The US Cybersecurity & Infrastructure Security Agency (CISA) has added a high-risk Oracle Identity Manager vulnerability (CVE-2025-61757) to its list of actively exploited vulnerabilities.
The flaw is a pre-authentication remote code execution (RCE) vulnerability stemming from an authentication bypass in Oracle Identity Manager’s REST APIs. It exists due to improper input validation within the REST WebServices component, and a remote, unauthenticated attacker can exploit it to execute arbitrary code.
Once an attacker gains unauthenticated access, they can reach a Groovy script compilation endpoint. While typically not used to execute code, the endpoint can be abused to run malicious commands at compile time through Groovy’s annotation-processing mechanisms. Oracle patched the issue in its October 2025 security updates.
Searchlight Cyber published a technical report detailing the flaw and providing full exploitation information.
According to Johannes Ullrich, Dean of Research at the SANS Technology Institute, attackers may have been exploiting the flaw as early as August 30, well before the patch became available.
All organizations using Oracle Identity Manager are strongly advised to apply the October patches as soon as possible and to check systems for potential compromise.