Mallory

Critical RCE Vulnerability in Oracle Fusion Middleware (CVE-2025-61757)

actively-exploited-vulnerability, government-vulnerability-catalog, identity-authentication-vulnerability, widely-deployed-product-advisory
Updated March 21, 2026 at 03:19 PM · 9 sources

A critical vulnerability, CVE-2025-61757, has been identified in Oracle Fusion Middleware's Identity Manager component, allowing remote, unauthenticated attackers to achieve arbitrary remote code execution. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and urging all organizations, especially those in the federal sector, to prioritize remediation. The affected versions include Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, and exploitation could result in complete system compromise.

Security researchers recommend immediate upgrades to patched versions to mitigate risk. Tools such as runZero can assist organizations in identifying vulnerable Oracle Identity Manager installations using queries like `vendor:="Oracle" product:="Identity Manager"`. CISA's Binding Operational Directive 22-01 requires federal agencies to remediate KEV-listed vulnerabilities by specified deadlines, but all organizations are strongly encouraged to address this critical issue promptly to reduce exposure to active threats.

Timeline

  1. Nov 21, 2025

    CISA orders federal agencies to remediate CVE-2025-61757 by Dec. 12

    Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to patch or otherwise remediate the KEV-listed Oracle Identity Manager vulnerability by 2025-12-12.

  2. Nov 21, 2025

    CISA adds Oracle OIM flaw CVE-2025-61757 to KEV catalog

    On 2025-11-21, CISA added CVE-2025-61757 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The agency identified it as an Oracle Fusion Middleware missing-authentication flaw posing significant risk.

  3. Nov 21, 2025

    Researchers publish technical analysis and PoC for CVE-2025-61757

    Searchlight Cyber publicly released technical details and a proof-of-concept exploit for CVE-2025-61757, showing how crafted requests such as '.wadl' or related URI manipulation can bypass authentication and reach code-execution functionality.

  4. Oct 21, 2025

    Oracle patches CVE-2025-61757 in October Critical Patch Update

    Oracle disclosed and fixed CVE-2025-61757 on 2025-10-21 as part of its October 2025 Critical Patch Update. The critical flaw affects Oracle Identity Manager and can allow unauthenticated remote code execution.

  5. Aug 30, 2025

    Attackers scan and likely exploit Oracle OIM flaw before disclosure

    SANS Internet Storm Center observed traffic targeting the vulnerable Oracle Identity Manager endpoint between 2025-08-30 and 2025-09-09, suggesting reconnaissance and possible zero-day exploitation before a patch was available.


Sources

4 more from sources such as CISA advisories, BleepingComputer, SC World and the runZero blog

Related Stories

Oracle Warns of Critical Unauthenticated RCE in Identity Manager and Web Services Manager

Oracle issued an out-of-band Security Alert for `CVE-2026-21992`, a critical unauthenticated remote code execution flaw affecting Oracle Fusion Middleware deployments that use Oracle Identity Manager and Oracle Web Services Manager. The vulnerability carries a CVSS 3.1 score of **9.8** and can be exploited remotely over the network with low complexity and no user interaction, raising particular concern for internet-facing systems. Oracle said the flaw affects the REST Web Services component in Oracle Identity Manager and the Web Services Security module in Oracle Web Services Manager. Successful exploitation could result in full system compromise, including credential theft and lateral movement, and the company urged customers to apply available patches immediately. Oracle also warned that organizations running unsupported versions should upgrade to supported releases, as fixes are only provided under Premier Support or Extended Support.

1 month ago

Active Exploitation of Critical Oracle Identity Manager Vulnerability

A critical vulnerability in Oracle Identity Manager, identified as CVE-2025-61757 and rated 9.8 on the CVSS scale, is being actively exploited by threat actors. The flaw affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, allowing unauthenticated attackers to remotely execute code via the Oracle REST Web Services component. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about ongoing exploitation, and researchers from Searchlight Cyber have detailed how attackers can bypass authentication by appending specific strings such as `?WSDL` or `;.wadl` to REST endpoints. Organizations using affected Oracle Identity Manager versions are urged to apply the vendor's recent patches immediately to mitigate the risk of compromise. The vulnerability's active exploitation highlights the importance of timely patch management and monitoring for unusual activity on exposed Oracle REST Web Services endpoints. Security teams should review their systems for signs of unauthorized access and ensure that all mitigations recommended by Oracle and CISA are implemented without delay.

1 month ago

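Detection logic for the bypass pattern described in the story above, as an added example that is not code from Mallory, Oracle or Searchlight Cyber: it scans Apache/nginx combined-format access logs for REST requests carrying the `;.wadl` path suffix or `?WSDL` query string, and also catches single URL-encoded variants of both. The `REST_PREFIX` value and the log lines are constructed placeholders (the page does not give Oracle's real endpoint path); the single-decode pass is a heuristic, not Oracle's own parsing.

```python
"""Flag access-log requests with the CVE-2025-61757 bypass pattern (added example,
not from Mallory, Oracle or Searchlight Cyber; see lead-in for assumptions)."""
import re
from urllib.parse import unquote, urlsplit

# Combined log format: client - - [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Placeholder, not Oracle's real path: the prefix your OIM REST services use.
REST_PREFIX = "/placeholder-oim-rest/"


def classify(target: str):
    """Return 'wadl-suffix', 'wsdl-query' or None for one raw request target."""
    decoded = unquote(target)      # one decode pass exposes %3B.wadl / %3Fwsdl
    parts = urlsplit(decoded)      # urlsplit keeps ';...' matrix params in path
    path, query = parts.path.lower(), parts.query.lower()
    if not path.startswith(REST_PREFIX):
        return None                # WADL/WSDL is legitimate on other JAX-RS apps
    if path.endswith(";.wadl") or ";.wadl/" in path:
        return "wadl-suffix"
    if query == "wsdl" or query.startswith("wsdl&"):
        return "wsdl-query"
    return None


def scan(lines):
    """One dict per flagged request; status 200 on a hit means it was served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # tolerate lines in another format
        reason = classify(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "time": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "reason": reason})
    return hits


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2025:10:01:02 +0000] "GET /placeholder-oim-rest/users HTTP/1.1" 401 0
203.0.113.7 - - [30/Aug/2025:10:01:05 +0000] "GET /placeholder-oim-rest/users;.wadl HTTP/1.1" 200 512
198.51.100.9 - - [30/Aug/2025:10:02:11 +0000] "POST /placeholder-oim-rest/users?WSDL HTTP/1.1" 200 88
198.51.100.9 - - [30/Aug/2025:10:02:12 +0000] "GET /placeholder-oim-rest/users%3B.wadl HTTP/1.1" 200 512
192.0.2.4 - - [30/Aug/2025:10:03:00 +0000] "GET /other/app;.wadl HTTP/1.1" 200 40
""".splitlines()
```

A flagged request that the server answered with 200 while the plain request to the same resource got 401 is the signal worth triaging first.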
Oracle Identity Manager Connector Flaws Expose Critical Data to Unauthenticated Attackers

Oracle disclosed three high-severity vulnerabilities in the Oracle Identity Manager Connector component of Oracle Fusion Middleware, tracked as **`CVE-2026-34285`**, **`CVE-2026-34286`**, and **`CVE-2026-34287`**. The flaws affect supported version **`12.2.1.4.0`** and are described as easily exploitable by unauthenticated attackers with network access over **HTTPS**, including issues in the product's **Core** component. Successful exploitation could allow attackers to create, delete, or modify critical data and gain unauthorized access to sensitive information, including potentially complete access to all data reachable through the Oracle Identity Manager Connector. Oracle assigned each vulnerability a **CVSS v3.1 score of 9.1**, citing high confidentiality and integrity impact with no availability impact, and referenced the issues in its **Critical Patch Update** advisory.

2 weeks ago