Critical Oracle Identity Manager Vulnerability Added to CISA’s Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a significant security flaw affecting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog. This critical vulnerability, tracked as CVE-2025-61757, has been confirmed to be actively exploited in the wild, prompting urgent action from organizations reliant on this identity management software.
CISA’s inclusion of CVE-2025-61757 signifies a heightened threat level, as it indicates that attackers are actively leveraging this weakness. The vulnerability carries a severe CVSS score of 9.8 and allows for pre-authenticated remote code execution, a particularly dangerous exploit that can lead to complete system compromise without requiring any prior user authentication. Oracle had previously addressed this flaw in its quarterly updates released in October 2025.
Details of the Oracle Identity Manager Exploit
The vulnerability, discovered by Searchlight Cyber researchers Adam Kues and Shubham Shah, resides within Oracle Fusion Middleware. It allows unauthenticated remote attackers to gain control over the Identity Manager system. Attackers can exploit this by manipulating authentication flows, escalating their privileges within the affected network, and subsequently moving laterally across an organization’s critical IT infrastructure.
At its core, the flaw is a failure in a security filter that is meant to protect certain API endpoints. By appending strings such as “?WSDL” or “;.wadl” to the request’s Uniform Resource Identifier (URI), attackers can make the filter treat a request for a protected endpoint as if it were a request for a publicly accessible resource. The bypass is attributed to an overly simplistic allow-list mechanism that relies on flawed regular-expression or string matching against the raw request URI rather than the path the application actually routes on.
The researchers elaborated that these types of filters are often susceptible to circumvention. Once the authentication bypass is achieved, attackers can target the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus” endpoint. By sending a carefully crafted HTTP POST request, they can achieve remote code execution, even though this specific endpoint is designed solely for checking the syntax of Groovy code and not for its actual execution.
Evidence of Zero-Day Exploitation
The timing of CVE-2025-61757’s addition to the KEV catalog aligns with independent observations of suspicious network activity. Johannes B. Ullrich, dean of research at the SANS Technology Institute, reported analyzing honeypot logs that revealed numerous attempts to access the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl” URL via HTTP POST requests between August 30 and September 9, 2025. This activity predates Oracle’s official patch release and CISA’s public warning.
Ullrich noted that these scanning attempts originated from several different IP addresses. However, a consistent user agent string across these attempts suggests that a single actor or group may be behind the exploitation. While the exact content of the POST requests was not captured, the “content-length” header indicated a payload size of 556 bytes, consistent with an exploit attempt. The IP addresses identified in these attempts include 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153.
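As an added example (not code from the article, Searchlight Cyber, SANS or Oracle), the kind of access-log check a defender could run to surface the probing Ullrich describes: requests whose URI routes to the groovyscriptstatus endpoint but carry a ";..." path parameter or "?WSDL" query suffix, aggregated by source IP and user agent. The log format (Apache combined), the timestamps and the user-agent string are assumptions for the example; the sample lines are constructed, reusing only the IP addresses quoted above.

```python
import re
from collections import Counter

# Endpoint named in the article; the bypass relies on a trailing ";..." path
# parameter or "?WSDL" query that the URI allow-list did not account for.
TARGET_PATH = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"

# Apache "combined" log format (assumed; adapt the regex to your server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real honeypot data: IPs are those quoted in the
# article, timestamps and the user agent are made up for the example.
SAMPLE_LOG = """\
89.238.132.76 - - [30/Aug/2025:10:12:01 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 404 0 "-" "Mozilla/5.0 example-scanner"
10.0.0.5 - - [02/Sep/2025:09:00:00 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications HTTP/1.1" 200 512 "-" "curl/8.0"
185.245.82.81 - - [02/Sep/2025:03:44:17 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus?WSDL HTTP/1.1" 404 0 "-" "Mozilla/5.0 example-scanner"
10.0.0.6 - - [05/Sep/2025:11:30:00 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1" 401 0 "-" "curl/8.0"
138.199.29.153 - - [09/Sep/2025:22:05:43 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 404 0 "-" "Mozilla/5.0 example-scanner"
"""

def normalize_path(uri):
    """Drop the query string and any ';param' segment suffixes: the path the backend routes on."""
    path = uri.split("?", 1)[0]
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def is_suspicious(uri):
    """Routes to the protected endpoint, yet the raw URI carries a suffix of some kind."""
    return normalize_path(uri) == TARGET_PATH and uri != TARGET_PATH

def scan(log_text):
    """One record per request in the log text that looks like a filter-bypass probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["uri"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "uri": m["uri"], "ua": m["ua"]})
    return hits

def summarize(hits):
    """Distinct source IPs and user-agent counts: the two signals the article
    uses to argue that one actor was behind scans from several addresses."""
    return sorted({h["ip"] for h in hits}), Counter(h["ua"] for h in hits)
```

A plain POST to the exact endpoint path (the 10.0.0.6 line) is not flagged, since that is how the endpoint is legitimately reached; only suffixed variants are.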
The presence of such activity before a known patch indicates that CVE-2025-61757 may have been exploited as a zero-day vulnerability. This means it was actively used by attackers before the software vendor was aware of it, or before a fix was made available to the public.
Mandatory Remediation for Federal Agencies
In response to the confirmed active exploitation, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies must apply the necessary security patches to mitigate CVE-2025-61757 by December 12, 2025. This stringent deadline underscores the severity of the threat and the critical need to secure these systems against potential breaches.