CISA Warns of Oracle’s Identity Manager RCE Vulnerability Actively Exploited in Attacks


The Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to immediately address a critical security flaw in Oracle Identity Manager following reports of active exploitation.

The vulnerability, tracked as CVE-2025-61757, allows unauthenticated remote attackers to execute arbitrary code on affected systems, posing a severe threat to enterprise and government networks.

This warning comes in the wake of a massive breach earlier this year involving Oracle Cloud’s own login service, which exposed over six million records.

Security researchers at Searchlight Cyber identified this vulnerability while analyzing the attack surface of Oracle Cloud’s login host. The investigation revealed that the same software stack compromised in January, specifically the Oracle Identity Governance Suite, contained a severe pre-authentication Remote Code Execution (RCE) flaw.

This discovery highlighted a critical oversight in how the application handled authentication filters, leaving hundreds of tenants vulnerable to complete compromise without requiring any valid credentials.

The vulnerability resides within the application’s SecurityFilter mechanism found in the web.xml configuration. This filter was designed to manage authentication checks but relied on a flawed regular expression whitelist.

Developers intended to allow unauthenticated access to Web Application Description Language (WADL) files, but the implementation failed to account for how Java interprets request Uniform Resource Identifiers (URIs).

Attackers can bypass authentication entirely by appending specific matrix parameters to the URL. The research team demonstrated that adding ;.wadl to a request URI tricks the server into treating the request as a harmless WADL retrieval while the underlying Java servlet processes it as a valid API call.

This logical discrepancy grants attackers unrestricted access to restricted REST endpoints, such as /iam/governance/applicationmanagement.
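To make the bypass described above concrete from the defender's side, here is an added illustration (not code from the article, Oracle, or Searchlight Cyber) of why a whitelist regex applied to the raw request URI diverges from the path the servlet actually dispatches on, with a hardened check that normalizes matrix parameters first and a small scanner that flags the disagreement in access-log lines. The exact web.xml pattern is not quoted on the page, so the `.*\.wadl$` regex and the sample log lines are assumptions constructed for the example.

```python
import re

# Assumed shape of the WADL whitelist; the article only says it is a flawed regex.
WADL_WHITELIST = re.compile(r".*\.wadl$")

def strip_matrix_params(uri: str) -> str:
    """Drop the query string and every ';param' suffix on each path segment,
    which is the path a Java servlet container routes on."""
    path = uri.split("?", 1)[0]
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def is_public_flawed(uri: str) -> bool:
    # Flawed check: the regex sees the raw URI, so a trailing ';.wadl' matches
    # even though the servlet will dispatch on the path without that suffix.
    return WADL_WHITELIST.match(uri) is not None

def is_public_fixed(uri: str) -> bool:
    # Hardened check: decide on the same normalized path the servlet dispatches on.
    return WADL_WHITELIST.match(strip_matrix_params(uri)) is not None

# Pulls the request target out of a Combined Log Format line.
LOG_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/\d\.\d"')

def find_matrix_bypass_attempts(log_lines):
    """Return (raw_uri, dispatched_path) for requests where the raw-URI check
    and the normalized check disagree, i.e. matrix parameters made a
    restricted path look like a harmless WADL fetch."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        uri = m.group(1)
        if is_public_flawed(uri) != is_public_fixed(uri):
            hits.append((uri, strip_matrix_params(uri)))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Nov/2025:10:00:01 +0000] "GET /iam/governance/application.wadl HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Nov/2025:10:00:07 +0000] "POST /iam/governance/applicationmanagement;.wadl HTTP/1.1" 200 88',
    '10.0.0.9 - - [21/Nov/2025:10:00:09 +0000] "GET /iam/governance/applicationmanagement HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for uri, path in find_matrix_bypass_attempts(SAMPLE_LOG):
        print(f"suspicious: {uri} -> dispatched as {path}")
```

Running the scanner over web-server access logs is a cheap retrospective check for exploitation attempts while the patch is rolled out; a genuine WADL fetch and a plain authenticated API call produce no hit.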

Once authentication is bypassed, threat actors can leverage the groovyscriptstatus endpoint to achieve code execution. Although this endpoint is intended only to syntax-check Groovy scripts without running them, it does perform compilation.

By injecting a script containing the @ASTTest annotation, attackers can force the Java compiler to execute arbitrary code during the compilation phase. This technique effectively turns a syntax checker into a fully functional remote shell, granting control over the host system.

This vulnerability is particularly dangerous because it requires no prior access or credentials. The combination of a trivial authentication bypass and a reliable method for code execution makes it an attractive target for ransomware groups and state-sponsored actors.

Organizations running Oracle Identity Governance Suite 12c are advised to apply the relevant patches immediately or isolate the affected services from the public internet.

| CVE ID | Affected Product | Vulnerability Type | Impact | Severity |
|---|---|---|---|---|
| CVE-2025-61757 | Oracle Identity Governance Suite 12c (12.2.1.4.0) | Pre-Authentication RCE | Remote Code Execution, Full System Compromise | Critical (9.8) |
| CVE-2021-35587 | Oracle Access Manager | Pre-Authentication RCE | Data Exfiltration, Tenant Compromise | Critical |
