Ethical Hacking News
CISA has warned government agencies of active exploitation of an Oracle Identity Manager RCE flaw. The vulnerability, tracked as CVE-2025-61757, allows attackers to execute code remotely on affected systems without authentication. Government agencies have until December 12 to patch the flaw and prevent potential attacks. This is a critical reminder of the importance of keeping software up to date and patched against known vulnerabilities.
CISA is warning government agencies about a vulnerability in Oracle Identity Manager (CVE-2025-61757) that may have been exploited as a zero-day before a patch was available. The vulnerability allows attackers to bypass authentication and reach a Groovy script compilation endpoint, which can be abused to run malicious code at compile time. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and is urging agencies to patch it by December 12. Researchers from Searchlight Cyber discovered and disclosed the flaw, which was fixed as part of Oracle's October 2025 security updates. The threat actors behind the attacks used a consistent user agent across multiple IP addresses, suggesting a single attacker.
CISA warns government agencies to patch an Oracle Identity Manager vulnerability tracked as CVE-2025-61757 that has been exploited in attacks, potentially as a zero-day. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is issuing this warning to government agencies due to concerns over the severity and potential impact of this vulnerability.
CVE-2025-61757 is a pre-authentication Remote Code Execution (RCE) vulnerability in Oracle Identity Manager, discovered and disclosed by Searchlight Cyber analysts Adam Kues and Shubham Shah. The flaw stems from an authentication bypass in Oracle Identity Manager's REST APIs, where a security filter can be tricked into treating protected endpoints as publicly accessible by appending parameters like ?WSDL or ;.wadl to URL paths.
Once unauthenticated access is gained, attackers can reach a Groovy script compilation endpoint that does not normally execute the submitted script. However, it can be abused to run malicious code at compile time through Groovy's annotation-processing features. This chain of flaws enabled the researchers to achieve pre-authentication remote code execution on affected Oracle Identity Manager instances.
The flaw was fixed as part of Oracle's October 2025 security updates, released on October 21. Yesterday, Searchlight Cyber released a technical report detailing the flaw and providing all the information required to exploit it. "Given the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors," warned the researchers.
Today, CISA has added the Oracle CVE-2025-61757 vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and given Federal Civilian Executive Branch (FCEB) agencies until December 12 to patch the flaw as mandated by the Binding Operational Directive (BOD) 22-01. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," warned CISA.
While CISA has not shared details of how the flaw was exploited, Johannes Ullrich, the Dean of Research for SANS Technology Institute, warned yesterday that the flaw may have been exploited as a zero-day as early as August 30. "This URL was accessed several times between August 30th and September 9th this year, well before Oracle patched the issue," explained Ullrich in an ISC Handler Diary.
"There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker," added Ullrich. According to Ullrich, the threat actors issued HTTP POST requests to the following endpoints, which match the exploit shared by Searchlight Cyber.
/iam/governance/applicationmanagement/templates;.wadl
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
The researcher says the attempts came from three different IP addresses, 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153, but all used the same browser user agent, which corresponds to Google Chrome 60 on Windows 10.
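The indicators above (the two ;.wadl endpoints, the descriptor-suffix bypass pattern, the three source IPs and a shared user agent across them) are exactly what a defender would hunt for in web server access logs in front of Oracle Identity Manager. The following Python script is an added example written for this article, not code from Searchlight Cyber, SANS ISC or Oracle. It parses combined-format access logs, flags requests whose path under /iam/governance/ carries a ;.wadl or ?WSDL suffix (a POST to a "descriptor" URL is doubly suspicious, since a genuine WADL fetch is a GET), cross-references the endpoints and IPs named in the article, and then groups hits by user agent to surface the "many IPs, one user agent" pattern Ullrich described. The log lines and the Chrome 60 user-agent string are constructed for the example; the exact user agent from the ISC diary is not on the page.

```python
"""Hunt for CVE-2025-61757 probing in web-access logs (added defensive example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Endpoints named in the ISC diary and the Searchlight Cyber report (from the article).
KNOWN_ENDPOINTS = {
    "/iam/governance/applicationmanagement/templates;.wadl",
    "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl",
}

# Scanning sources reported by Ullrich (de-fanged in the article, re-fanged here for matching).
KNOWN_SOURCE_IPS = {"89.238.132.76", "185.245.82.81", "138.199.29.153"}

# Constructed user-agent string standing in for "Chrome 60 on Windows 10".
CHROME60_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")

# Apache/NGINX "combined" log format: ip ident user [ts] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one benign admin request, two probes matching the published
# endpoints, one generic ?WSDL probe from an unlisted IP, noise, and a malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - jsmith [30/Aug/2025:08:14:02 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    f'89.238.132.76 - - [30/Aug/2025:08:21:44 +0000] "POST /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 812 "-" "{CHROME60_UA}"',
    f'185.245.82.81 - - [03/Sep/2025:23:05:10 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 644 "-" "{CHROME60_UA}"',
    '203.0.113.9 - - [09/Sep/2025:11:47:31 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications?WSDL HTTP/1.1" 200 9001 "-" "curl/8.5.0"',
    '10.0.0.7 - - [09/Sep/2025:11:48:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'garbled line that does not parse',
]


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    target: str
    status: str
    ua: str
    reasons: List[str]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(e: Dict[str, str]) -> Optional[Finding]:
    """Decide whether one parsed request looks like CVE-2025-61757 probing."""
    path, _, query = e["target"].partition("?")
    if not path.startswith("/iam/governance/"):
        return None  # only the OIM REST tree is of interest here
    reasons: List[str] = []
    # The bypass works by making a protected resource look like a public descriptor request.
    has_wsdl_param = any(p.upper() == "WSDL" for p in query.split("&"))
    if path.lower().endswith(";.wadl") or has_wsdl_param:
        reasons.append("descriptor-suffix-on-protected-path")
        if e["method"] == "POST":
            reasons.append("post-with-descriptor-suffix")  # a real WADL/WSDL fetch is a GET
    if path in KNOWN_ENDPOINTS:
        reasons.append("known-endpoint")
    if e["ip"] in KNOWN_SOURCE_IPS:
        reasons.append("known-scanner-ip")
    if not reasons:
        return None
    return Finding(e["ip"], e["ts"], e["method"], e["target"], e["status"], e["ua"], reasons)


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Run every parseable line through classify() and collect the hits in log order."""
    findings: List[Finding] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in combined format
        hit = classify(entry)
        if hit is not None:
            findings.append(hit)
    return findings


def cluster_by_user_agent(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    """Map each user agent seen in the hits to the set of source IPs that used it."""
    clusters: Dict[str, Set[str]] = {}
    for f in findings:
        clusters.setdefault(f.ua, set()).add(f.ip)
    return clusters


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.method} {h.target} -> {', '.join(h.reasons)}")
    for ua, ips in cluster_by_user_agent(hits).items():
        if len(ips) > 1:
            print(f"{len(ips)} source IPs share user agent {ua!r}")
```

Feed real logs with `scan_log(open("access.log"))`. A hit tagged only descriptor-suffix-on-protected-path from an unlisted IP is still worth triage, since the IPs in the article are one observed campaign, not the full set of possible sources; a 200 status on a POST to one of the ;.wadl endpoints before the October 21 patch was applied is the case to escalate.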
BleepingComputer contacted Oracle to ask whether they have detected the flaw exploited in attacks, and will update the story if we get a response.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Warns-Government-Agencies-of-Active-Exploitation-of-Oracle-Identity-Manager-RCE-Flaw-ehn.shtml
https://www.bleepingcomputer.com/news/security/cisa-warns-oracle-identity-manager-rce-flaw-is-being-actively-exploited/
Published: Fri Nov 21 17:58:58 2025 by llama3.2 3B Q4_K_M