The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed critical flaw in Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog. The agency confirmed that the vulnerability is being exploited in real-world attacks.
The flaw is tracked as CVE-2025-61757 and carries a CVSS score of 9.8. It is a missing-authentication weakness in a critical function that lets an attacker execute code remotely without any login credentials. It affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0. Oracle patched the problem in its quarterly update last month.
According to CISA, unauthenticated attackers can take control of Oracle Identity Manager by exploiting this security gap.
Researchers Adam Kues and Shubham Shah from Searchlight Cyber, who discovered the issue, explained that attackers can abuse the bug to access protected API endpoints. Once inside, they may manipulate authentication processes, elevate privileges and move deeper into an organization’s systems.
Root Cause of the Vulnerability
The flaw exists because authentication is not enforced on the affected resources. Appending ?WSDL or ;.wadl to the end of a request URL tricks Oracle Identity Manager into treating a protected resource as publicly accessible.
This behavior is the result of an unreliable allow-list mechanism that decides whether a resource is public by applying string matching or regular expressions to the raw requested URI.
The researchers noted that this kind of filtering is fragile: a URI can be written in many equivalent forms, and a pattern that recognizes one of them can be bypassed by crafting the URL in an unexpected way.
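To make the root cause concrete, here is an added Python example (written for this edit, not code from Oracle, Searchlight Cyber or the article) that contrasts a fragile suffix-based allow list with one that canonicalizes the path before deciding. Only the groovyscriptstatus endpoint and the two suffixes come from the article; the allow-list patterns, the public prefix and the public descriptor path are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote

# Protected OIM endpoint named in the article, used as the test target.
PROTECTED = ("/iam/governance/applicationmanagement/api/v1/"
             "applications/groovyscriptstatus")

# --- Fragile variant: regex over the raw request URI --------------------
# Hypothetical allow-list patterns. They encode the intent "service
# descriptors (WSDL/WADL) and the public area need no login" by looking
# only at the shape of the URI string.
PUBLIC_URI_PATTERNS = [
    re.compile(r"\?WSDL$", re.IGNORECASE),
    re.compile(r";\.wadl$", re.IGNORECASE),
    re.compile(r"^/iam/governance/public/"),
]


def is_public_fragile(request_uri: str) -> bool:
    """Vulnerable check: any protected resource becomes 'public' by appending
    ?WSDL or ;.wadl, because the regex sees only the suffix while the
    container still routes the request to the underlying resource."""
    return any(p.search(request_uri) for p in PUBLIC_URI_PATTERNS)


# --- Hardened variant: canonicalize first, then decide on the path -------
PUBLIC_PATH_PREFIXES = ("/iam/governance/public/",)                         # hypothetical
PUBLIC_DESCRIPTORS = {"/iam/governance/public/descriptors/application.wadl"}  # hypothetical


def canonical_path(request_uri: str):
    """Reduce a request URI to the path the dispatcher will actually route:
    drop query string and fragment, percent-decode each segment, strip matrix
    parameters (';...') from every segment, collapse '.', '..' and repeated
    slashes. Returns None if decoding would introduce a new separator or a
    NUL byte, so the caller can fail closed."""
    path = request_uri.split("#", 1)[0].split("?", 1)[0]
    segments = []
    for seg in path.lstrip("/").split("/"):
        decoded = unquote(seg)
        if "/" in decoded or "\\" in decoded or "\x00" in decoded:
            return None
        segments.append(decoded.split(";", 1)[0])   # 'x;.wadl' -> 'x'
    return posixpath.normpath("/" + "/".join(segments))


def is_public_hardened(request_uri: str) -> bool:
    """Deny by default; grant unauthenticated access only when the canonical
    path is an enumerated descriptor or lies under a public prefix."""
    path = canonical_path(request_uri)
    if path is None:
        return False
    if path in PUBLIC_DESCRIPTORS:
        return True
    return any(path.startswith(prefix) for prefix in PUBLIC_PATH_PREFIXES)


def compare(uris):
    """Return {uri: (fragile_verdict, hardened_verdict)} for a list of URIs."""
    return {u: (is_public_fragile(u), is_public_hardened(u)) for u in uris}


if __name__ == "__main__":
    # Constructed probes: the two suffixes from the article, an encoded
    # traversal out of the public area, and a public descriptor (hypothetical).
    probes = [
        PROTECTED,
        PROTECTED + "?WSDL",
        PROTECTED + ";.wadl",
        "/iam/governance/public/%2e%2e/applicationmanagement/api/v1/"
        "applications/groovyscriptstatus;.wadl",
        "/iam/governance/public/descriptors/application.wadl",
    ]
    for uri, (fragile, hardened) in compare(probes).items():
        print(f"{uri}\n  fragile={fragile}  hardened={hardened}")
```

The point of the hardened variant is not a better regex but a different input: the decision is made on the same canonical path the container will dispatch to, and anything that cannot be canonicalized safely is denied. A genuinely public descriptor then has to be listed by its real path rather than recognized by a suffix that any caller can append.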
How Attackers Achieve Remote Code Execution
After bypassing authentication, attackers can send a crafted HTTP POST request to the following Oracle Identity Manager endpoint:
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus
This endpoint is meant only to validate the syntax of submitted Groovy code. Searchlight Cyber showed, however, that a Groovy annotation can be crafted so that its logic runs at compile time, even though the submitted script itself is never executed. Because the syntax check compiles the script, this yields remote code execution on the server.
Evidence of Active Attacks Before Patching
CISA added the vulnerability to the KEV list shortly after Johannes B. Ullrich from the SANS Technology Institute revealed honeypot data indicating multiple exploitation attempts between August 30 and September 9, 2025.
Honeypots recorded repeated POST requests to the same vulnerable endpoint with the following URL pattern:
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
Ullrich reported that several IP addresses ran the scan with the same User-Agent string, suggesting a single attacker or a coordinated operation. Although the honeypot did not capture the full payloads, the Content-Length header indicated a 556-byte POST body.
This indicates that the flaw was being exploited as a zero-day weeks before Oracle released its patches.
The identified IP addresses involved in the scans are:
89.238.132[.]76
185.245.82[.]81
138.199.29[.]153
Urgent Patching Required
Due to verified exploitation attempts, Federal Civilian Executive Branch agencies are required to deploy the security patches no later than December 12, 2025, to prevent compromise of their systems.