Critical Oracle Identity Manager Vulnerability Under Active Exploitation
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical security flaw in Oracle Identity Manager, identified as CVE-2025-61757. This vulnerability enables unauthenticated remote attackers to execute arbitrary code on affected systems, posing a significant threat to both enterprise and government networks.
Background and Discovery
Earlier this year, a substantial breach involving Oracle Cloud’s login service exposed over six million records. In the aftermath, security researchers at Searchlight Cyber conducted a thorough analysis of Oracle Cloud’s login infrastructure. Their investigation uncovered a severe pre-authentication Remote Code Execution (RCE) flaw within the Oracle Identity Governance Suite, the same software stack compromised in the previous incident.
Technical Details of the Vulnerability
The root of the vulnerability lies in the application’s SecurityFilter mechanism, specifically within the web.xml configuration file. This filter is designed to manage authentication checks but relies on a flawed regular expression whitelist. Developers intended to permit unauthenticated access to Web Application Description Language (WADL) files. However, the implementation failed to account for how Java interprets request Uniform Resource Identifiers (URIs).
Attackers can exploit this flaw by appending specific matrix parameters to the URL, effectively bypassing authentication. For instance, adding ;.wadl to a request URI tricks the server into treating the request as a harmless WADL retrieval, while the underlying Java servlet processes it as a valid API call. This discrepancy grants attackers unrestricted access to restricted REST endpoints, such as /iam/governance/applicationmanagement.
Exploitation and Impact
Once authentication is bypassed, threat actors can leverage the groovyscriptstatus endpoint to achieve code execution. Although this endpoint is intended solely to syntax-check Groovy scripts without executing them, it does perform compilation. By injecting a script containing the @ASTTest annotation, attackers can force the Java compiler to execute arbitrary code during the compilation phase. This technique effectively transforms a syntax checker into a fully functional remote shell, granting control over the host system.
The severity of this vulnerability is heightened by the fact that it requires no prior access or credentials. The combination of a straightforward authentication bypass and a reliable method for code execution makes it an attractive target for ransomware groups and state-sponsored actors.
Recommendations and Mitigation
Organizations utilizing Oracle Identity Governance Suite 12c are strongly advised to take immediate action:
1. Apply Patches Promptly: Oracle has released patches addressing this vulnerability. Organizations should apply these updates without delay to mitigate the risk of exploitation.
2. Isolate Affected Services: If immediate patching is not feasible, consider isolating the affected services from the public internet to reduce exposure.
3. Monitor for Indicators of Compromise (IoCs): Implement monitoring mechanisms to detect any signs of exploitation, such as unusual access patterns or unexpected system behavior.
4. Review Access Controls: Ensure that access controls are appropriately configured to limit exposure and prevent unauthorized access.
By taking these steps, organizations can significantly reduce the risk associated with this critical vulnerability and protect their systems from potential exploitation.
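As an added example for the monitoring step above (this is not code from the article, CISA or Oracle), the following Python scans web-server access logs for the two request patterns the article describes: a matrix parameter ending in `.wadl` appended to a path under `/iam/governance/` (the authentication-bypass shape) and any request reaching a `groovyscriptstatus` endpoint. The log lines are constructed for the example, the Common Log Format and the exact path of the `groovyscriptstatus` endpoint are assumptions, and percent-decoding is applied first so `%3B` is treated as `;`.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
# The groovyscriptstatus path is an assumed location, not taken from the article.
SAMPLE_LOG = """
10.0.0.5 - - [20/Nov/2025:10:01:02 +0000] "GET /iam/governance/applicationmanagement;.wadl HTTP/1.1" 200 512
10.0.0.5 - - [20/Nov/2025:10:01:03 +0000] "POST /iam/governance/applicationmanagement/groovyscriptstatus%3B.wadl HTTP/1.1" 200 88
10.0.0.9 - - [20/Nov/2025:10:02:00 +0000] "GET /iam/governance/applicationmanagement/application.wadl HTTP/1.1" 200 2048
10.0.0.7 - - [20/Nov/2025:10:03:00 +0000] "GET /identity/faces/home HTTP/1.1" 200 1024
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD URI PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# A matrix parameter (";name[=value]") whose text ends in ".wadl" at the end of a
# path segment: the shape that makes a whitelist matching "*.wadl" misfire while
# the servlet container still routes to the underlying REST resource.
MATRIX_WADL_RE = re.compile(r';[^/?]*\.wadl(?=/|$)', re.IGNORECASE)


def analyze_request(uri):
    """Return the list of reasons a request URI is suspicious (empty if none)."""
    path = unquote(uri.split('?', 1)[0])  # decode %3B -> ';' before matching
    reasons = []
    if path.startswith('/iam/governance/') and MATRIX_WADL_RE.search(path):
        reasons.append('matrix-parameter .wadl suffix on governance REST path')
    if 'groovyscriptstatus' in path.lower():
        reasons.append('request to groovyscriptstatus (script compilation endpoint)')
    return reasons


def scan_log(text):
    """Parse access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip blank or non-CLF lines
        reasons = analyze_request(m['uri'])
        if reasons:
            findings.append({'ip': m['ip'], 'method': m['method'],
                             'uri': m['uri'], 'status': int(m['status']),
                             'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['uri']} -> {'; '.join(f['reasons'])}")
```

A genuine WADL retrieval (the third sample line, with no matrix parameter) is not flagged, so the rule keys on the bypass shape rather than on `.wadl` alone.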