
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning government agencies to patch an Oracle Identity Manager vulnerability tracked as CVE-2025-61757 that has been exploited in attacks, potentially as a zero-day.
CVE-2025-61757 is a pre-authentication remote code execution (RCE) vulnerability in Oracle Identity Manager, discovered and disclosed by Searchlight Cyber analysts Adam Kues and Shubham Shah.
The flaw stems from an authentication bypass in Oracle Identity Manager's REST APIs: the security filter that decides which endpoints are publicly accessible can be tricked by appending a descriptor-style suffix such as ?WSDL (a query string) or ;.wadl (a path parameter) to the URL path of a protected endpoint, so the request is treated as public and passed through without a session.
Once unauthenticated access is gained, attackers can reach a Groovy script compilation endpoint. Compiling a script does not normally execute it, but Groovy's annotation-processing features can run code at compile time, so the endpoint can be abused to execute attacker-supplied code.
This chain of flaws enabled the researchers to achieve pre-authentication remote code execution on affected Oracle Identity Manager instances.
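The bypass class described above, modelled in a small added example (hypothetical Python written for this page, not Oracle's filter code and not from Searchlight Cyber's report): a request filter that treats a route as public because the raw request target ends in a WSDL/WADL descriptor suffix, beside a version that strips path parameters and the query string first and matches only an explicit allow list. The allow-listed descriptor route and the filter structure are assumptions; only the two suffix strings come from the article.

```python
"""Toy model of the auth-bypass pattern: a filter that classifies routes as public
by suffix-matching the raw request target.  Hypothetical code, not Oracle's."""
from urllib.parse import urlsplit

# Assumption for the example: one legitimate, allow-listed WADL descriptor route.
PUBLIC_DESCRIPTORS = {"/iam/governance/applicationmanagement/application.wadl"}


def is_public_vulnerable(request_target: str) -> bool:
    """Weak check: 'does the raw target end in a descriptor suffix?'.
    Any protected path becomes 'public' once ?WSDL or ;.wadl is appended."""
    lowered = request_target.lower()
    return lowered.endswith("?wsdl") or lowered.endswith(".wadl")


def normalize_path(request_target: str) -> str:
    """Strip the query string and every ';param' matrix segment so that
    '/a/b;.wadl?x=1' and '/a/b' compare equal."""
    path = urlsplit(request_target).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def is_public_fixed(request_target: str) -> bool:
    """Hardened check: exact allow-list match on the normalized path only."""
    return normalize_path(request_target) in PUBLIC_DESCRIPTORS


def authorize(request_target: str, authenticated: bool, public_check) -> bool:
    """Filter decision: public routes pass; everything else needs a session."""
    return public_check(request_target) or authenticated


if __name__ == "__main__":
    probe = "/iam/governance/applicationmanagement/templates;.wadl"
    print("vulnerable filter lets unauthenticated probe through:",
          authorize(probe, False, is_public_vulnerable))   # True
    print("fixed filter lets unauthenticated probe through:",
          authorize(probe, False, is_public_fixed))        # False
```

The fix has two parts that matter independently: normalize before matching (so matrix parameters and query strings cannot change the classification), and compare against an exact allow list rather than a suffix, so no protected route can be dressed up as a descriptor.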
The flaw was fixed as part of Oracle’s October 2025 security updates, released on October 21.
Yesterday, Searchlight Cyber released a technical report detailing the flaw and providing all the information required to exploit it.
“Given the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors,” warned the researchers.
CVE-2025-61757 exploited in attacks
Today, CISA has added the Oracle CVE-2025-61757 vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and given Federal Civilian Executive Branch (FCEB) agencies until December 12 to patch the flaw as mandated by the Binding Operational Directive (BOD) 22-01.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” warned CISA.
While CISA has not shared details of how the flaw was exploited, Johannes Ullrich, the Dean of Research for SANS Technology Institute, warned yesterday that the flaw may have been exploited as a zero-day as early as August 30.
“This URL was accessed several times between August 30th and September 9th this year, well before Oracle patched the issue,” explained Ullrich in an ISC Handler Diary.
“There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker.”
According to Ullrich, the threat actors issued HTTP POST requests to the following endpoints, which match the exploit shared by Searchlight Cyber:
/iam/governance/applicationmanagement/templates;.wadl
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
The researcher says the attempts came from three different IP addresses (89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153), but all used the same browser user agent, corresponding to Google Chrome 60 on Windows 10, a 2017-era release that points to a hard-coded scanner string rather than a real browser.
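To hunt for the probing Ullrich describes in your own web-server access logs, here is an added example (written for this page, not code from ISC, Searchlight Cyber or BleepingComputer) that parses combined-format log lines, flags requests using the ;.wadl / ?WSDL suffix trick under /iam/, the two observed paths, POST requests to them, and the three reported source IPs, then groups hits by User-Agent the way the diary reasoned about a single operator. The log lines and the Chrome 60 User-Agent string are constructed for the example; the article does not publish the exact UA string.

```python
"""Hunt web-server access logs for the CVE-2025-61757 probing pattern ISC reported.
Added example; the log lines and User-Agent string below are constructed."""
import re
from dataclasses import dataclass

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Source IPs from the ISC diary (defanging brackets removed so they match raw logs).
KNOWN_SCANNERS = {"89.238.132.76", "185.245.82.81", "138.199.29.153"}

# The two request paths ISC observed.
OBSERVED_PATHS = {
    "/iam/governance/applicationmanagement/templates;.wadl",
    "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl",
}

# The suffix trick itself: ';.wadl' path parameter or '?WSDL' query on any /iam/ route.
BYPASS_SUFFIX = re.compile(r";\.wadl(?:\?|$)|\?wsdl(?:&|$)", re.IGNORECASE)

# Constructed sample log (not real traffic). The UA is a representative Chrome 60 /
# Windows 10 string; the article does not publish the exact one ISC saw.
CHROME60 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
SAMPLE_LOG = "\n".join([
    f'89.238.132.76 - - [30/Aug/2025:10:14:07 +0000] "POST /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512 "-" "{CHROME60}"',
    '10.0.0.5 - - [30/Aug/2025:10:15:00 +0000] "GET /iam/governance/applicationmanagement/templates HTTP/1.1" 401 0 "-" "curl/8.4.0"',
    f'185.245.82.81 - - [02/Sep/2025:03:22:41 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 731 "-" "{CHROME60}"',
    '203.0.113.9 - - [05/Sep/2025:11:00:12 +0000] "GET /iam/governance/applicationmanagement/templates?WSDL HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '10.0.0.7 - - [05/Sep/2025:11:01:00 +0000] "GET /identity/faces/signin HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
])


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    target: str
    ua: str
    reasons: tuple


def parse(line: str):
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def assess(entry: dict) -> list:
    """List every indicator a parsed request matches (empty list means benign)."""
    reasons = []
    target = entry["target"]
    if target.startswith("/iam/") and BYPASS_SUFFIX.search(target):
        reasons.append("wsdl/wadl suffix on /iam/ path")
    if target.split("?", 1)[0] in OBSERVED_PATHS:
        reasons.append("path matches ISC-observed probe")
    if reasons and entry["method"] == "POST":
        reasons.append("POST to descriptor-style URL")  # descriptors are normally fetched with GET
    if entry["ip"] in KNOWN_SCANNERS:
        reasons.append("source IP in ISC report")
    return reasons


def hunt(lines) -> list:
    """Parse each line and keep those with at least one indicator."""
    findings = []
    for line in lines:
        e = parse(line)
        if not e:
            continue
        reasons = assess(e)
        if reasons:
            findings.append(Finding(e["ip"], e["ts"], e["method"], e["target"], e["ua"], tuple(reasons)))
    return findings


def shared_user_agents(findings) -> dict:
    """Group flagged sources by User-Agent; one UA across several IPs hints at one operator."""
    by_ua = {}
    for f in findings:
        by_ua.setdefault(f.ua, set()).add(f.ip)
    return {ua: ips for ua, ips in by_ua.items() if len(ips) > 1}


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h.ip, h.method, h.target, "->", ", ".join(h.reasons))
    for ua, ips in shared_user_agents(hits).items():
        print("shared UA", ua[:40] + "...", "used by", sorted(ips))
```

A GET with the suffix from an unknown address is still worth a look (a WSDL request against a REST route that has no WSDL is odd), but a POST to one of the observed paths is the strong signal, since the exploit needs a body to reach the Groovy endpoint. The IP list will age quickly; the suffix and path checks are the durable part of the hunt.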
BleepingComputer contacted Oracle to ask whether they have detected the flaw exploited in attacks, and will update the story if we get a response.

