CVE-2025-61757: Critical Oracle Identity Manager Vulnerability Under Active Exploitation
Overview
In October 2025, a critical vulnerability was disclosed in Oracle Identity Manager (OIM), identified as CVE-2025-61757. The flaw resides in OIM’s REST WebServices component, where a missing authentication check allows an unauthenticated attacker to access sensitive API endpoints and trigger privileged operations.
The vulnerability affects OIM versions 12.2.1.4.0 and 14.1.2.1.0, carries a CVSS score of 9.8, and enables pre-authentication remote code execution (RCE). Shortly after disclosure, exploitation attempts were observed in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities (KEV) catalog.
Because OIM is often deployed at the core of enterprise identity governance, this vulnerability provides attackers with an extremely powerful pivot point inside an organization.
How it works
The issue stems from how OIM handles filtering and classification of REST WebServices endpoints.
Certain path manipulation techniques, such as appending .wadl, ?WSDL, or a similar metadata-file indicator to the request path, cause the application’s authentication filter to incorrectly categorize the request as non-protected.
When this happens, protected internal endpoints become reachable without credentials. One of those endpoints handles Groovy script validation: it compiles submitted Groovy code for syntax checking. By submitting a crafted POST request containing a Groovy annotation that executes arbitrary code during compilation, attackers can achieve full remote code execution on the server.
This exploit chain requires no credentials and no user interaction, only network access to the affected REST endpoint. Under these conditions the attack is trivial to automate and highly reliable.
Risks
1. Full system compromise
Attackers can run arbitrary code, create persistence, deploy malware, modify configurations, or use the host to pivot across the network.
2. Identity and access manipulation
OIM governs account creation, permissions, and provisioning.
An attacker can create privileged accounts, escalate rights, disable MFA, or impersonate high-value users.
3. Lateral movement across enterprise systems
Since identity platforms sit in the center of authentication flows, compromising OIM often means access to databases, cloud applications, ERP systems, and more.
4. Data exfiltration or destruction
Any system relying on OIM for authentication becomes a potential target for data theft, tampering, or service disruption.
5. Long-term persistence
Manipulating identity workflows enables attackers to remain hidden even after patches are deployed.
Real-life example usage
Multiple security intelligence sources confirmed that CVE-2025-61757 was actively exploited before Oracle’s October 2025 patch was released.
Honeypots observed threat actors issuing crafted POST requests to endpoints such as:
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
This exact pattern aligns with the known proof-of-concept exploit and confirms real-world attempts to bypass authentication and trigger the Groovy script processing engine. Activity spikes were detected from August through early September 2025.
After verification of malicious use, CISA added the vulnerability to the KEV catalog, requiring US federal agencies to patch by December 12, 2025.
Recommendations
Patch immediately
Oracle issued fixes for the affected versions in the October 2025 Critical Patch Update. This is the only reliable mitigation.
Restrict or isolate exposed endpoints
Until patching is complete, block public and internal untrusted access to OIM REST WebServices using firewalls, reverse proxies, or segmentation.
Review logs for suspicious endpoint patterns
Look for requests whose paths end in .wadl or ?WSDL, or that target Groovy-related endpoints such as the groovyscriptstatus API.
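The log review above, as an added example that is not part of the advisory or of Oracle's own tooling: a small Python scanner that flags the patterns described (metadata-file suffixes, a ?WSDL query, matrix parameters on OIM REST paths, and the Groovy validation endpoint). The sample log lines, the Apache/NGINX combined log layout, and the semicolon heuristic are constructed assumptions, not OIM's real log format.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined log format); not real OIM logs.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Sep/2025:10:14:02 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 512 "-" "python-requests/2.32"
10.0.0.9 - - [02/Sep/2025:10:15:44 +0000] "GET /iam/governance/selfservice/api/v1/users?WSDL HTTP/1.1" 200 1020 "-" "curl/8.4.0"
10.0.0.7 - - [02/Sep/2025:10:16:10 +0000] "GET /identity/faces/home HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Sep/2025:10:17:33 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1" 401 0 "-" "python-requests/2.32"
"""

# Parses: client IP, timestamp, method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

OIM_REST_PREFIX = "/iam/governance/"   # assumed base path of the OIM REST API
GROOVY_MARKER = "groovyscriptstatus"   # endpoint named in the advisory


def classify(target):
    """Return the list of reasons a request target looks suspicious ([] if none)."""
    # Percent-decode first so %3F / %2E encoded variants are not missed.
    parts = urlsplit(unquote(target))
    path, query = parts.path.lower(), parts.query.lower()
    reasons = []
    if path.endswith(".wadl"):
        reasons.append("wadl-suffix")
    if query == "wsdl":
        reasons.append("wsdl-query")
    if ";" in path and path.startswith(OIM_REST_PREFIX):
        reasons.append("path-param-on-rest-endpoint")  # heuristic: matrix params
    if GROOVY_MARKER in path:
        reasons.append("groovy-endpoint")
    return reasons


def scan_log(text):
    """Return (ip, method, target, status, reasons) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append((m["ip"], m["method"], m["target"], int(m["status"]), reasons))
    return hits


if __name__ == "__main__":
    for ip, method, target, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {status} {target} -> {', '.join(reasons)}")
```

A 200 response on a flagged request to the Groovy endpoint deserves the closest look, since a patched or properly filtered server should answer an unauthenticated call with 401.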
Audit identity and privileged accounts
Check for unauthorized accounts, altered provisioning rules, suspicious entitlements, or disabled MFA policies.
Assume possible compromise
Organizations that delayed patching or exposed OIM to the internet should consider a targeted compromise assessment, including forensic analysis and credential rotation.