CISA Issues Warning as Hackers Target Oracle Identity Manager RCE Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new Oracle vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that attackers are already exploiting it in real-world attacks.

The bug, tracked as CVE-2025-61757, affects Oracle Identity Manager, part of Oracle Fusion Middleware.

The flaw is rated as a “missing authentication for critical function” issue, meaning a remote attacker can access powerful functions in the product without first logging in.

In practice, this opens the door to full remote code execution and complete takeover of the identity platform.

CVE ID: CVE-2025-61757
Vulnerability Type: Missing Authentication for Critical Function
Affected Product: Oracle Fusion Middleware / Oracle Identity Manager
Affected Versions: 12c 12.2.1.4.0 and likely others

Pre-auth RCE in widely used identity software

Many enterprises and government agencies use Oracle Identity Manager (also known as Oracle Identity Governance) to manage user accounts, credentials, and access rights.

Because it sits at the center of identity and access management, a compromise of this system can quickly lead to domain-wide or cloud-wide compromise.

Security researchers from Searchlight Cyber’s Assetnote team discovered that certain Oracle Identity Manager REST APIs could be accessed without proper authentication checks.

By abusing how the product handles URL patterns and filters, an attacker can trick the system into treating protected endpoints as if they were public.

Once past authentication, the attacker can reach functionality that processes Groovy scripts. Although the feature is intended solely for syntax checking, the researchers showed that it can be abused to run code during compilation.

This turns a simple logic flaw into a powerful pre-authentication remote code execution (RCE) vulnerability.

The research follows an earlier major breach of Oracle Cloud’s login service in January, in which attackers reportedly exploited an older Oracle Access Manager flaw (CVE-2021-35587) to gain RCE and steal millions of records.

The new bug, CVE-2025-61757, affects related identity components and could have been used similarly against Oracle’s own infrastructure if left unpatched.

CISA notes that the vulnerability is particularly concerning because it can be exploited over the network by an unauthenticated attacker.

Given that many Oracle Identity Manager instances are exposed to the internet for user access, the attack surface is significant. CVE-2025-61757 was added to CISA’s KEV catalog on November 21, 2025.

Federal civilian agencies are ordered to apply Oracle’s fixes, follow Binding Operational Directive (BOD) 22-01 guidance for cloud services, or discontinue use of the product by December 12, 2025.

Organizations running Oracle Fusion Middleware and Oracle Identity Manager should urgently deploy the latest Oracle Critical Patch Update, review external exposure of identity services, and monitor for suspicious access to administrative APIs and scripting features.
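As an added example (not code from the article, CISA or Oracle), the following Python models the two defensive points made above: an authentication filter must decide on the canonical request path rather than the raw one, and any administrative or scripting API served to a client with no authenticated principal should be surfaced for review. The endpoint prefixes and log lines are constructed placeholders, not real Oracle Identity Manager paths.

```python
"""Flag unauthenticated requests reaching protected identity-management APIs.
Added example, not code from the article or Oracle; prefixes and log lines
are constructed placeholders."""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical admin and scripting API prefixes that require a principal.
PROTECTED = ("/idm/api/admin", "/idm/api/scripting")

# Constructed log lines: client, user ("-" = unauthenticated), request, status.
SAMPLE_LOG = """\
10.0.0.5 alice "GET /idm/api/admin/users HTTP/1.1" 200
198.51.100.7 - "GET /idm/api/admin/users HTTP/1.1" 401
198.51.100.7 - "GET /idm/api/public/../admin/users HTTP/1.1" 200
198.51.100.7 - "POST /idm/api/scripting/%63heck HTTP/1.1" 200
10.0.0.9 - "GET /idm/public/login HTTP/1.1" 200
"""
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')

def canonical_path(raw: str) -> str:
    """The path an auth filter must decide on: query dropped, percent-decoded,
    slashes collapsed, dot segments resolved."""
    path = re.sub(r"/+", "/", unquote(raw.split("?", 1)[0]))
    return posixpath.normpath(path)

def is_protected(path: str) -> bool:
    """True when the canonical path falls under a protected prefix."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)

def find_suspicious(log_text: str) -> list:
    """Unauthenticated requests whose canonical path is protected. A 401 means
    the filter held; a 2xx, above all with a raw/canonical mismatch, is the
    'suspicious access to administrative APIs' the guidance asks to watch."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(2) != "-":        # malformed, or a real principal
            continue
        client, _, method, raw_path, status = m.groups()
        canon = canonical_path(raw_path)
        if not is_protected(canon):
            continue
        reasons = ["unauthenticated request to protected endpoint"]
        if int(status) < 400:
            reasons.append("served without authentication")
        if canon != raw_path.split("?", 1)[0]:
            reasons.append("raw path differs from canonical path")
        findings.append({"client": client, "method": method, "path": canon,
                         "status": int(status), "reasons": reasons})
    return findings
```

Running `find_suspicious(SAMPLE_LOG)` yields three findings; the 401 is the filter doing its job, while the two 200s on paths that only resolve to protected endpoints after canonicalization are the events worth an alert.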
