Warning about vulnerability in Oracle Identity Manager
Briefly

"CISA warns that a critical vulnerability in Oracle Identity Manager is being actively exploited. The flaw, CVE-2025-61757, allows remote code execution without authentication and poses an immediate risk to organizations that rely on the platform for identity and access management. According to The Hacker News, the vulnerability affects both older and newer versions of Oracle Identity Manager and could have significant consequences in many environments, as the product is often deeply integrated into business processes and other applications."
"The bypass occurs because a security filter in the REST APIs is not robust enough. By adding parameters such as question mark-WSDL or semicolon-wadl to a URL, the system treats secure endpoints as if they were freely accessible. This allows access to internal functionality without authentication. The researchers demonstrate that the vulnerability is not only easy to exploit but also widely applicable within different configurations of Oracle Identity Manager."
"An attacker who enters via the bypass can then access an endpoint used to compile Groovy code. Although it does not normally execute scripts, it can still be used to run code during compilation by exploiting Groovy annotations. This creates an attack path that leads to full remote code execution. This can be done without the victim having to interact at all. Login credentials are also unnecessary. This makes the flaw particularly attractive to cybercriminals and other threat actors."
A critical vulnerability, CVE-2025-61757, in Oracle Identity Manager enables unauthenticated remote code execution and is actively exploited. The flaw affects older and newer product versions and threatens organizations that use the platform for identity and access management. Searchlight Cyber researchers Adam Kues and Shubham Shah found that a REST API security filter can be bypassed by appending parameters such as ?-WSDL or ;-wadl, causing secure endpoints to be treated as publicly accessible. Exploitation permits access to an endpoint that compiles Groovy code, enabling code execution via Groovy annotations without credentials or user interaction. Oracle released a patch on October 21, 2025, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, making patching mandatory for US government agencies under BOD 22-01 with a December 12 deadline.
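The filter bypass summarized above is a path-canonicalization problem: an authorization check that decides on the raw request string can be fooled by a suffix that the check itself treats as harmless. The following Python, added here as an illustration and not Oracle's code, contrasts a hypothetical weak allowlist check with one that decides on the canonical path, and runs a detection pass over constructed access-log lines that flags requests carrying the `?WSDL` / `;wadl` suffixes the article names against a protected prefix. The prefix `/idm/api/`, the public path `/idm/api/ping`, the log format and the addresses are all assumptions made for the example.

```python
"""
Added illustration for the filter-bypass class described above: a naive
allowlist check that looks at the raw request string, a hardened check that
decides on the canonical path, and a scanner that flags the suffixed
requests in access-log lines. All paths, hosts and log lines are constructed
for this example; none of it is Oracle Identity Manager code or configuration.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed: the protected REST prefix and the only path meant to be public.
PROTECTED_PREFIX = "/idm/api/"
PUBLIC_PATHS = {"/idm/api/ping"}

# Suffixes named in the article; the optional hyphen also accepts the
# article's rendering "?-WSDL" / ";-wadl".
BYPASS_SUFFIX_RE = re.compile(r"(\?-?WSDL|;-?wadl)\s*$", re.IGNORECASE)


def is_public_naive(raw_uri: str) -> bool:
    """Hypothetical weak filter: anything that looks like a request for a
    service description (WSDL/WADL) is waved through, so the suffix turns a
    protected endpoint into a public one."""
    if BYPASS_SUFFIX_RE.search(raw_uri):
        return True
    return urlsplit(raw_uri).path in PUBLIC_PATHS


def normalize_path(raw_uri: str) -> str:
    """Canonical path: drop the query string, strip matrix parameters
    (";key=value"), percent-decode, and collapse empty and dot segments."""
    segments = []
    for seg in unquote(urlsplit(raw_uri).path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_public_hardened(raw_uri: str) -> bool:
    """Hardened filter: the decision is made on the canonical path alone, so
    no query or matrix suffix can change which endpoints are public."""
    return normalize_path(raw_uri) in PUBLIC_PATHS


# Common-log-format line; fields beyond the status code are ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (timestamp, source, raw_uri, status) for every request whose
    raw URI carries a bypass suffix and resolves to a protected, non-public
    path. Status is kept so a 200 (served) stands out from a 401/403 (blocked)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri")
        if not BYPASS_SUFFIX_RE.search(uri):
            continue
        path = normalize_path(uri)
        if not path.startswith(PROTECTED_PREFIX) or path in PUBLIC_PATHS:
            continue
        hits.append((m.group("ts"), m.group("src"), uri, int(m.group("status"))))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2025:10:01:02 +0000] "GET /idm/api/ping HTTP/1.1" 200 51',
    '203.0.113.7 - - [21/Nov/2025:10:01:05 +0000] "GET /idm/api/users?WSDL HTTP/1.1" 200 2310',
    '198.51.100.9 - - [21/Nov/2025:10:02:11 +0000] "POST /idm/api/admin;wadl HTTP/1.1" 200 77',
    '198.51.100.9 - - [21/Nov/2025:10:02:30 +0000] "GET /idm/api/users HTTP/1.1" 401 0',
    '192.0.2.4 - - [21/Nov/2025:10:03:00 +0000] "GET /soap/catalog?WSDL HTTP/1.1" 200 9001',
    '192.0.2.4 - - [21/Nov/2025:10:03:40 +0000] "GET /idm/api/ping?WSDL HTTP/1.1" 200 51',
]

if __name__ == "__main__":
    for ts, src, uri, status in scan_access_log(SAMPLE_LOG):
        verdict = "SERVED" if status == 200 else "blocked"
        print(f"{ts} {src} {uri} -> {status} ({verdict})")
```

The design point is that the hardened check never looks at the raw URI: it canonicalizes first and compares the result against an explicit allowlist, so the same suffix that flips the naive check has no effect. For triage, a flagged request answered with 200 on a protected path is the case worth pulling the full request body and follow-on activity for; a 401 or 403 shows the probe was turned away.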
Read at Techzine Global