Active Exploitation of Critical Oracle Identity Manager Vulnerability
A critical vulnerability in Oracle Identity Manager, identified as CVE-2025-61757 and rated 9.8 on the CVSS scale, is being actively exploited by threat actors. The flaw affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, allowing unauthenticated attackers to remotely execute code via the Oracle REST Web Services component. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about ongoing exploitation, and researchers from Searchlight Cyber have detailed how attackers can bypass authentication by appending specific strings such as ?WSDL or ;.wadl to REST endpoints.
Organizations using affected Oracle Identity Manager versions are urged to apply the vendor's recent patches immediately to mitigate the risk of compromise. The vulnerability's active exploitation highlights the importance of timely patch management and monitoring for unusual activity on exposed Oracle REST Web Services endpoints. Security teams should review their systems for signs of unauthorized access and ensure that all mitigations recommended by Oracle and CISA are implemented without delay.
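As an added example (not from the original article, Oracle, CISA or Searchlight Cyber), the following sketch hunts web-tier access logs for the two request suffixes named above. It assumes combined-format access logs; the paths and addresses in the sample are constructed placeholders, not real Oracle Identity Manager endpoints.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: the front-end proxy or web tier writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def bypass_marker(uri):
    """Return the suffix named in the article if the URI carries it, else None."""
    parts = urlsplit(uri)
    # Decode first so a percent-encoded ';' (%3B) is not missed.
    path = unquote(parts.path).lower()
    if ";.wadl" in path:
        return ";.wadl"
    # Case-insensitive match on a bare or valued 'wsdl' query parameter.
    keys = {kv.split("=", 1)[0].lower() for kv in unquote(parts.query).split("&")}
    if "wsdl" in keys:
        return "?WSDL"
    return None

def hunt(lines):
    """Return (ip, timestamp, method, uri, status, marker) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than fail
        marker = bypass_marker(m["uri"])
        if marker:
            hits.append((m["ip"], m["ts"], m["method"], m["uri"],
                         int(m["status"]), marker))
    return hits

# Constructed sample lines (documentation address ranges, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2025:10:00:01 +0000] "GET /example/rest/v1/users HTTP/1.1" 401 120',
    '198.51.100.7 - - [27/Nov/2025:10:00:05 +0000] "POST /example/rest/v1/users;.wadl HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Nov/2025:10:00:09 +0000] "GET /example/rest/v1/status?WSDL HTTP/1.1" 200 88',
    '203.0.113.4 - - [27/Nov/2025:10:01:00 +0000] "GET /example/rest/v1/users%3B.wadl HTTP/1.1" 404 0',
    '192.0.2.10 - - [27/Nov/2025:10:02:00 +0000] "GET /example/static/app.wadl.txt HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The status code is kept in each hit so that flagged requests answered with a success code can be triaged first.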
Timeline
Nov 27, 2025
Campbell's CISO fired after lawsuit and leaked audio
Campbell's dismissed its chief information security officer following a lawsuit and the emergence of leaked audio tied to the dispute.
Nov 27, 2025
FBI reports $262 million in bank account takeover fraud losses
The FBI warned of a surge in bank account takeover fraud schemes, saying reported losses had reached $262 million.
Nov 27, 2025
FCC fines Comcast $1.5 million over vendor breach affecting subscribers
The FCC imposed a $1.5 million penalty on Comcast after a vendor breach exposed personally identifiable information of more than 237,000 subscribers.
Nov 27, 2025
Vendor breach exposes Iberia data and triggers Everest extortion claim
Spanish airline Iberia disclosed a breach involving a third-party vendor, and the Everest Group claimed responsibility while attempting to extort the company.
Nov 27, 2025
High-severity DoS flaw disclosed in Shelly Pro 4PM smart relays
A high-severity denial-of-service vulnerability was reported in Shelly Pro 4PM smart relays, adding to the week's notable product security issues.
Nov 27, 2025
Cloud providers release patches for five critical Fluent Bit flaws
Major cloud providers patched five critical vulnerabilities in the Fluent Bit log processor to reduce exposure for customers using affected components.
Nov 27, 2025
Shai-Hulud 2.0 npm supply chain attack compromises 600+ packages
The Shai-Hulud 2.0 campaign compromised more than 600 npm packages, leaked thousands of secrets, and affected hundreds of organizations using advanced evasion and propagation techniques.
Nov 27, 2025
CISA urges immediate patching for exploited Oracle Identity Manager bug
CISA issued urgent guidance directing organizations to patch CVE-2025-61757 after reports of active exploitation of the Oracle Identity Manager vulnerability.
Nov 27, 2025
Attackers begin exploiting CVE-2025-61757 in the wild
Security reporting indicated that the recently patched Oracle Identity Manager flaw was already under active exploitation, increasing urgency for organizations to apply updates.
Nov 27, 2025
Oracle patches critical Oracle Identity Manager flaw CVE-2025-61757
Oracle released a fix for CVE-2025-61757 in Oracle Identity Manager, a critical 9.8 CVSS vulnerability that allows unauthenticated remote code execution through REST Web Services.
Related Stories

Oracle Warns of Critical Unauthenticated RCE in Identity Manager and Web Services Manager
Oracle issued an out-of-band Security Alert for `CVE-2026-21992`, a critical unauthenticated remote code execution flaw affecting Oracle Fusion Middleware deployments that use Oracle Identity Manager and Oracle Web Services Manager. The vulnerability carries a CVSS 3.1 score of **9.8** and can be exploited remotely over the network with low complexity and no user interaction, raising particular concern for internet-facing systems. Oracle said the flaw affects the REST Web Services component in Oracle Identity Manager and the Web Services Security module in Oracle Web Services Manager. Successful exploitation could result in full system compromise, including credential theft and lateral movement, and the company urged customers to apply available patches immediately. Oracle also warned that organizations running unsupported versions should upgrade to supported releases, as fixes are only provided under Premier Support or Extended Support.
1 month ago
Critical RCE Vulnerability in Oracle Fusion Middleware (CVE-2025-61757)
A critical vulnerability, CVE-2025-61757, has been identified in Oracle Fusion Middleware's Identity Manager component, allowing remote, unauthenticated attackers to achieve arbitrary remote code execution. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and urging all organizations, especially those in the federal sector, to prioritize remediation. The affected versions include Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, and exploitation could result in complete system compromise. Security researchers recommend immediate upgrades to patched versions to mitigate risk. Tools such as runZero can assist organizations in identifying vulnerable Oracle Identity Manager installations using queries like `vendor:="Oracle" product:="Identity Manager"`. CISA's Binding Operational Directive 22-01 mandates federal agencies to remediate KEV-listed vulnerabilities by specified deadlines, but all organizations are strongly encouraged to address this critical issue promptly to reduce exposure to active threats.
1 month ago
Oracle Identity Manager Connector Flaws Expose Critical Data to Unauthenticated Attackers
Oracle disclosed three high-severity vulnerabilities in the Oracle Identity Manager Connector component of Oracle Fusion Middleware, tracked as **`CVE-2026-34285`**, **`CVE-2026-34286`**, and **`CVE-2026-34287`**. The flaws affect supported version **`12.2.1.4.0`** and are described as easily exploitable by unauthenticated attackers with network access over **HTTPS**, including issues in the product's **Core** component. Successful exploitation could allow attackers to create, delete, or modify critical data and gain unauthorized access to sensitive information, including potentially complete access to all data reachable through the Oracle Identity Manager Connector. Oracle assigned each vulnerability a **CVSS v3.1 score of 9.1**, citing high confidentiality and integrity impact with no availability impact, and referenced the issues in its **Critical Patch Update** advisory.
2 weeks ago