Critical Oracle Identity Manager Vulnerability Under Active Exploitation
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in Oracle Identity Manager, tracked as CVE-2025-61757, to its Known Exploited Vulnerabilities (KEV) catalog, confirming that it is being exploited in the wild. The vulnerability lets an unauthenticated remote attacker execute arbitrary code on the server over HTTP, with no credentials or prior foothold, which makes it a direct threat to the enterprise and government networks that run the product as their identity backbone.
Background and Discovery
Earlier this year, a breach of Oracle Cloud's login service was reported to have exposed more than six million records. Prompted by that incident, researchers at Searchlight Cyber examined the software stack involved, Oracle Identity Manager, the identity-administration component of the Oracle Identity Governance suite, and found a severe pre-authentication Remote Code Execution (RCE) flaw. The root cause is a servlet filter named SecurityFilter, declared in the application's web.xml, whose authentication bypass can be chained with a second weakness to run code on the host.
Technical Details
The SecurityFilter enforces authentication for the application's REST endpoints but carries a regular-expression allowlist that permits unauthenticated retrieval of Web Application Description Language (WADL) files, the machine-readable descriptions of the REST API. The flaw is a mismatch between what the filter matches and what the servlet container actually routes. The filter evaluated its allowlist against the raw request URI, but Java servlet containers strip path parameters (the ";name=value" matrix parameters that RFC 3986 allows inside a path segment) before resolving the target resource. Appending a matrix parameter such as ";.wadl" to a protected endpoint therefore produces a URI that the filter accepts as a harmless WADL download while the container dispatches it to the real API endpoint. The result is a complete authentication bypass for any endpoint reachable this way.
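The allowlist-versus-routing mismatch described above, modelled in Python as an added example (this is not Oracle's code and not Searchlight Cyber's proof of concept). The allowlist regex, the endpoint path and the routing function are assumptions chosen to mirror the article's description; the real web.xml pattern and the real JAX-RS path are not reproduced here. The example shows the vulnerable check, a hardened check that normalises the path the same way the container does before matching, and a tiny request handler so the two behaviours can be compared on the same input.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist, modelled on the article: anything ending in ".wadl" may be
# fetched without authentication.  The real web.xml regex is not reproduced.
WADL_ALLOWLIST = re.compile(r".*\.wadl$")

# Assumed (hypothetical) path for the groovyscriptstatus endpoint; the article
# names only the endpoint, not its full URL.
GROOVY_STATUS = "/api/v1/applications/groovyscriptstatus"


def strip_path_params(raw_path: str) -> str:
    """Servlet-container style normalisation: drop the ';...' matrix
    parameters from every path segment before routing.  This is what the
    container does and what the vulnerable filter failed to do."""
    return "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))


def filter_allows_unauthenticated_vuln(request_uri: str) -> bool:
    """Vulnerable check: matches the allowlist against the raw path, so
    '/.../groovyscriptstatus;.wadl' looks like a WADL request."""
    path = urlsplit(request_uri).path  # urlsplit keeps ';' inside the path
    return WADL_ALLOWLIST.match(path) is not None


def filter_allows_unauthenticated_fixed(request_uri: str) -> bool:
    """Hardened check: normalise exactly as the router will, then match.
    The filter and the router now agree on which resource is being asked for."""
    path = strip_path_params(urlsplit(request_uri).path)
    return WADL_ALLOWLIST.match(path) is not None


def route(request_uri: str) -> str:
    """Container routing: matrix parameters never reach the resource lookup."""
    return strip_path_params(urlsplit(request_uri).path)


def handle(request_uri: str, authenticated: bool, allow_fn) -> str:
    """Minimal request pipeline: SecurityFilter first, then dispatch.
    Returns a short status string so the outcome can be asserted on."""
    if not authenticated and not allow_fn(request_uri):
        return "401"
    target = route(request_uri)
    if target == GROOVY_STATUS:
        return "200 groovyscriptstatus"
    if target.endswith(".wadl"):
        return "200 wadl"
    return "404"


if __name__ == "__main__":
    smuggled = GROOVY_STATUS + ";.wadl"
    print("vulnerable filter:", handle(smuggled, False, filter_allows_unauthenticated_vuln))
    print("fixed filter:     ", handle(smuggled, False, filter_allows_unauthenticated_fixed))
    print("real WADL, fixed: ", handle("/api/v1/application.wadl", False, filter_allows_unauthenticated_fixed))
```

The general lesson is the one the article points at: an authorisation decision must be made on the same canonical form of the request that the dispatcher uses, otherwise every normalisation the container performs (matrix parameters, percent-decoding, dot-segment removal) becomes a potential bypass.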
With authentication bypassed, the attacker turns to the groovyscriptstatus endpoint to obtain code execution. The endpoint is meant only to report whether a submitted Groovy script is syntactically valid, and it does so by compiling the script rather than running it. That distinction does not hold for Groovy: the @ASTTest annotation attaches a closure that the Groovy compiler executes during its own compilation phases, so a script carrying @ASTTest runs attacker-supplied code as a side effect of being "checked". The syntax checker thereby becomes an arbitrary code execution primitive on the host, running with the privileges of the account that owns the Identity Manager server process.
Implications
The severity of this vulnerability comes from the fact that the whole chain needs no prior access, no credentials and no user interaction: a trivially reproducible authentication bypass followed by a reliable, deterministic code-execution step. A flaw of that shape in an identity system, which holds credentials and entitlements for the rest of the estate, is exactly what ransomware crews and state-sponsored actors look for, and CISA's KEV listing confirms that it is already being used.
Recommendations
Organizations running Oracle Identity Governance Suite 12c should apply Oracle's fix for CVE-2025-61757 from the October 2025 Critical Patch Update immediately, and, until the patch is confirmed installed, remove the Identity Manager web tier from direct internet exposure. Because exploitation is already under way, patching alone is not sufficient: review web server and WebLogic access logs for requests whose path carries a ";.wadl" (or any other ";...") matrix parameter on a non-WADL endpoint, and for any request reaching groovyscriptstatus from an unexpected source. Such requests on an unpatched system should be treated as indicators of compromise and investigated as a likely breach rather than as a blocked attempt.
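The log review recommended above, as an added example in Python that is not part of the original article or of any vendor tooling. The sample log lines are constructed for the example in a common access-log layout, and the groovyscriptstatus path is an assumed placeholder, since the article names only the endpoint. The scan flags two things the article describes: a matrix parameter smuggled onto a path whose real target is not a WADL file, and any request that, after container-style normalisation, lands on groovyscriptstatus.

```python
import re
from dataclasses import dataclass, field

# Hypothetical endpoint path (the article names only "groovyscriptstatus").
GROOVY_STATUS = "/api/v1/applications/groovyscriptstatus"

# Constructed sample lines for the example, not real traffic.  Line 1 is a
# legitimate WADL fetch, lines 2-3 are the bypass pattern, line 4 is noise.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2025:10:01:02 +0000] "GET /api/v1/applications.wadl HTTP/1.1" 200 5120
203.0.113.7 - - [21/Nov/2025:10:02:15 +0000] "POST /api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 88
203.0.113.7 - - [21/Nov/2025:10:02:16 +0000] "GET /api/v1/applications/groovyscriptstatus;.wadl?x=1 HTTP/1.1" 200 88
10.0.0.9 - - [21/Nov/2025:10:03:00 +0000] "GET /identity/faces/home HTTP/1.1" 302 0
"""

# Common/combined log format: client, two dashes, [timestamp], "METHOD PATH PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    src: str
    ts: str
    method: str
    raw_path: str
    normalised: str
    status: int
    reasons: list = field(default_factory=list)


def strip_path_params(path: str) -> str:
    """Drop ';...' matrix parameters from every segment, as the servlet container does."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def analyse_request(src: str, ts: str, method: str, target: str, status: int):
    """Return a Finding if the request looks like the CVE-2025-61757 pattern, else None."""
    raw_path = target.split("?", 1)[0]  # query string is irrelevant to the filter
    normalised = strip_path_params(raw_path)
    reasons = []
    if ";" in raw_path and not normalised.endswith(".wadl"):
        # The filter saw one thing, the router another: allowlist smuggling.
        reasons.append("matrix parameter on non-WADL path")
    if normalised == GROOVY_STATUS:
        reasons.append("groovyscriptstatus endpoint reached")
    if not reasons:
        return None
    return Finding(src, ts, method, raw_path, normalised, status, reasons)


def scan_access_log(text: str) -> list:
    """Parse each log line and collect suspicious requests; malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = analyse_request(m["src"], m["ts"], m["method"], m["target"], int(m["status"]))
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.method} {f.raw_path} -> {f.normalised} [{f.status}] : {', '.join(f.reasons)}")
```

A 200 on a flagged line from an unpatched host is the important signal: the bypass succeeded, and the groovyscriptstatus hit that follows is the code-execution step, so the host should be treated as compromised and the investigation widened to what that account could reach.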