
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw affecting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a missing-authentication-for-critical-function weakness that could lead to pre-authenticated remote code execution. It affects versions 12.2.1.4.0 and 14.1.2.1.0. Oracle addressed the issue as part of a quarterly update released last month.

“Oracle Fusion Middleware lacks authentication for vulnerabilities in critical functionality that could allow an unauthenticated, remote attacker to take over Identity Manager,” CISA said.
Searchlight Cyber researchers Adam Cuse and Shubham Shah, who discovered the flaw, said the vulnerability could allow attackers to gain access to API endpoints, allowing them to “manipulate authentication flows, escalate privileges, and move laterally across an organization’s core systems.”
Specifically, the issue stems from a security filter bypass: appending “?WSDL” or “;.wadl” to any URI tricks the filter into treating a protected endpoint as publicly accessible. This is the result of a flaw in the allow-list mechanism, which relies on regular expressions or string matching against the request URI.
“This system is highly error-prone, and there are usually ways to trick these filters into believing you are accessing an unauthenticated route,” the researchers noted.
The authentication bypass can then be chained with a specially crafted HTTP POST to the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus” endpoint to achieve remote code execution. Although this endpoint is only intended to check the syntax of Groovy code and not execute it, Searchlight Cyber says that it “allows you to create Groovy annotations that are executed at compile time, even if the compiled code is not actually executed.”
The addition of CVE-2025-61757 to the KEV catalog was based on analysis of honeypot logs by Johannes B. Ullrich, Director of Research at SANS Technology Institute, which revealed exploitation attempts via HTTP POST requests between August 30 and September 9, 2025. This comes days after SANS reported that several attempts were made to access the URL /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl.
“Several different IP addresses are doing the scanning, but they’re all using the same user agent, which suggests we may be dealing with a single attacker,” Ullrich said. “Unfortunately, the bodies of these requests were not captured, but they were all POST requests. The content length header indicated a 556-byte payload.”

This indicates that the vulnerability could have been exploited as a zero-day long before Oracle shipped a patch. The IP addresses from which the attempts originated are:
89.238.132[.]76
185.245.82[.]81
138.199.29[.]153
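For defenders reviewing web server logs in front of Oracle Identity Manager, the two observations above (the “;.wadl” / “?WSDL” suffix trick and the POST requests to the groovyscriptstatus endpoint from several IPs sharing one user agent) translate directly into log-review logic. The Python below is an added example written for this article; it is not code from Oracle, Searchlight Cyber, SANS or CISA. It assumes the combined (NCSA) access log format, treats everything under the /iam/ prefix as a protected path (an assumption; adjust to your deployment), and runs over constructed sample log lines using RFC 5737 documentation addresses and a placeholder user agent rather than the real indicators listed above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoint named in the article; an unauthenticated POST reaching it is the
# precondition for the RCE chain described above.
GROOVY_ENDPOINT = (
    "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
)
PROTECTED_PREFIX = "/iam/"          # assumption: protected application scope
BYPASS_PATH_SUFFIX = ";.wadl"        # suffix reported in the article
BYPASS_QUERY = re.compile(r"(^|&)wsdl(=|&|$)", re.IGNORECASE)  # ?WSDL trick

# Combined log format: ip ident user [ts] "METHOD uri proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalize_path(uri):
    """Return the path the application actually routes: query string dropped
    and any ';param' path-parameter suffix removed from each segment.
    A filter that matches on the raw request URI sees '...;.wadl' or
    '...?WSDL'; the application sees the protected path. Matching on the
    normalized path is what the allow list should have done."""
    path = urlsplit(uri).path      # urlsplit keeps ';...' inside the path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def classify(entry):
    """Return the reasons one parsed log entry looks like a bypass attempt."""
    reasons = []
    parts = urlsplit(entry["uri"])
    routed = normalize_path(entry["uri"])
    protected = routed.startswith(PROTECTED_PREFIX)
    if protected and BYPASS_PATH_SUFFIX in parts.path:
        reasons.append("';.wadl' suffix on protected path")
    if protected and BYPASS_QUERY.search(parts.query):
        reasons.append("'?WSDL' query on protected path")
    if routed == GROOVY_ENDPOINT and entry["method"] == "POST":
        reasons.append("POST to groovyscriptstatus endpoint")
    return reasons


def scan(log_lines):
    """Parse log lines, collect suspicious requests, and cluster the sources
    that share a user agent (the pattern Ullrich describes: many IPs, one UA)."""
    hits = []
    ua_to_ips = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not combined format
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "method": entry["method"],
                         "uri": entry["uri"], "ua": entry["ua"], "reasons": reasons})
            ua_to_ips[entry["ua"]].add(entry["ip"])
    clusters = {ua: sorted(ips) for ua, ips in ua_to_ips.items() if len(ips) > 1}
    return hits, clusters


# Constructed sample log (documentation addresses, placeholder user agent).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Aug/2025:10:15:02 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 512 "-" "Mozilla/5.0 (scanner-ua-placeholder)"',
    '198.51.100.7 - - [02/Sep/2025:04:41:19 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 512 "-" "Mozilla/5.0 (scanner-ua-placeholder)"',
    '203.0.113.5 - - [03/Sep/2025:11:00:00 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications?WSDL HTTP/1.1" 200 1203 "-" "curl/8.4.0"',
    '192.0.2.55 - - [03/Sep/2025:11:02:13 +0000] "GET /identity/faces/signin HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '192.0.2.56 - - [03/Sep/2025:11:05:00 +0000] "GET /ws/SomeService?WSDL HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, ua_clusters = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']:15} {h['method']:4} {h['uri']}  <- {'; '.join(h['reasons'])}")
    for ua, ips in ua_clusters.items():
        print(f"shared user agent {ua!r} across {len(ips)} sources: {', '.join(ips)}")
```

The last sample line (a WSDL fetch outside the protected prefix) produces no hit, which is the point of scoping the check to the protected path rather than alerting on every “?WSDL”. The same normalize_path idea is the fix on the server side: an allow list that decides on the routed path instead of the raw request URI cannot be steered by a path-parameter or query-string suffix.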
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies must apply the necessary patches by December 12, 2025 to protect their networks.
