483/68 Monday, November 24, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Oracle Identity Manager vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are actively exploiting it in the wild. The flaw, CVE-2025-61757, carries a CVSS score of 9.8/10 and stems from an authentication validation failure. It allows attackers to execute remote code (RCE) and take full control of the system without requiring a username or password. The issue affects versions 12.2.1.4.0 and 14.1.2.1.0.
According to researchers at Searchlight Cyber, the vulnerability is caused by a failure in the product’s security filter, which relies on regex pattern matching to decide which requests are public. By simply appending “?WSDL” or “;.wadl” to the URI, attackers can trick the filter into treating the request as a publicly accessible endpoint that does not require authentication. Once the authentication bypass is achieved, attackers can send malicious commands through an API designed to validate Groovy scripts, causing the malicious code to execute during the compilation stage. This technique enables attackers to escalate privileges and pivot into other critical systems inside an organization with minimal effort.
What makes the issue even more concerning is that data from the SANS Technology Institute shows scanning activity and exploitation attempts as early as late August to early September 2025, well before Oracle released a patch last month. This confirms that the vulnerability was used in zero-day attacks before the vendor became aware of it.
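The bypass described above works because a suffix-matching filter sees “?WSDL” or “;.wadl” and classifies the request as public, while the backend routes the request to whatever path precedes the suffix. A defender can apply the opposite normalization to web access logs: strip the descriptor suffix, recover the path that was actually routed, and flag any request where that path is not a known descriptor endpoint. The Python script below is an added example written for this article; it is not code from The Hacker News, Searchlight Cyber or Oracle. The log lines, the `/placeholder/...` request paths and the `KNOWN_DESCRIPTOR_PATHS` allow-list are constructed placeholders, not real Oracle Identity Manager routes.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in combined access-log format. The request paths are
# hypothetical placeholders, not real Oracle Identity Manager routes.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Sep/2025:10:15:01 +0000] "GET /placeholder/protected/api/v1/items?WSDL HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.10 - - [02/Sep/2025:10:15:02 +0000] "POST /placeholder/protected/api/v1/items;.wadl HTTP/1.1" 200 340 "-" "python-requests/2.31"
198.51.100.7 - - [02/Sep/2025:10:16:10 +0000] "GET /placeholder/protected/api/v1/items HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2025:10:17:00 +0000] "GET /placeholder/public/service?wsdl HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Placeholder allow-list of paths that legitimately serve a WSDL/WADL descriptor.
# In a real deployment this comes from the application's documented public endpoints.
KNOWN_DESCRIPTOR_PATHS = {"/placeholder/public/service"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

WADL_SUFFIX_RE = re.compile(r';\.wadl$', re.IGNORECASE)


def effective_path(target):
    """Split a request target into the path the backend actually routes and the
    descriptor suffix (if any) that a suffix-matching filter would key on.

    Returns (path, trigger); trigger is None when neither suffix is present.
    """
    parts = urlsplit(target)
    # Percent-decode so an encoded ';' or '.' cannot hide the suffix from the check.
    path = unquote(parts.path)
    trigger = None
    if parts.query.lower() == "wsdl":        # "?WSDL" appended as the query string
        trigger = "?WSDL query"
    if WADL_SUFFIX_RE.search(path):          # ";.wadl" appended as a path parameter
        trigger = ";.wadl path parameter"
        path = WADL_SUFFIX_RE.sub("", path)
    # Drop any remaining ';param' segments so comparisons use the routed path only.
    path = re.sub(r';[^/]*', '', path)
    return path, trigger


def analyze(log_text):
    """Return one finding per request that carries a descriptor suffix on a path
    that is not a known descriptor endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, trigger = effective_path(m["target"])
        if trigger is None or path in KNOWN_DESCRIPTOR_PATHS:
            continue
        status = m["status"]
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "path": path,
            "trigger": trigger,
            "status": status,
            # A 2xx on a non-descriptor path means the filter let the request through.
            "verdict": "filter bypass likely succeeded" if status.startswith("2") else "attempt",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} via {f['trigger']} "
              f"-> {f['status']} ({f['verdict']})")
```

Run against the constructed log, the script reports the two suffixed requests to the non-public path and ignores both the unsuffixed request (which was correctly rejected with 401) and the genuine descriptor fetch on the allow-listed path. The same normalization, run over retained access logs from the late August to early September 2025 window the article mentions, is the quickest way to tell whether a given instance was probed before the patch went on.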
As a result, CISA has issued a directive requiring all U.S. federal agencies to apply the latest security patch no later than December 12, 2025. Organizations using Oracle Identity Manager are strongly urged to review their systems immediately, apply the updated patches, and take urgent steps to mitigate the risk of compromise.
Source: https://thehackernews.com/2025/11/cisa-warns-of-actively-exploited.html
