ALERT: CISA Warns of Critical Oracle Identity Manager Zero-Day Under Active Attack
A critical vulnerability in Oracle Identity Manager is being exploited by threat actors to perform unauthenticated Remote Code Execution. Organisations using Oracle Identity Manager must apply patches immediately to prevent full system compromise.
The Core Threat: CVE-2025-61757
The United States Cybersecurity and Infrastructure Security Agency has issued a high-severity alert after adding the Oracle Identity Manager vulnerability known as CVE-2025-61757 to its Known Exploited Vulnerabilities Catalog. This action confirms that the flaw is under active exploitation and represents a serious threat to organisations of all sizes.
CVE-2025-61757 is a critical pre-authenticated Remote Code Execution flaw that affects widely deployed versions of Oracle Identity Manager. The vulnerability does not require a valid user session, which significantly increases its risk level.
Vulnerability Details
| Identifier | Severity (CVSS) | Affected Product | Vulnerability Type |
|---|---|---|---|
| CVE-2025-61757 | 9.8 (Critical) | Oracle Identity Manager | Pre-Authenticated Remote Code Execution |
The flaw impacts Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0.
How Threat Actors Exploit the Flaw
Attackers exploiting CVE-2025-61757 do not require credentials to access the vulnerable functionality. The attack chain involves two main steps, both of which take advantage of weaknesses in Oracle Identity Manager's request handling and script compilation features.
- Security Filter Bypass: The attacker appends specific strings such as `?.wadl` or `?WSDL` to sensitive API endpoint paths. This manipulation causes Oracle Identity Manager to skip authentication checks that would normally block access. As a result, the attacker reaches restricted administrative APIs without a valid session.
- Remote Code Execution via Script Compilation: Once the security filter is bypassed, the attacker submits malicious Groovy script content to an endpoint designed for syntax validation. The syntax checker compiles the script without executing it, but the attacker embeds harmful logic inside Java annotation processors. These processors run during the compilation phase, which results in the attacker executing arbitrary code on the server.
Since Oracle Identity Manager is a core identity and access management platform, a breach can give attackers insight into user accounts, authentication workflows and privileged access structures. With control over the platform, a threat actor can escalate privileges, impersonate users, create new accounts and expand laterally across the organisation.
Immediate Action Required
CISA has issued explicit guidance for public sector agencies and strongly recommends that private sector organisations follow the same patching urgency. Oracle has already released the required fix, and the vulnerability should be treated as a top priority for all security teams.
- Apply the Patch Immediately: The fix for CVE-2025-61757 is included in the Oracle Critical Patch Update for October 2025. Organisations should apply this update as soon as operationally possible.
- Compliance Deadlines: Federal Civilian Executive Branch agencies are required to patch by December 12, 2025. Private companies should adopt the same timeline due to the active exploitation of the flaw.
- Enhanced Monitoring: If patching cannot be completed immediately, organisations must increase monitoring of Oracle Identity Manager servers. Any unusual requests to administrative endpoints or unexpected Groovy compilation activity should be treated as potential indicators of compromise.
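As an added illustration of the monitoring step above (example code written for this page, not part of the advisory or of Oracle's tooling), the following Python scans web access-log lines for requests to administrative API paths that carry the `?.wadl` or `?WSDL` suffixes described earlier. The log lines and the `/admin/api/` prefix are constructed placeholders; replace the prefix with the administrative API paths actually exposed by your deployment.

```python
import re
from typing import Dict, List, Optional

# Constructed combined-format access log lines (sample data, not real traffic).
# The paths are placeholders; substitute the administrative API prefixes
# actually exposed by your Oracle Identity Manager deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2025:10:01:02 +0000] "GET /admin/api/resource?.wadl HTTP/1.1" 200 512
10.0.0.5 - - [21/Nov/2025:10:01:03 +0000] "POST /admin/api/validate?WSDL HTTP/1.1" 200 88
10.0.0.9 - - [21/Nov/2025:10:02:10 +0000] "GET /identity/login HTTP/1.1" 200 1024
10.0.0.7 - - [21/Nov/2025:10:03:11 +0000] "GET /admin/api/resource?WSDL HTTP/1.1" 401 0
10.0.0.8 - - [21/Nov/2025:10:04:00 +0000] "GET /public/service?WSDL HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Query strings the advisory names as filter-bypass suffixes (matched case-insensitively).
BYPASS_QUERIES = (".wadl", "wsdl")
# Placeholder prefixes for restricted administrative APIs (assumption; tune per deployment).
# Ordinary SOAP services legitimately answer ?WSDL, so the prefix list keeps noise down.
ADMIN_PREFIXES = ("/admin/api/",)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_bypass_attempt(target: str, admin_prefixes=ADMIN_PREFIXES) -> bool:
    """True when a request to an admin path carries a bypass-style query string."""
    path, _, query = target.partition("?")
    return path.startswith(admin_prefixes) and query.lower().startswith(BYPASS_QUERIES)


def find_bypass_attempts(log_text: str, admin_prefixes=ADMIN_PREFIXES) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, whatever the HTTP status.
    A 401 still shows the filter was probed. POSTs are rated higher because stage
    two of the chain submits script content to a validation endpoint (heuristic)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_bypass_attempt(rec["target"], admin_prefixes):
            rec["severity"] = "high" if rec["method"] == "POST" else "medium"
            findings.append(rec)
    return findings
```

Run `find_bypass_attempts` over your real access logs with the deployment's admin prefixes; repeated hits from one source, or any POST hit, are worth escalating.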
Failure to address this vulnerability puts organisations at high risk of full compromise, unauthorised account manipulation and widespread lateral movement within internal networks.