CISA has issued an urgent warning about a critical zero-day vulnerability in Oracle Identity Manager, a widely used enterprise identity and access management solution. The flaw, tracked as CVE-2025-61757, has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after security researchers confirmed that attackers are actively exploiting it in the wild.
The vulnerability carries a CVSS score of 9.8, putting it in the critical category, and allows unauthenticated remote attackers to execute code without needing any login credentials. In simple terms, an attacker can take over Oracle Identity Manager servers remotely, without authentication—giving them deep access into an organization’s most sensitive systems.
Oracle released patches as part of its quarterly update cycle last month, but evidence shows that attackers may have been exploiting the flaw even before the patch became available, making it a true zero-day.
CVE-2025-61757 is a case of “missing authentication for a critical function.” This means Oracle Identity Manager fails to verify whether a user is allowed to access certain internal functions. Because of this security gap, attackers can directly access sensitive API endpoints.
According to the researchers from Searchlight Cyber, Adam Kues and Shubham Shah, who discovered the vulnerability, the flaw allows cybercriminals to:
- Bypass authentication protections
- Manipulate authentication workflows
- Escalate privileges
- Move laterally across core enterprise systems
This level of access is extremely dangerous because Oracle Identity Manager is used to control user accounts, permissions, and identities across an entire organization. If attackers gain control of this system, they can essentially take control of the entire network.
The vulnerability stems from a weakness in a security filter that decides which API endpoints are public and which are protected. The researchers found that adding a simple string like ?WSDL or ;.wadl to any request can trick the system into treating protected endpoints as publicly accessible.
This happens because Oracle uses a faulty allow-list mechanism that relies on string matching. Attackers can easily manipulate this with crafted URLs.
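The allow-list weakness described above, illustrated with added example code that is not Oracle's implementation: a naive filter that decides "public or protected" by substring-matching the raw request URI, next to a hardened filter that normalizes the path (dropping the query string and matrix parameters) before consulting a deny-by-default allow-list. The prefixes are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder prefixes standing in for an identity server's
# allow-list; they are not Oracle's real configuration.
PUBLIC_PREFIXES = ("/iam/public/",)
PROTECTED_PREFIXES = ("/iam/governance/",)

def is_public_naive(request_uri: str) -> bool:
    """The flawed pattern the article describes: a substring test on the raw
    URI treats anything that looks like a WSDL/WADL descriptor request as
    public, so a suffix appended to a protected resource skips the
    authentication check."""
    if "?WSDL" in request_uri or ";.wadl" in request_uri:
        return True
    return request_uri.startswith(PUBLIC_PREFIXES)

def normalize_path(request_uri: str) -> str:
    """Drop the query string and any matrix parameters (';key=value',
    ';.wadl') from every segment and collapse empty segments, so the
    allow-list sees the resource the application will actually dispatch.
    Normalize dot-segments here too if your dispatcher does."""
    path = urlsplit(request_uri).path
    segments = (seg.split(";", 1)[0] for seg in path.split("/"))
    return "/" + "/".join(seg for seg in segments if seg)

def is_public_hardened(request_uri: str) -> bool:
    """Decide on the normalized path only, and let a protected prefix win
    over any public-looking suffix (deny by default)."""
    path = normalize_path(request_uri)
    if path.startswith(PROTECTED_PREFIXES):
        return False
    return path.startswith(PUBLIC_PREFIXES)
```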
Once the authentication bypass is successful, attackers can send a malicious HTTP POST request to the following endpoint:
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus
This endpoint is normally meant only to check Groovy script syntax—not to execute code. But the researchers discovered they could inject a special Groovy annotation that executes during compile time, enabling full remote code execution (RCE) even though the code itself is not supposed to run.
This clever trick turns a harmless syntax-checking function into a powerful weapon.
CISA’s alert comes shortly after Johannes B. Ullrich, Dean of Research at the SANS Technology Institute, reported suspicious activity in honeypot logs. Between August 30 and September 9, 2025, Ullrich observed repeated attempts to access the vulnerable endpoint using the following crafted URL:
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
These attempts were sent as POST requests, consistent with the exploitation method described by Searchlight Cyber. Ullrich noted that:
- The scans came from multiple IP addresses
- All used the same user-agent string
- This suggests a single attacker or organized group
The payloads could not be captured, but the Content-Length headers showed a consistent 556-byte payload, indicating a targeted exploit rather than random scanning.
The suspicious traffic came from the following IPs:
89.238.132[.]76
185.245.82[.]81
138.199.29[.]153
Since this activity occurred before Oracle released the official patch, experts believe the vulnerability was exploited as a true zero-day.
Because attackers are already exploiting the flaw, CISA has made it mandatory for U.S. Federal Civilian Executive Branch (FCEB) agencies to apply the latest Oracle patches by December 12, 2025. This ensures that government systems are protected against ongoing attacks.
CISA strongly encourages all organizations, not just government agencies, to:
- Apply Oracle’s latest patches immediately
- Review logs for signs of exploitation
- Monitor for suspicious API requests containing ?WSDL or ;.wadl
- Implement network-level protections for Oracle Identity Manager
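A log-review check for the last two recommendations, as added example code rather than anything from CISA, Oracle or the researchers: it scans access-log lines for requests to the Oracle Identity Manager application-management API that carry a ;.wadl or ?WSDL suffix, rates a POST with a request body highest (the shape seen in the honeypot), and groups source IPs by user agent to surface the many-IPs-one-user-agent pattern Ullrich described. The log format (combined log plus the request Content-Length as a final field) and the sample lines are constructed; the three external IPs are the ones the article lists.

```python
import re
from collections import defaultdict

# Combined-style access log with the request Content-Length header appended
# as a final field (a constructed format; adjust LOG_RE to your own).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<clen>\d+|-)$'
)
OIM_API_PREFIX = "/iam/governance/applicationmanagement/api/"
SUFFIX_MARKERS = (";.WADL", "?WSDL")  # compared case-insensitively

def classify(line):
    """Return a finding for a request matching the suspicious shape, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m["uri"]
    if not (uri.startswith(OIM_API_PREFIX) and any(s in uri.upper() for s in SUFFIX_MARKERS)):
        return None
    # A descriptor-style suffix on a protected API path is odd by itself; a POST
    # carrying a body on such a URL is the shape the honeypot logs recorded.
    severity = "high" if m["method"] == "POST" and m["clen"] != "-" else "medium"
    return {"ip": m["ip"], "ua": m["ua"], "method": m["method"], "uri": uri,
            "content_length": m["clen"], "severity": severity}

def scan(lines):
    """Classify every line and group source IPs by user agent."""
    findings = [f for f in map(classify, lines) if f]
    by_ua = defaultdict(set)
    for f in findings:
        by_ua[f["ua"]].add(f["ip"])
    return findings, {ua: sorted(ips) for ua, ips in by_ua.items()}

# Constructed sample lines; only the external IPs come from the article.
GS = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
UA = "Mozilla/5.0 (constructed-scanner-UA)"
SAMPLE_LOG = [
    f'89.238.132.76 - - [02/Sep/2025:11:04:17 +0000] "POST {GS};.wadl HTTP/1.1" 200 312 "-" "{UA}" 556',
    f'185.245.82.81 - - [03/Sep/2025:08:12:40 +0000] "POST {GS};.wadl HTTP/1.1" 200 312 "-" "{UA}" 556',
    f'10.0.0.5 - - [03/Sep/2025:09:00:01 +0000] "GET {GS}?WSDL HTTP/1.1" 404 120 "-" "curl/8.0" -',
    f'10.0.0.7 - - [03/Sep/2025:09:05:13 +0000] "GET {GS} HTTP/1.1" 401 90 "-" "Mozilla/5.0" -',
    f'138.199.29.153 - - [05/Sep/2025:22:47:09 +0000] "POST {GS};.wadl HTTP/1.1" 200 312 "-" "{UA}" 556',
]

if __name__ == "__main__":
    found, clusters = scan(SAMPLE_LOG)
    for f in found:
        print(f["severity"], f["ip"], f["method"], f["content_length"], f["uri"])
    print(clusters)
```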
With Oracle Identity Manager being a central component in identity lifecycle management, a compromise could lead to widespread damage, data theft, privilege escalation, and complete network takeover.
The discovery and active exploitation of CVE-2025-61757 highlights once again how identity management systems remain high-value targets for attackers. The simplicity of the exploit—adding a few characters to a URL—makes it even more concerning. Organizations using Oracle Identity Manager should treat this vulnerability as an emergency and patch without delay.