The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant vulnerability related to Oracle Identity Manager to its Known Exploited Vulnerabilities database. This step follows reports from the SANS Internet Storm Center that indicated attempts to exploit this particular flaw.
The vulnerability, identified as CVE-2025-61757, has a severity rating of 9.8, marking it as a critical missing authentication issue within Oracle’s Identity Manager—part of Oracle Fusion Middleware. The flaw was addressed in Oracle’s October updates, with details unveiled in a blog post by Searchlight Cyber, the entity that first discovered and reported it to Oracle.
Following the blog’s release, SANS Internet Storm Center began tracking attempts to exploit the vulnerability and found evidence of exploitation as early as August 30. The vulnerability is considered less complex than earlier issues in Oracle Access Manager, making it relatively straightforward for threat actors to exploit.
Understanding CVE-2025-61757
CVE-2025-61757 primarily affects the REST Web Services component of the Identity Manager in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0. This pre-authentication remote code execution (RCE) vulnerability allows unauthenticated attackers with network access via HTTP to potentially compromise the Identity Manager system. Should an attack be successful, it could lead to a full takeover of the Identity Manager.
The investigation into this vulnerability was sparked after an Oracle Cloud breach earlier this year exploited a host that had not been patched for CVE-2021-35587. As researchers delved deeper into the source code of the Oracle Identity Governance Suite, they found that while the application can compile Groovy scripts, it does not execute them. Drawing on insights from a previous Java capture-the-flag (CTF) event, they recognized that Java annotations are processed at compile time rather than at runtime, so they are not subject to the restrictions the Java security manager imposes on executed code; code running at that stage can call system functions and read files much like native Java code.
“Since Groovy is built on top of Java, we thought we could craft a Groovy annotation executing at compile time, even though the actual compiled code isn’t executed,” the researchers stated. After several rounds of experimentation, they successfully achieved remote code execution.
According to the Searchlight Cyber team, this vulnerability follows a recurring trend in Java applications, where filters meant to enforce authentication often contain easy-to-exploit bypass flaws. They emphasized that logical issues in how Java interprets request URIs can be quite advantageous for attackers, especially when matrix parameters are involved.
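The filter-bypass class described above, as an added illustration that is neither Searchlight Cyber's code nor Oracle Identity Manager code: a naive allowlist check on the raw request URI path (what a servlet filter using getRequestURI() sees, matrix parameters still attached) beside one that decides on the canonical path the router dispatches on, plus an audit over constructed access-log lines that flags requests where the two disagree. The suffixes, paths and log lines are constructed placeholders, not Oracle's.

```python
from urllib.parse import unquote

# Constructed allowlist: suffixes a hypothetical auth filter lets through
# without credentials (public API description / docs). Not Oracle's list.
PUBLIC_SUFFIXES = (".wadl", "/docs")

def canonical_path(raw_uri: str) -> str:
    """Reduce a raw request URI to the path a router dispatches on: drop the
    query string and ';k=v' matrix params, percent-decode, resolve '.'/'..'."""
    path = raw_uri.split("?", 1)[0]
    segments = []
    for seg in path.split("/"):
        seg = unquote(seg.split(";", 1)[0])  # matrix params never reach the router
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def naive_is_public(raw_uri: str) -> bool:
    """Vulnerable pattern: match the allowlist against the raw URI path, so
    the filter and the router can disagree about the requested resource."""
    return raw_uri.split("?", 1)[0].endswith(PUBLIC_SUFFIXES)

def hardened_is_public(raw_uri: str) -> bool:
    """Fixed pattern: decide on the same canonical path the router will use."""
    return canonical_path(raw_uri).endswith(PUBLIC_SUFFIXES)

# Constructed access-log lines: "METHOD raw-URI status".
SAMPLE_LOG = """\
GET /rest/v1/docs 200
GET /rest/v1/users;.wadl 200
GET /rest/v1/users 401
GET /rest/v1/users;type=admin/docs 200
"""

def suspicious_requests(log_text: str) -> list[str]:
    """Detection: flag requests where the raw-URI allowlist says 'public' but
    the canonical path does not, the signature of a normalization mismatch."""
    hits = []
    for line in log_text.splitlines():
        _method, raw_uri, _status = line.split()
        if naive_is_public(raw_uri) and not hardened_is_public(raw_uri):
            hits.append(raw_uri)
    return hits

print(suspicious_requests(SAMPLE_LOG))  # → ['/rest/v1/users;.wadl']
```

The fourth constructed line also carries a matrix parameter, but both checks agree it is public, so only the genuine mismatch is reported.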
“Engaging in CTF events and keeping current with research in that realm continues to yield dividends, providing us with valuable insights on converting seemingly unexploitable bugs into viable targets,” they noted.
Rise in Oracle EBS Victims
On another front, the number of organizations affected by the CL0P ransomware group’s exploitation of Oracle E-Business Suite vulnerabilities has exceeded 100. This uptick comes after the threat group claimed more victims late last week.
Among the latest confirmed victims are Mazda and Cox Enterprises, bringing the total recognized breaches to seven thus far. Mazda reported that it managed to contain the breach without any data or system impact, whereas Cox acknowledged that personal data belonging to over 9,000 individuals was exposed during the incident.
As the landscape of cyber vulnerabilities continues to evolve, vigilance and proactive measures remain critical in safeguarding sensitive information. Entities utilizing Oracle systems are urged to apply updates as they become available and maintain awareness of emerging threats.