The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Oracle Identity Manager vulnerability to its Known Exploited Vulnerabilities database after the SANS Internet Storm Center reported attack attempts on the flaw.
CVE-2025-61757 is a 9.8-severity Missing Authentication for Critical Function vulnerability in the Identity Manager product of Oracle Fusion Middleware that was patched as part of Oracle’s October update and detailed in a blog post last week by Searchlight Cyber, which had discovered the vulnerability and reported it to Oracle.
Following the Searchlight post, the SANS Internet Storm Center looked for exploitation attempts on the vulnerability and found evidence as far back as August 30.
“Given the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors,” Searchlight Cyber said in its post.
Cyble threat intelligence researchers had flagged the vulnerability as important following Oracle’s October update.
Oracle Identity Manager Vulnerability CVE-2025-61757 Explained
CVE-2025-61757 affects the REST WebServices component of Identity Manager in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0.
The easily exploitable pre-authentication remote code execution (RCE) vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of the vulnerability can result in takeover of Identity Manager.
The Searchlight researchers began looking for vulnerabilities after an Oracle Cloud breach earlier this year exploited a host that Oracle had failed to patch for CVE-2021-35587.
In the source code for the Oracle Identity Governance Suite, the researchers found that that the application compiles Groovy script but doesn’t execute it. Taking inspiration from a previous Java capture the flag (CTF) event, they noted that Java annotations are executed at compile time, not at run time, so they are free from the constraints of the Java security manager and can call system functions and read files just like regular Java code.
“Since Groovy is built on top of Java, we felt we should be able to write a Groovy annotation that executes at compile time, even though the compiled code is not actually run,” they said. After experimenting with the code, they achieved RCE.
“The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws,” the Searchlight researchers said. “Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters.
“Participating in CTFs, or even staying up to date with research in the CTF space, continues to pay dividends, giving us unique insights into how we can often turn a seemingly unexploitable bug into an exploitable one.”
Oracle EBS Victims Climb Past 100
Meanwhile, the number of victims from the CL0P ransomware group’s exploitation of Oracle E-Business Suite vulnerabilities has now climbed past 100 after the threat group claimed additional victims late last week.
Mazda and Cox Enterprises are the latest to confirm being breached, bringing the confirmed total to seven so far. Mazda said it was able to contain the breach without system or data impact, but Cox said the personal data of more than 9,000 was exposed.
