The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly identified Oracle vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The flaw, tracked as CVE-2025-61757, affects Oracle Identity Manager, a core component of Oracle Fusion Middleware. CISA has classified it as a “missing authentication for critical function” issue, which enables remote, unauthenticated attackers to access privileged functionality. Successful exploitation can lead to remote code execution (RCE) and full compromise of the identity platform.
Vulnerability Summary - CVE-2025-61757
| Field | Value |
|---|---|
| CVE ID | CVE-2025-61757 |
| Vulnerability Type | Missing Authentication for Critical Function |
| Affected Product | Oracle Fusion Middleware / Oracle Identity Manager |
| Affected Versions | 12c 12.2.1.4.0 (and potentially additional versions) |
Impact on Identity and Access Management Environments
Oracle Identity Manager—also known as Oracle Identity Governance—is widely deployed across enterprise and government environments to manage user accounts, credentials, and access rights.
Because identity platforms sit at the center of authentication workflows, a compromise can quickly escalate to domain-wide or cloud-wide access.
Security researchers from Searchlight Cyber’s Assetnote team discovered that several REST API endpoints in Oracle Identity Manager failed to enforce proper authentication.
By manipulating how the product handles URL patterns and filters, attackers can cause the system to treat protected endpoints as publicly accessible.
Once beyond the authentication boundary, attackers can reach functionality responsible for processing Groovy scripts. Although intended only for syntax validation, this feature can be abused to execute arbitrary code during compilation—effectively turning a logic flaw into a powerful pre-authentication RCE pathway.
This discovery follows an earlier major breach of Oracle Cloud’s login service in January, where attackers reportedly exploited a separate Oracle Access Manager vulnerability (CVE-2021-35587) to gain RCE and exfiltrate millions of records.
CVE-2025-61757 affects related identity components and, if unpatched, could have enabled similar exploitation against Oracle’s own infrastructure.
CISA warns that the vulnerability is particularly concerning due to its remote, unauthenticated attack vector. With many Oracle Identity Manager instances accessible over the internet, the exposure is significant.
The vulnerability was added to the KEV catalog on November 21, 2025.
Under Binding Operational Directive BOD 22-01, federal civilian agencies are required to apply Oracle's patches, follow the directive's guidance for cloud services, or discontinue use of the affected product by December 12, 2025.
Recommended Actions for Organizations
- Apply the latest Oracle Critical Patch Update without delay
- Limit external exposure of identity and administrative services
- Review identity and access management configurations
- Monitor for suspicious access to REST APIs and script-processing features
- Strengthen logging and detection around identity infrastructure
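The article describes the flaw as REST endpoints whose authentication checks could be sidestepped through the product's handling of URL patterns and filters, with a script-validation feature reachable behind them, and it recommends monitoring for suspicious access to REST APIs and script-processing features. The following detector is an added example, not Oracle's code and not part of the original article. It reads access-log lines in a combined-log-like format and raises a finding when a request to a protected REST prefix succeeded without an authenticated principal, or when the request path only resolves to a protected resource after normalisation (matrix parameters, percent-encoding, dot segments), which is the generic signature of URL-pattern probing. The protected prefix `/identity/rest/`, the script-path markers, and the log lines are all constructed assumptions; the real product paths and the specific bypass are not given on this page, so adapt the prefix to what your deployment actually exposes.

```python
"""Flag suspicious access to identity-manager REST APIs in access logs.

Added detection example (assumptions: the log format, the protected
prefix, the script-feature path markers and the sample lines below).
"""
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Assumption: every path under this prefix requires authentication.
PROTECTED_PREFIXES = ("/identity/rest/",)          # placeholder, not a real product path
# Assumption: segments that reach script validation / compilation features.
SCRIPT_MARKERS = ("script", "groovy")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def normalise_path(raw: str) -> str:
    """Canonicalise a request path the way an auth filter should see it:
    drop the query string, strip ';matrix' parameters from each segment,
    percent-decode twice (catches double encoding), collapse dot segments
    and duplicate slashes, and lower-case for comparison."""
    path = raw.split("?", 1)[0]
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = unquote(unquote(path))
    path = posixpath.normpath(path)
    if raw.startswith("/") and not path.startswith("/"):
        path = "/" + path
    return path.lower()


def is_protected(path: str) -> bool:
    return any(path.startswith(p) for p in PROTECTED_PREFIXES)


def analyse_line(line: str) -> Optional[Finding]:
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable line: ignore here
    raw = m.group("target")
    raw_path = raw.split("?", 1)[0]
    canon = normalise_path(raw)
    status = int(m.group("status"))
    if not is_protected(canon) or status >= 400:
        return None                      # not a protected resource, or refused
    if raw_path.lower().rstrip("/") != canon:
        # The protected resource was only reached after normalisation:
        # the raw form carried matrix params, encoding or dot segments.
        return Finding(m.group("ip"), raw, "path-normalisation-mismatch")
    if m.group("user") == "-":
        # A 2xx on a protected endpoint with no authenticated principal.
        hit_script = any(s in canon for s in SCRIPT_MARKERS)
        reason = "unauthenticated-script-endpoint" if hit_script else "unauthenticated-protected"
        return Finding(m.group("ip"), raw, reason)
    return None


def analyse_log(lines: List[str]) -> List[Finding]:
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


# Constructed sample log lines (not real traffic, not from the article).
SAMPLE_LOG = [
    '10.0.0.5 - alice [21/Nov/2025:10:00:01 +0000] "GET /identity/rest/users/42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Nov/2025:10:00:02 +0000] "GET /identity/rest/users/42 HTTP/1.1" 401 0',
    '203.0.113.9 - - [21/Nov/2025:10:00:03 +0000] "POST /identity/rest/script/validate;x=1 HTTP/1.1" 200 88',
    '203.0.113.9 - - [21/Nov/2025:10:00:04 +0000] "POST /identity/rest/script/validate HTTP/1.1" 200 88',
    '10.0.0.7 - bob [21/Nov/2025:10:00:05 +0000] "GET /public/health HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f.ip}  {f.reason}  {f.path}")
```

On the constructed sample the authenticated request and the refused 401 produce nothing, while the two successful anonymous requests to the script path are reported, one for the path-normalisation mismatch and one for reaching a script endpoint without a principal. The normalisation check is deliberately broader than any single product bug: it fires whenever the web tier and the authentication filter could be seeing different paths, which is the class of problem the article describes.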