The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new warning after confirming that a severe vulnerability in Oracle Identity Manager is being exploited in the wild. The flaw tracked as CVE-2025-61757 has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
CVE-2025-61757 carries a CVSS score of 9.8 and stems from a missing authentication check that allows attackers to execute code remotely without credentials. The issue affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, and Oracle fixed it during last month’s quarterly security update.
According to CISA, the weakness “allows unauthenticated remote attackers to take over Identity Manager,” making it a high-risk threat for organizations that rely on Oracle Fusion Middleware.
How the Vulnerability Works
The flaw was discovered by Searchlight Cyber researchers Adam Kues and Shubham Shah, who found that attackers can reach sensitive API endpoints simply by appending ?WSDL or ;.wadl to any request URI.
This manipulation bypasses a fragile allow-list mechanism built on regular-expression filters, a class of filter that is notoriously easy to trick.
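As an added illustration of the design flaw described above (this is not Oracle's code and not the actual filter in Identity Manager), the following Python places a hypothetical regex allow-list that inspects the raw request URI beside a default-deny check made on the canonical routed path. Only the groovyscriptstatus endpoint path comes from the article; the public-descriptor entries, the `compare` helper and the suffix regex are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the article: must never be reachable without credentials.
PROTECTED_PATHS = {
    "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus",
}

# Hypothetical allow-list in the style the article describes: a regex over the
# raw request URI that exempts service descriptors (WSDL/WADL) from
# authentication. Illustrative only; this is not Oracle's actual filter.
FRAGILE_PUBLIC_RE = re.compile(r"(\?WSDL$|;\.wadl$)", re.IGNORECASE)


def fragile_requires_auth(request_uri: str) -> bool:
    """Weak design: whatever the raw URI looks like, a 'public' suffix skips auth."""
    return not FRAGILE_PUBLIC_RE.search(request_uri)


def canonical_path(request_uri: str) -> str:
    """Reduce a request URI to the path the application actually routes on:
    drop the query string, strip matrix parameters (';...') from every
    segment and collapse duplicate slashes."""
    path = urlsplit(request_uri).path
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return re.sub(r"/{2,}", "/", "/".join(segments))


# Hypothetical descriptors that may be served anonymously, keyed by exact
# canonical path and lower-cased query string (assumed values).
PUBLIC_DESCRIPTORS = {
    ("/iam/example-service", "wsdl"),
    ("/iam/example-api/application.wadl", ""),
}


def hardened_requires_auth(request_uri: str) -> bool:
    """Default-deny design: decide on the canonical routed path, let protected
    paths win over any exemption, and allow anonymous access only to an exact
    (path, query) pair on the public list."""
    path = canonical_path(request_uri)
    if path in PROTECTED_PATHS:
        return True
    query = urlsplit(request_uri).query.lower()
    return (path, query) not in PUBLIC_DESCRIPTORS


def compare(request_uri: str) -> dict:
    """Show both decisions side by side for one request URI."""
    return {
        "canonical_path": canonical_path(request_uri),
        "fragile_requires_auth": fragile_requires_auth(request_uri),
        "hardened_requires_auth": hardened_requires_auth(request_uri),
    }


if __name__ == "__main__":
    base = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
    for uri in (base, base + "?WSDL", base + ";.wadl", "/iam/example-service?WSDL"):
        print(uri, compare(uri))
```

The point of the hardened variant is that the authentication decision and the routing decision are made on the same normalised value, so nothing an attacker appends to the URI can make the filter and the router disagree about which resource is being requested.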
Once the attacker gets past this authentication layer, they can target the endpoint:
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus
That endpoint is intended only to check Groovy code syntax, not execute it. But the researchers discovered that they could craft a Groovy annotation that runs during compilation, resulting in remote code execution even though the code isn’t meant to run at runtime.
This gives attackers a way to escalate privileges, alter authentication flows, and pivot deeper into the network.
Evidence of Active and Possible Zero-Day Exploitation
CISA’s announcement follows independent observations by Johannes B. Ullrich of the SANS Technology Institute. Ullrich reported that honeypots recorded repeated POST requests targeting the GroovyScriptStatus endpoint between August 30 and September 9, 2025, weeks before patches were available.
The requests all shared the same user agent but came from multiple IP addresses, suggesting a single actor using a distributed scanning system. Payloads were about 556 bytes, though the honeypots didn’t capture the full request bodies.
The IPs involved include:
1. 89.238.132[.]76
2. 185.245.82[.]81
3. 138.199.29[.]153
These findings point strongly toward zero-day exploitation, with attackers probing exposed Oracle Identity Manager systems long before the official fix.
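As an added example, not from the article, SANS or Oracle, the following Python applies the indicators reported above to reverse-proxy access logs: POST requests to the GroovyScriptStatus endpoint, WSDL/WADL suffixes on /iam/ paths, the three listed source addresses, and the one-user-agent-from-many-IPs pattern that Ullrich read as a single distributed scanner. The log format (Apache/Nginx combined) and every sample line, including the user-agent string, are constructed for the demonstration; only the endpoint path and the three IP addresses come from the article.

```python
import re
from collections import defaultdict

# Indicators reported in the article (de-fanged there with "[.]"; plain here).
IOC_IPS = {"89.238.132.76", "185.245.82.81", "138.199.29.153"}
TARGET_ENDPOINT = (
    "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
)

# Apache/Nginx "combined" access-log format (assumed format of the reverse
# proxy in front of Identity Manager).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the reasons a record deserves analyst attention (empty if none)."""
    reasons = []
    uri = rec["uri"].lower()
    if rec["method"] == "POST" and TARGET_ENDPOINT in uri:
        reasons.append("post-to-groovyscriptstatus")
    # The bypass described in the article decorates a protected URI with a
    # descriptor suffix; such suffixes on an /iam/ path are not normal traffic.
    if uri.startswith("/iam/") and (uri.endswith("?wsdl") or ";.wadl" in uri):
        reasons.append("metadata-suffix-on-iam-path")
    if rec["ip"] in IOC_IPS:
        reasons.append("known-scanner-ip")
    return reasons


def analyze(lines):
    """Scan access-log lines; return flagged records plus user agents seen from
    more than one source address among the flagged records."""
    hits = []
    ips_by_ua = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "uri": rec["uri"], "reasons": reasons})
            ips_by_ua[rec["ua"]].add(rec["ip"])
    # One user agent arriving from several addresses is the pattern the
    # article describes as a single actor behind a distributed scanner.
    clusters = {ua: sorted(ips) for ua, ips in ips_by_ua.items() if len(ips) > 1}
    return {"hits": hits, "clusters": clusters}


# Constructed sample log lines (not the real honeypot data).
SAMPLE_LOG = [
    '89.238.132.76 - - [30/Aug/2025:11:02:13 +0000] "POST ' + TARGET_ENDPOINT
    + '?WSDL HTTP/1.1" 200 1460 "-" "Mozilla/5.0 (constructed-scanner-ua)"',
    '185.245.82.81 - - [02/Sep/2025:03:41:09 +0000] "POST ' + TARGET_ENDPOINT
    + ';.wadl HTTP/1.1" 200 1460 "-" "Mozilla/5.0 (constructed-scanner-ua)"',
    '138.199.29.153 - - [09/Sep/2025:17:15:55 +0000] "POST ' + TARGET_ENDPOINT
    + '?WSDL HTTP/1.1" 200 1460 "-" "Mozilla/5.0 (constructed-scanner-ua)"',
    '10.0.0.5 - - [09/Sep/2025:17:16:02 +0000] "GET /iam/ui/ HTTP/1.1" 200 8823 '
    '"-" "Mozilla/5.0 (Windows NT 10.0; rv:128.0) constructed-browser"',
    '10.0.0.7 - admin [09/Sep/2025:17:20:41 +0000] "POST ' + TARGET_ENDPOINT
    + ' HTTP/1.1" 200 310 "-" "Mozilla/5.0 (Windows NT 10.0; rv:128.0) constructed-browser"',
    "not a log line",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["ip"], hit["uri"], ",".join(hit["reasons"]))
    print("clustered user agents:", result["clusters"])
```

The internal admin's POST is still reported, only with the single reason "post-to-groovyscriptstatus"; on a patched system that is expected activity, but reviewing every caller of the endpoint for the August to September window is exactly the check a responder would want, given that the honeypot traffic predates the patch.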
Federal Agencies Given a Patch Deadline
Because the vulnerability is being actively exploited, CISA has mandated that all Federal Civilian Executive Branch agencies apply the necessary Oracle patches no later than December 12, 2025. Organizations outside the federal space are also urged to patch immediately, given the severity and ease of exploitation.
CVE-2025-61757 is another reminder that authentication bypass bugs, especially those hiding behind complex middleware, can rapidly become high-value targets for attackers looking to gain initial access or move laterally across critical systems.
Source: The Hacker News