CISA Alerts on Critical Oracle Identity Manager Vulnerability Under Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security flaw affecting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, highlighting evidence of active exploitation.
Identified as CVE-2025-61757, this vulnerability carries a CVSS score of 9.8, placing it in the critical severity range. The flaw arises from missing authentication for a critical function, potentially allowing unauthenticated remote attackers to execute arbitrary code. Affected versions include 12.2.1.4.0 and 14.1.2.1.0. Oracle addressed this issue in its quarterly updates released last month.
CISA’s advisory states, "Oracle Fusion Middleware contains a missing authentication for a critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager."
Researchers Adam Kues and Shubham Shah from Searchlight Cyber, who discovered the flaw, explained that attackers could exploit this vulnerability to access API endpoints. This access could enable them to manipulate authentication flows, escalate privileges, and move laterally across an organization’s core systems.
The vulnerability stems from a bypass of a security filter: appending ?WSDL or ;.wadl to any URI causes a protected endpoint to be treated as publicly accessible. The root cause is a faulty allow-list mechanism that decides which requests are public by applying regular expressions or string matching to the request URI, so a suffix that matches a "public" pattern is enough to skip authentication on an otherwise protected path.
The authentication bypass can be combined with a request to the /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus endpoint to achieve remote code execution. This endpoint is intended only to check the syntax of submitted Groovy code, not to execute it, yet a specially crafted HTTP POST to it is sufficient for exploitation: the researchers found that a Groovy annotation can be written to execute at compile time, so code runs during the syntax check even though the compiled result is never actually invoked.
The inclusion of CVE-2025-61757 in the KEV catalog follows observations by Johannes B. Ullrich, the dean of research at the SANS Technology Institute. An analysis of honeypot logs revealed multiple attempts to access the URL /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl via HTTP POST requests between August 30 and September 9, 2025.
Ullrich noted, "There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker." He added that while the bodies of these requests were not captured, all were POST requests with a content-length header indicating a 556-byte payload.
This suggests that the vulnerability may have been exploited as a zero-day, prior to Oracle’s release of a patch. The IP addresses from which these attempts originated include:
– 89.238.132[.]76
– 185.245.82[.]81
– 138.199.29[.]153
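The suffix-bypass pattern described above and the honeypot observation (several source IPs sharing one User-Agent) can both be turned into a simple access-log check. The following Python is an added example written for this article, not code from CISA, Oracle, or the researchers; the log format, the protected path prefix /iam/governance/, and the sample lines are assumptions or constructed data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Combined-log-format parser (field layout assumed; adapt to your server's access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?')
# Assumed prefix of the protected Identity Manager REST API (the article names one endpoint under it).
PROTECTED_PREFIXES = ("/iam/governance/",)
# Constructed sample lines, not real honeypot data.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2025:10:15:01 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 41 "-" "Mozilla/5.0 (scanner)"
203.0.113.11 - - [01/Sep/2025:10:15:02 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications?WSDL HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (scanner)"
198.51.100.5 - - [01/Sep/2025:10:16:00 +0000] "GET /ws/someservice?WSDL HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.12 - - [01/Sep/2025:10:17:00 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1" 401 0 "-" "curl/8.0"
"""

def bypass_reason(target):
    """Return why a request target looks like a filter-bypass attempt, else None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if not path.startswith(PROTECTED_PREFIXES):
        return None  # a ?WSDL on a genuine SOAP path elsewhere is normal traffic
    if ";.wadl" in path:  # matrix-parameter style suffix on a protected path
        return "path contains ';.wadl' suffix"
    query_keys = [kv.split("=", 1)[0].lower() for kv in parts.query.split("&") if kv]
    if "wsdl" in query_keys:  # ?WSDL on a REST path that serves no WSDL
        return "query contains 'WSDL' on a REST endpoint"
    return None

def flag_bypass_attempts(log_text):
    """Parse access-log lines and return those matching the bypass pattern."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        reason = bypass_reason(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "method": m["method"], "target": m["target"],
                         "status": m["status"], "ua": m["ua"] or "-", "reason": reason})
    return hits

def ips_per_user_agent(hits):
    """Group flagged source IPs by User-Agent; many IPs sharing one UA suggests one actor."""
    groups = defaultdict(set)
    for h in hits:
        groups[h["ua"]].add(h["ip"])
    return {ua: sorted(ips) for ua, ips in groups.items()}

if __name__ == "__main__":
    print(ips_per_user_agent(flag_bypass_attempts(SAMPLE_LOG)))
```

A 200 response on a flagged line deserves more attention than a 401, since the bypass only matters when the server actually served the protected endpoint.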
In response to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary patches by December 12, 2025, to secure their networks.