
Warning about vulnerability in Oracle Identity Manager

CISA warns that a critical vulnerability in Oracle Identity Manager is being actively exploited. The flaw, CVE-2025-61757, allows remote code execution without authentication and poses an immediate risk to organizations that rely on the platform for identity and access management. 

According to The Hacker News, the vulnerability affects both older and newer versions of Oracle Identity Manager and could have significant consequences in many environments, as the product is often deeply integrated into business processes and other applications.

The flaw was discovered by Searchlight Cyber researchers Adam Kues and Shubham Shah. The bypass exists because the security filter in front of the REST APIs is not robust enough. By appending a suffix such as "?WSDL" or a semicolon followed by "wadl" to a URL, an attacker can make the filter treat protected endpoints as if they were freely accessible.

This allows access to internal functionality without authentication. The researchers demonstrate that the vulnerability is not only easy to exploit but also widely applicable across different configurations of Oracle Identity Manager.

Attractive vulnerability for criminals

An attacker who gets in via the bypass can then reach an endpoint used to compile Groovy code. Although that endpoint does not normally execute scripts, Groovy annotations can be abused to run code during compilation itself, creating an attack path that leads to full remote code execution. No user interaction and no login credentials are required, which makes the flaw particularly attractive to cybercriminals and other threat actors.

Oracle fixed the vulnerability in its October 21, 2025, security update. According to BleepingComputer, CISA has now included the bug in its Known Exploited Vulnerabilities catalog. This means that patching is mandatory for US government agencies. These organizations must apply the updates by December 12 at the latest, in accordance with Binding Operational Directive 22-01. CISA emphasizes that vulnerabilities in identity management systems are often used to penetrate broader networks because they play a central role in authentication and authorization.

Observations indicate that the vulnerability has been exploited since late August. Researchers recorded multiple suspicious POST requests to paths matching the exploit chain. The requests carried the same user agent, which may point to a single attacker or an automated scanning platform. Although the full payloads were not recorded, the timing indicates that the flaw may have been exploited as a zero-day before the patch was available. Oracle has not yet responded to BleepingComputer's questions regarding any observations on its own systems.
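As an added example that is not part of the original article or Oracle's or Searchlight Cyber's own tooling, the following Python script turns the two URL shapes described above (a "?WSDL" query suffix or a semicolon path parameter naming "wadl") and the shared user-agent observation into a small detection pass over web-server access logs. The log format, the "/iam/" REST base path and all log lines are constructed assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access-log lines (not real telemetry). Assumed format:
# <client-ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
10.0.0.5 GET /identity/faces/home 200 "Mozilla/5.0"
203.0.113.7 POST /iam/governance/api/v1/applications?WSDL 200 "python-requests/2.31"
203.0.113.7 POST /iam/governance/api/v1/templates;wadl 200 "python-requests/2.31"
10.0.0.9 GET /iam/governance/api/v1/users 401 "Mozilla/5.0"
198.51.100.2 POST /iam/governance/api/v1/templates?wsdl 200 "curl/8.4"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# The two URL shapes the article describes: a WSDL query-string suffix, or a
# semicolon path parameter naming wadl. Matching is case-insensitive so that
# trivial spelling variants of the same suffix are not missed.
WSDL_QUERY = re.compile(r"(^|&)wsdl(=|&|$)", re.IGNORECASE)
WADL_PARAM = re.compile(r";[^/]*wadl", re.IGNORECASE)

def is_bypass_shape(url: str) -> bool:
    """True if the request URL carries one of the descriptor-style suffixes."""
    parts = urlsplit(url)  # urlsplit keeps ';param' inside .path (urlparse would not)
    return bool(WSDL_QUERY.search(parts.query) or WADL_PARAM.search(parts.path))

def find_suspicious(log_text: str, api_prefix: str = "/iam/") -> list:
    """Return parsed requests under api_prefix (assumed REST base path) whose
    URL matches the bypass shape, with the fields an analyst needs for triage."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, method, url, status, ua = m.groups()
        if url.startswith(api_prefix) and is_bypass_shape(url):
            hits.append({"ip": ip, "method": method, "url": url,
                         "status": int(status), "user_agent": ua})
    return hits

def hits_per_user_agent(hits: list) -> Counter:
    """Group hits by User-Agent: one agent across many hits is the pattern the
    article notes as a possible single actor or automated scanning platform."""
    return Counter(h["user_agent"] for h in hits)

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["method"]} {h["url"]} -> {h["status"]} [{h["user_agent"]}]')
    print(hits_per_user_agent(found))
```

A 2xx status on a matching request to an endpoint that should require authentication is the strongest signal; a 401 on the same shape still records that the suffix was tried.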