure, aggressively apply Oracle’s October 2025 patches and harden how identity services face the network, they shrink both the current attack window and the next one that will inevitably appear.
FAQs
Q1: Which Oracle Identity Manager versions are affected by CVE-2025-61757?
Public guidance points to Oracle Identity Manager versions in the 12.2.1.4.0 and 14.1.2.1.0 ranges as affected, with fixes delivered in the October 2025 Critical Patch Update. Because Oracle distributes detailed patch matrices through My Oracle Support, customers should consult that documentation to map exact build numbers and confirm whether their deployments require updates.
Q2: Does this Oracle Identity Manager RCE require valid credentials?
No. CVE-2025-61757 is explicitly described as a pre-authentication remote code execution flaw. The exploit path uses REST API filter bypass tricks and a Groovy compilation endpoint before any normal user authentication logic runs. That property explains both the high CVSS score and CISA’s KEV prioritization.
Q3: How does this differ from other Oracle RCE cases in CISA’s KEV catalog?
CISA’s KEV catalog already includes multiple Oracle RCE flaws, such as those in Oracle E-Business Suite and Oracle Access Manager, that also allowed unauthenticated attackers to execute code over HTTP. CVE-2025-61757 stands out because it lives in an identity-management product rather than a general business application, which concentrates risk in the authentication and authorization layer instead of the transactional tier.
Q4: What if patching Oracle Identity Manager immediately is not feasible?
In that case, organizations still need interim risk reduction. They can restrict network access to OIM REST endpoints to dedicated admin networks or VPNs, place the service behind an authenticated reverse proxy and deploy virtual patches or WAF rules that block suspicious wadl / wsdl-style patterns on sensitive paths. These steps do not replace the patch, but they reduce exposure while teams test and schedule upgrades.