The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued an urgent advisory instructing federal agencies to remediate a critical remote code execution (RCE) flaw in Oracle Identity Manager, identified as CVE-2025-61757. The vulnerability is already being actively exploited in the wild and may have been leveraged as a zero-day prior to the vendor’s security patch.
CVE-2025-61757 is a pre-authentication RCE vulnerability uncovered by Searchlight Cyber researchers Adam Kues and Shubham Shah. The weakness originates from an authentication bypass affecting Oracle Identity Manager’s REST API endpoints. By appending parameters such as ?WSDL or ;.wadl to API paths, attackers can manipulate a security filter into treating protected routes as publicly accessible.
Once the authentication barrier is bypassed, adversaries gain access to a Groovy script compilation endpoint. Although this endpoint is not intended to execute scripts directly, it can be abused to run arbitrary code at compile time through Groovy’s annotation-processing capabilities. When chained together, these conditions enable full pre-authentication remote code execution on vulnerable Oracle Identity Manager systems.
Oracle addressed the flaw in its October 2025 Critical Patch Update released on October 21. However, the publication of a detailed technical analysis by Searchlight Cyber—including all necessary exploit components—significantly raises the risk of widespread malicious activity. The researchers noted the unusual simplicity of the exploit path, remarking that it is “trivial and easily exploitable” compared to previous Oracle Access Manager vulnerabilities.
In response to confirmed exploitation, CISA has added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) list. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the patch no later than December 12. CISA emphasized that vulnerabilities of this nature remain a common and highly effective attack vector for threat actors targeting government networks.
While no exploitation details were provided by CISA, independent analysis from Johannes Ullrich, Dean of Research at the SANS Technology Institute, indicates that the vulnerability may have been targeted as early as August 30, weeks before Oracle issued a fix. Ullrich observed repeated probing of the vulnerable Groovy-related URLs between August 30 and September 9, originating from multiple IP addresses but utilizing a single user-agent string, suggesting a coordinated campaign.
The attacker activity involved HTTP POST requests to endpoints aligned with the Searchlight Cyber proof of concept:
- /iam/governance/applicationmanagement/templates;.wadl
- /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
The activity was traced to IP addresses 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153, all using a user agent corresponding to Chrome 60 on Windows 10.
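As an added illustration, not code from the article, CISA, SANS or Searchlight Cyber, the following Python script shows how a defender could sweep web-server access logs for the request pattern described above: requests to the /iam/governance/ REST API whose target carries a ;.wadl path suffix or a ?WSDL query parameter, with hits on the groovyscriptstatus endpoint ranked highest. The log lines are constructed for the example; the two request paths and the three IP addresses are the ones quoted in the article, while the exact Chrome 60 user-agent string, timestamps and the benign entries are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# IPs named in the article (printed there defanged); refanged here for matching.
KNOWN_IOC_IPS = {
    s.replace("[.]", ".")
    for s in ("89.238.132[.]76", "185.245.82[.]81", "138.199.29[.]153")
}

API_PREFIX = "/iam/governance/"            # Oracle Identity Manager REST API root
HIGH_RISK_PATHS = ("groovyscriptstatus",)  # the Groovy script compilation endpoint

# Assumed Chrome 60 / Windows 10 user agent (the article gives only the browser
# and OS, not the literal string).
ATTACKER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")

# Constructed combined-format access-log sample: three probes plus one benign call.
SAMPLE_LOG = "\n".join([
    f'89.238.132.76 - - [30/Aug/2025:14:02:11 +0000] "POST /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512 "-" "{ATTACKER_UA}"',
    f'185.245.82.81 - - [02/Sep/2025:09:17:45 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 128 "-" "{ATTACKER_UA}"',
    '10.0.0.5 - alice [02/Sep/2025:09:18:02 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    f'138.199.29.153 - - [09/Sep/2025:22:41:30 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications?WSDL HTTP/1.1" 200 64 "-" "{ATTACKER_UA}"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format access-log line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def bypass_markers(target: str):
    """Return the auth-bypass markers present in a request target.

    The advisory describes two forms: a ';.wadl' path-parameter suffix and a
    '?WSDL' query parameter appended to a protected REST route.
    """
    parts = urlsplit(target)
    markers = []
    if parts.path.lower().endswith(";.wadl"):
        markers.append(";.wadl")
    for pair in parts.query.split("&"):
        if pair and pair.split("=", 1)[0].upper() == "WSDL":
            markers.append("?WSDL")
            break
    return markers


def classify(target: str):
    """Severity for one request target: 'high', 'medium' or None (not suspicious)."""
    path = urlsplit(target).path
    if not path.startswith(API_PREFIX) or not bypass_markers(target):
        return None
    # A bypass marker on any protected route is an attempted auth bypass;
    # the same marker on the Groovy endpoint is the full RCE chain.
    bare = path[:-len(";.wadl")] if path.lower().endswith(";.wadl") else path
    if any(seg in bare.lower() for seg in HIGH_RISK_PATHS):
        return "high"
    return "medium"


def scan(log_text: str):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec["target"])
        if sev:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "target": rec["target"], "ua": rec["ua"],
                             "severity": sev, "markers": bypass_markers(rec["target"])})
    return findings


def summarize(findings):
    """Group hits by user agent (the SANS signal: many IPs, one UA) and check IoCs."""
    by_ua = defaultdict(set)
    for f in findings:
        by_ua[f["ua"]].add(f["ip"])
    return {
        "total": len(findings),
        "high": sum(f["severity"] == "high" for f in findings),
        "known_ioc_hits": sorted({f["ip"] for f in findings} & KNOWN_IOC_IPS),
        "ips_per_user_agent": {ua: sorted(ips) for ua, ips in by_ua.items()},
    }


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["severity"]:6} {h["ip"]:15} {h["method"]} {h["target"]} {h["markers"]}')
    print(summarize(hits))
```

Run it against real access logs by replacing SAMPLE_LOG with the file contents; the per-user-agent grouping is what surfaces the "multiple IPs, one user agent" pattern Ullrich described, and any finding on the groovyscriptstatus route warrants treating the host as potentially compromised rather than merely probed.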
This incident highlights a growing trend in targeting identity and access management (IAM) platforms—high-value systems that provide attackers with broad access and elevated privileges once compromised. With proof-of-concept code publicly available and exploitation already confirmed, organizations running Oracle Identity Manager should prioritize immediate patch deployment and conduct thorough log reviews for suspicious REST API activity.
