CISA Issues Warning About Actively Exploited Critical Vulnerability in Oracle Identity Manager

CISA has released an alert, and added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, for a critical security vulnerability in Oracle Identity Manager that is being actively exploited. The vulnerability is tracked as CVE-2025-61757 and carries a CVSS score of 9.8.

Zero-Day Vulnerability in Oracle Identity Manager

CVE-2025-61757 is a missing-authentication flaw in a critical function: an unauthenticated attacker with network access to the application can reach functionality that should require a login and use it to execute code remotely. The vulnerability affects the following versions:

  • 12.2.1.4.0
  • 14.1.2.1.0

Oracle fixed the flaw in its October 2025 Critical Patch Update, the quarterly release issued the month before this alert.

Impact of the Attack

According to researchers at Searchlight Cyber, attackers can use this flaw to:

  • access APIs without authentication
  • manipulate the login flow
  • escalate privileges
  • move laterally into an organization’s core systems

The root cause is that the authentication filter exempts requests that look like requests for a service descriptor (a WSDL or WADL document). Appending ?WSDL or ;.wadl to the URL of a protected resource satisfies that exemption while the application still serves the protected resource, so the request reaches it without any authentication.

Exploitation Already Observed

Honeypot logs show attempts to reach the affected endpoints since late August 2025, weeks before Oracle's October patch. The flaw was therefore being probed as a zero-day before a fix was available.

Security Recommendations

CISA urges all organizations to:

  • install the latest Oracle updates immediately
  • review all production systems for affected Oracle Identity Manager versions
  • monitor for suspicious API activity, in particular unauthenticated requests whose URLs carry ?WSDL or ;.wadl appended to protected endpoints

For U.S. federal civilian agencies, applying the patch is mandatory by December 12, 2025, the remediation deadline set when the vulnerability was added to the KEV catalog.
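To make the filter bypass described above concrete, and to show what the recommended API monitoring can key on, here is an added example written for this article. It is not Oracle's code and does not reproduce the real exploit chain; the protected prefix /api/, the descriptor path /api/service.wadl and the access-log lines are all constructed for illustration. The block models an authentication filter that exempts service-descriptor (WSDL/WADL) requests by pattern-matching the raw URL, the hardened form that decides on the normalized resource path against an explicit allow-list, and a detector that flags log entries where the raw URL claims to be a descriptor request but resolves to a protected endpoint.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: every resource under this prefix requires an authenticated session.
PROTECTED_PREFIX = "/api/"
# Assumption: the only service descriptor the application really exposes.
DESCRIPTOR_PATHS = {"/api/service.wadl"}
# The exemption the vulnerable filter applies: "looks like a WSDL/WADL request".
DESCRIPTOR_RE = re.compile(r"(\.wadl$|\?WSDL$)", re.IGNORECASE)


def naive_is_descriptor(raw_url: str) -> bool:
    """Vulnerable check: decides on how the *raw* URL ends, so '?WSDL' or
    ';.wadl' appended to any protected resource satisfies it."""
    return bool(DESCRIPTOR_RE.search(raw_url))


def naive_filter(raw_url: str, authenticated: bool) -> bool:
    """Returns True if the request is let through to the resource."""
    if naive_is_descriptor(raw_url):
        return True          # descriptor requests need no session
    return authenticated


def normalize_path(raw_url: str) -> str:
    """Resolve the URL to the resource the container will actually dispatch to:
    query string removed, percent-encoding decoded, matrix parameters (';...')
    dropped from every segment, empty and dot segments collapsed."""
    segments = []
    for seg in urlsplit(raw_url).path.split("/"):
        seg = unquote(seg).split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def hardened_filter(raw_url: str, authenticated: bool) -> bool:
    """Same decision, but taken on the normalized path against an explicit
    allow-list, so decorating the URL cannot change the outcome."""
    path = normalize_path(raw_url)
    if path in DESCRIPTOR_PATHS:
        return True
    if path.startswith(PROTECTED_PREFIX):
        return authenticated
    return True              # outside the protected area (e.g. the login page)


# Constructed access-log lines (Common Log Format) for the detection part.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Aug/2025:10:12:01 +0000] "GET /api/users;.wadl HTTP/1.1" 200 512',
    '203.0.113.5 - - [30/Aug/2025:10:12:02 +0000] "GET /api/users?WSDL HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Aug/2025:10:13:00 +0000] "GET /api/service.wadl HTTP/1.1" 200 9001',
    '198.51.100.7 - - [30/Aug/2025:10:13:05 +0000] "POST /api/users HTTP/1.1" 401 0',
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_requests(lines):
    """Flag requests whose raw URL claims to be a descriptor request while the
    resolved resource is a protected, non-descriptor endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"]
        path = normalize_path(url)
        if (naive_is_descriptor(url)
                and path.startswith(PROTECTED_PREFIX)
                and path not in DESCRIPTOR_PATHS):
            hits.append((m["ip"], m["method"], url, m["status"]))
    return hits


if __name__ == "__main__":
    for url in ("/api/users", "/api/users?WSDL", "/api/users;.wadl", "/api/service.wadl"):
        print(f"{url:20} naive={naive_filter(url, False)!s:5} hardened={hardened_filter(url, False)}")
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The underlying defect the naive filter models is a parsing mismatch: the filter reasons about the raw URL while the servlet container strips the query string and matrix parameters before choosing the resource, so the two disagree about what is being requested. In a real filter the robust fix is to take the decision on the path the container has already resolved rather than re-parsing the URL, and to allow-list the few descriptor resources explicitly instead of exempting anything that ends in a descriptor-like suffix. For monitoring, a 200 response on a flagged request is the strongest signal, since a correctly patched server should answer such a request with 401 or 403 just as it does for the undecorated URL.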

Source: https://thehackernews.com/2025/11/cisa-warns-of-actively-exploited.html