CVE-2025-61757: Oracle Identity Manager Auth Bypass Flaw Added to CISA’s KEV
CISA recently added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation. The listing highlights a critical flaw affecting Oracle Identity Manager – part of Oracle Fusion Middleware. Because Oracle Identity Manager sits at the core of enterprise identity governance, any authentication bypass targeting it poses a meaningful operational risk.
This blog unpacks the vulnerability, examines how attackers are exploiting it, and outlines what organizations should prioritize.
What Is CVE-2025-61757?
CVE-2025-61757 is a “missing authentication for a critical function” vulnerability affecting Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0. Oracle classified it with a CVSS score of 9.8, reflecting how the flaw enables pre-authenticated Remote Code Execution (RCE) through improperly protected REST API endpoints.
In its October 2025 advisory, Oracle notes that the flaw impacts the product’s REST Web Services layer over HTTP.

Vulnerability card of CVE-2025-61757 (SOCRadar Vulnerability Intelligence)
CISA’s KEV entry confirms that exploitation has been observed, triggering a mandatory patching deadline of December 12, 2025, for U.S. federal agencies.
How Does the Authentication Bypass Work?
The flaw stems from a weakness in the application’s central SecurityFilter, responsible for handling authentication across REST routes. Researchers from Searchlight Cyber discovered two key issues:
- Appending ?WSDL to any request bypasses authentication because the filter incorrectly treats it as a publicly accessible route.
- Appending a matrix parameter such as ;.wadl tricks the filter’s allow-list regex into treating protected endpoints as unauthenticated paths.
Because the application relies on regular-expression-based allow-listing rather than per-route controls, attackers only need to manipulate the request URI to bypass the filter entirely. This makes the exploit simple to replicate and difficult to detect without proper visibility.
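To make the design flaw concrete, here is an added illustration (not Oracle’s code; the allow-list entries and the regex are constructed for this example) of a regex allow-list evaluated on the raw request URI beside a per-route check that canonicalises the path first:

```python
import re
from urllib.parse import urlsplit

# Weak pattern: one regex over the raw request URI. Anything that merely *ends* like a
# public route (".wadl" metadata, "?WSDL") is treated as public regardless of the path.
# This regex is constructed for illustration; it is not Oracle's actual SecurityFilter rule.
NAIVE_PUBLIC_RE = re.compile(r".*(\.wadl|\?WSDL)$", re.IGNORECASE)

# Hardened pattern: explicit per-route rules, evaluated on a canonicalised path.
PUBLIC_PATHS = {"/iam/governance/applicationmanagement/api/v1/application.wadl"}  # hypothetical
SOAP_SERVICE_PATHS = {"/iam/governance/service"}  # hypothetical; ?WSDL is public only here

def is_public_naive(raw_uri: str) -> bool:
    return bool(NAIVE_PUBLIC_RE.match(raw_uri))

def canonical_path(raw_uri: str) -> str:
    """Drop the query string and every ';name=value' matrix parameter, collapse dot segments."""
    out = []
    for seg in urlsplit(raw_uri).path.split("/"):
        seg = seg.split(";", 1)[0]        # ";.wadl" or ";x=1" never reaches the route match
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def is_public_hardened(raw_uri: str) -> bool:
    parts = urlsplit(raw_uri)
    path = canonical_path(raw_uri)
    if path in PUBLIC_PATHS and not parts.query:
        return True
    # WSDL retrieval is public only for known SOAP service paths, with exactly that query
    return path in SOAP_SERVICE_PATHS and parts.query.upper() == "WSDL"

def requires_auth(raw_uri: str, hardened: bool = True) -> bool:
    """True when the filter should demand authentication for this request URI."""
    return not (is_public_hardened(raw_uri) if hardened else is_public_naive(raw_uri))
```

The hardened variant keeps the protected endpoint protected whatever suffix or query is appended, because the route decision is made on the canonical path and the query is checked per route.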
Why Does This Lead to Remote Code Execution?
Once attackers bypass authentication, they gain access to internal management APIs. One endpoint in particular, /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus, is meant solely for syntax-checking Groovy code. However, its implementation compiles submitted scripts, creating a narrow but powerful avenue for exploitation.
Searchlight Cyber demonstrated that Groovy’s support for compile-time annotation execution allows malicious logic to run during compilation, even if the resulting script never executes. By embedding a custom annotation that executes system-level actions upon compilation, an attacker can trigger RCE without authentication or privileged access.
Evidence of Active Exploitation of CVE-2025-61757
The SANS Internet Storm Center reported that its honeypot systems logged multiple attempts to access the vulnerable Groovy compilation endpoint between August 30 and September 9, 2025 – well before Oracle issued a patch in October. These requests:
- Originated from several IP addresses using the same user agent
- Used HTTP POST requests containing a 556-byte payload
- Attempted to reach paths ending with .wadl, indicating exploitation of the authentication bypass
These observations suggest that CVE-2025-61757 was exploited as a zero-day in the wild.
Which Organizations Are at Risk?
Any environment running the affected Oracle Identity Manager versions is at risk, including:
- Government agencies using Oracle Fusion Middleware
- Enterprises relying on Identity Governance for centralized authentication
- Organizations with exposed Oracle Identity Manager REST endpoints
- Those with incomplete patching of October 2025 Oracle Critical Patch Update releases
Because the flaw is reachable without authentication over the network, any perimeter-exposed instance significantly expands an attacker’s reach.
How Can You Address CVE-2025-61757?
Patch Immediately – Apply Oracle’s October 2025 Critical Patch Update. CISA has mandated that U.S. federal civilian agencies complete remediation by December 12, 2025, but private organizations should not delay.
Review Access Logs for Indicators – Look for requests matching patterns such as:
- .wadl appended to REST endpoints
- Attempts to reach the Groovy script status endpoint
- Unexpected POST requests with similar payload sizes (e.g., ~556 bytes)
Restrict Public Exposure – If possible:
- Move Oracle Identity Manager systems behind VPN or Zero Trust Access
- Filter unusual URI patterns at the web application firewall level
- Disable unnecessary REST APIs
Harden Monitoring – Ensure security teams monitor for authentication bypass attempts, anomalous API activity, and server-side callback traffic, especially outbound connections initiated unexpectedly.
How SOCRadar Can Help
While patching remains the top priority, many organizations still struggle to answer three key questions in a timely way: Where are we exposed? How actively is this being exploited? What should we fix first? SOCRadar XTI, with its Cyber Threat Intelligence (CTI) and Attack Surface Management (ASM) modules, can help close these gaps.

SOCRadar’s Vulnerability Intelligence, Cyber Threat Intelligence module
- Continuously tracks exploitation of CVE-2025-61757 across threat feeds, dark web sources, and underground forums, helping security teams understand which actors are abusing the flaw and how their tradecraft evolves.
- Enriches CVEs with real-time exploit status, KEV inclusion, related malware, and threat context so teams can prioritize assets among other critical issues.
- Automatically discovers exposed instances on the internet-facing perimeter, helping organizations identify forgotten or misconfigured systems that require urgent patching or isolation.
By combining these capabilities, SOCRadar can support faster detection of exploitation attempts, better prioritization of vulnerable assets, and more informed response decisions.
Indicators of Compromise (IOCs)
Organizations investigating potential exploitation of CVE-2025-61757 can reference several known indicators observed in honeypot data and research findings:
Malicious IP Addresses Observed Scanning or Probing
- 89.238.132.76
- 185.245.82.81
- 138.199.29.153
Suspicious Request Paths
Attackers attempted to access authenticated endpoints using matrix parameters:
- /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
- Other REST endpoints with .wadl appended
User Agent Observed in Attacks
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Request Characteristics
- HTTP POST requests
- Payload size around 556 bytes
- Attempts to reach the Groovy script compilation endpoint
These indicators should be correlated with local logs and monitoring tools to identify possible compromise.
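The log review recommended above and the indicator list in this section can be turned into a small hunt script. This is an added example, not SOCRadar tooling: the access-log layout is assumed (combined format, except that the size field is taken to be the request body size), the size tolerance is an assumption, and the sample log lines are constructed; the IP addresses, user agent and endpoint come from the post.

```python
from __future__ import annotations
import re

# Indicators taken from the post's IOC section.
KNOWN_IPS = {"89.238.132.76", "185.245.82.81", "138.199.29.153"}
KNOWN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
GROOVY_ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
PAYLOAD_BYTES, PAYLOAD_TOLERANCE = 556, 32   # tolerance is an assumption, not from the post

# Assumed log layout: ip - - [ts] "METHOD uri PROTO" status request_bytes "referer" "ua"
# (standard combined format logs *response* bytes in that slot; adapt the size rule if so).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
                    r'\d{3} (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
WADL_MATRIX_RE = re.compile(r";[^/]*\.wadl", re.IGNORECASE)

def indicators(line: str) -> list[str]:
    """Names of the post's indicators that one access-log line matches (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m["uri"].partition("?")
    size = int(m["size"]) if m["size"].isdigit() else 0
    hits = []
    if path.startswith("/iam/") and WADL_MATRIX_RE.search(path):
        hits.append("wadl_matrix_param")       # ;.wadl appended to a REST endpoint
    if path.startswith("/iam/") and query.upper() == "WSDL":
        hits.append("wsdl_query")              # ?WSDL appended to a REST route
    if path.startswith(GROOVY_ENDPOINT):
        hits.append("groovy_endpoint")
    if m["method"] == "POST" and abs(size - PAYLOAD_BYTES) <= PAYLOAD_TOLERANCE:
        hits.append("post_payload_size")
    if m["ip"] in KNOWN_IPS:
        hits.append("known_ip")
    if m["ua"] == KNOWN_UA:
        hits.append("known_user_agent")
    return hits

def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """(1-based line number, matched indicators) for every line matching at least one."""
    return [(n, h) for n, line in enumerate(log_text.splitlines(), 1) if (h := indicators(line))]

# Constructed sample log lines (not real traffic): one probe, one ?WSDL attempt, one benign request.
SAMPLE_LOG = """\
89.238.132.76 - - [03/Sep/2025:11:02:17 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 556 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
10.0.0.5 - - [03/Sep/2025:11:03:44 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications?WSDL HTTP/1.1" 401 0 "-" "curl/8.4.0"
10.0.0.9 - - [03/Sep/2025:11:04:01 +0000] "GET /identity/faces/home HTTP/1.1" 200 8802 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

A line matching only `post_payload_size` or `known_user_agent` is weak evidence on its own; the path-based hits and the known IPs are the ones worth escalating.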