Categories: Cyber Security News

CISA Alerts on Oracle Identity Manager RCE Flaw Being Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical remote code execution vulnerability in Oracle Identity Manager that threat actors are actively exploiting.

The flaw, tracked as CVE-2025-61757, allows unauthenticated attackers to completely take over vulnerable systems without needing any login credentials.

| CVE ID | Affected Product | Severity | Impact |
| --- | --- | --- | --- |
| CVE-2025-61757 | Oracle Fusion Middleware (Oracle Identity Manager) | Critical (pre-authentication RCE) | Remote code execution, complete system takeover |

Critical Pre-Authentication Vulnerability Discovered

Security researchers at Searchlight Cyber discovered this severe vulnerability in Oracle’s Identity Management software, which is widely used by hundreds of enterprises and government organizations to protect user credentials and manage digital identities.

The flaw affects Oracle Fusion Middleware and involves a missing authentication check that allows remote attackers to gain complete control over Identity Manager installations.

The vulnerability arrives against a significant historical backdrop. In January 2025, Oracle Cloud’s login service was breached, compromising 6 million records and affecting over 140,000 Oracle Cloud tenants.

That breach exploited an older vulnerability, demonstrating the serious consequences when Oracle’s identity management systems are compromised.

The newly discovered CVE-2025-61757 could be used to compromise those same systems in a similar way, as it affects both Oracle Access Manager and Oracle Identity Manager components.

What makes this vulnerability particularly dangerous is its pre-authentication nature. Attackers do not need valid credentials or prior access to exploit the system.

The flaw lies in how the software’s security filters handle authentication checks: threat actors can bypass these protections entirely with specially crafted web requests.

Researchers found that Oracle Identity Manager uses a central security filter that can be bypassed by manipulating request parameters.

By adding specific strings to web addresses, attackers can trick the authentication system into granting access to restricted administrative functions.

Once past this security barrier, an attacker can reach endpoints that compile Groovy scripts, and those endpoints can be weaponized to achieve remote code execution.
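The filter weakness described above belongs to a well-known class: a central authentication filter that decides on the raw request path, or that exempts paths by pattern, can be talked past by a path that looks different but resolves to the same restricted resource. The following is an added example, not Oracle’s code and not the researchers’ findings, of the defensive shape such a filter should take: deny by default, allow only an exact list of public paths, and canonicalize the path (query stripped, path parameters dropped, percent-decoding repeated until stable, dot segments collapsed) before any policy decision. It also shows a small log check that flags requests which only reach an administrative path after canonicalization. The path names, role names and log lines are constructed for illustration.

```python
"""Added example (not Oracle's code): deny-by-default authentication guard with
path canonicalization, plus a log check for requests that reach administrative
paths only after canonicalization. All paths, roles and log lines are constructed."""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed allowlist: the only paths that legitimately need no session.
PUBLIC_PATHS = frozenset({"/identity/login", "/identity/health"})
# Constructed prefix under which administrative functions live.
ADMIN_PREFIX = "/identity/admin/"


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to one canonical form before any policy decision."""
    # Policy must never depend on the query string or fragment.
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    # Drop path parameters (";jsessionid=..." style) from every segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Percent-decode until stable so double encoding cannot hide a segment.
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    # Collapse ".", ".." and repeated slashes; force exactly one leading slash
    # (posixpath.normpath deliberately preserves a leading "//").
    path = posixpath.normpath(path)
    return "/" + path.lstrip("/")


def is_admin_path(path: str) -> bool:
    """True for the admin root itself and anything beneath it."""
    return path == ADMIN_PREFIX.rstrip("/") or path.startswith(ADMIN_PREFIX)


def authorize(raw_path: str, roles: Optional[frozenset]) -> str:
    """Return "allow" or "deny". roles is None for an unauthenticated request."""
    path = canonicalize(raw_path)
    if path in PUBLIC_PATHS:          # exact match only, never prefix or suffix
        return "allow"
    if roles is None:                 # everything not explicitly public needs a session
        return "deny"
    if is_admin_path(path) and "admin" not in roles:
        return "deny"
    return "allow"


def suspicious_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag entries whose raw path differs from its canonical form and lands under
    the admin prefix: a path that had to be decoded or dot-collapsed to reach an
    administrative function deserves a closer look. Returns (raw, canonical, status)."""
    flagged = []
    for line in log_lines:
        method, raw_path, status = line.split()
        canonical = canonicalize(raw_path)
        if is_admin_path(canonical) and canonical != raw_path.split("?", 1)[0]:
            flagged.append((raw_path, canonical, status))
    return flagged


# Constructed access-log lines in "METHOD PATH STATUS" form.
SAMPLE_LOG = [
    "GET /identity/login 200",
    "GET /identity/admin/users 401",
    "GET /identity/login/../admin/users 200",
    "GET /identity/%61dmin/users?x=1 200",
]

if __name__ == "__main__":
    for raw, canonical, status in suspicious_requests(SAMPLE_LOG):
        print(f"{status} {raw} -> {canonical}")
```

The important design choice is the order of operations: the decision is made on the canonical path and nothing else, and the public set is an exact-match allowlist, so there is no pattern for an unexpected prefix, suffix or parameter to satisfy. The log check is deliberately crude; in practice it would be joined with the session state recorded for each request.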

The exploitation technique leverages Java annotation processors that execute during code compilation rather than at runtime.

This means attackers can run malicious code even when the compiled script itself is never executed, which makes the vulnerability especially subtle and difficult to defend against without the proper patches.

CISA has added CVE-2025-61757 to its Known Exploited Vulnerabilities catalog, setting a remediation deadline of December 12, 2025, for federal agencies.

Organizations running Oracle Identity Manager must apply security patches immediately according to Oracle’s security advisories.

For systems where patches cannot be applied, CISA recommends following BOD 22-01 guidance for cloud services or discontinuing use of vulnerable products until proper mitigations are available.

The vulnerability remains under active exploitation, and security teams should prioritize patching efforts for any Oracle Identity Manager installations in their environments.

The post CISA Alerts on Oracle Identity Manager RCE Flaw Being Actively Exploited appeared first on Cyber Security News.
