Active Exploitation Observed: Oracle Identity Manager RCE Flaw (CVE-2025-61757)


CVE-2025-61757 is a pre-authentication remote code execution (RCE) flaw in Oracle Identity Manager (OIM). It stems from an insecure implementation of REST API authentication: a central filter is responsible for enforcing authentication on the REST APIs, and that filter can be bypassed through URL path manipulation. The vulnerability was exploited in the wild before the October 2025 Oracle Critical Patch Update (CPU), and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in November 2025 following confirmed active exploitation.

Severity: Critical

Vulnerability Details

  • CVE ID: CVE-2025-61757
  • CVSS Score: 9.8
  • Vulnerability Type: Pre-authentication Remote Code Execution
  • Component Affected: Oracle Identity Manager (part of Oracle Fusion Middleware)
  • Affected Versions: 12.2.1.4.0, 14.1.2.1.0
  • Exploitability: Trivial, remotely exploitable without authentication

Technical Details

  1. Authentication Bypass Mechanism:
    • Java REST APIs in OIM are protected by a central SecurityFilter.
    • The filter skips authentication when the request URI contains certain patterns.
    • Attackers can exploit this by appending ;.wadl to API endpoints, tricking the filter into granting access.
  2. RCE Vector:
    • The vulnerable endpoint:
      /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
    • Initially, this endpoint was believed to only compile Groovy scripts, not execute them.
    • However, by embedding malicious logic inside Groovy AST annotations, attackers can achieve code execution at compile time, bypassing the execution restrictions.

Exploitation Evidence

  • CISA added CVE-2025-61757 to the Known Exploited Vulnerabilities (KEV) catalog on November 21, 2025, citing evidence of active exploitation targeting federal and enterprise systems.
  • Prior to public disclosure, scanning activity matching the exploit pattern was observed between August 30 and September 9, 2025, indicating potential zero-day use.

Recommendations

  1. Immediately apply the patch Oracle released in its October 2025 Critical Patch Update (published October 21, 2025). This is the most effective way to eliminate the vulnerability.
  2. Review your access logs for requests between August 30 and September 9, 2025, and afterwards, looking for the specific exploit patterns described in the next step.
  3. Look for URLs in your access logs that contain the path parameter separator followed by the .wadl string (e.g., *;.wadl). Known malicious URL patterns are:
    • /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
    • /iam/governance/applicationmanagement/templates;.wadl
  4. Monitor logs for the user agent string used in the early scans: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
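As an added example (not part of the advisory), the following Python script applies steps 2 to 4 above to Combined Log Format access-log lines: it percent-decodes the request path, flags the ";.wadl" separator pattern and the two known URLs, matches the early-scan user agent, and marks hits that fall in the 30 August to 9 September 2025 window. The log format regex and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Indicators from the advisory: ";.wadl" after a path segment, the two known URLs,
# the early-scan user agent, and the 30 Aug - 9 Sep 2025 scanning window.
WADL_BYPASS = re.compile(r';[^/?]*\.wadl', re.IGNORECASE)
KNOWN_PATHS = {
    "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl",
    "/iam/governance/applicationmanagement/templates;.wadl",
}
SCAN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
WINDOW_START = datetime(2025, 8, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 9, 10, tzinfo=timezone.utc)  # exclusive, so all of 9 Sep counts

def classify(line):
    """Return (host, path, indicators) for a suspicious line, or None if clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Percent-decode so "%3B.wadl" is treated like ";.wadl", then drop any query string.
    path = unquote(m.group("path")).split("?", 1)[0]
    hits = []
    if WADL_BYPASS.search(path):
        hits.append("wadl-filter-bypass")
    if path.lower() in KNOWN_PATHS:
        hits.append("known-exploit-path")
    if m.group("ua") == SCAN_UA:
        hits.append("scan-user-agent")
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    if hits and WINDOW_START <= ts < WINDOW_END:
        hits.append("in-early-scan-window")
    return (m.group("host"), path, hits) if hits else None

def scan_log(lines):
    """Return the suspicious entries from an iterable of access-log lines."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (not real traffic; 203.0.113.x / 198.51.100.x are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Sep/2025:10:14:31 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"',
    '203.0.113.7 - - [02/Sep/2025:10:14:32 +0000] "GET /iam/governance/applicationmanagement/templates%3B.wadl HTTP/1.1" 200 338 "-" "curl/8.4.0"',
    '198.51.100.5 - - [02/Sep/2025:10:15:00 +0000] "GET /identity/faces/signin HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
]
```

Running `scan_log(SAMPLE_LOG)` reports the first two lines and ignores the ordinary sign-in request; feed it your front-end access log line by line to triage historical traffic.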

Ampcus Cyber