Critical Zero-Day Exploited in Oracle Identity Manager (CVE-2025-61757): Pre-Auth RCE Vulnerability Analysis and Mitigation
- Rescana

Executive Summary
A critical vulnerability, tracked as CVE-2025-61757, has been identified in Oracle Identity Manager (OIM), a core component of the Oracle Fusion Middleware suite. The flaw carries a CVSS base score of 9.8 and allows a remote attacker with no credentials to execute arbitrary code on an affected OIM instance. Its root cause is a missing authentication check on a critical function: the REST WebServices authentication filter can be tricked into treating a protected endpoint as public, after which the attacker can reach functionality that compiles attacker-supplied Groovy code. Evidence from multiple security research groups and public honeypots indicates that the flaw was exploited as a zero-day in the wild, with activity observed before Oracle shipped a fix in its October 2025 Critical Patch Update. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Organizations running Oracle Identity Manager should treat patching as urgent, tighten monitoring of the affected endpoints, and hunt for signs of prior compromise rather than assume the patch alone closes the incident.
Threat Actor Profile
Attribution for the exploitation of CVE-2025-61757 remains inconclusive as of this report. The observed attack patterns, including the use of a zero-day exploit and coordinated scanning from multiple IP addresses, suggest a well-resourced and technically capable operator. No specific Advanced Persistent Threat (APT) group has been publicly linked to these campaigns, but the operational discipline on display is consistent with either a state-sponsored group or a well-organized cybercriminal crew. The attacks used custom tooling and a consistent user-agent string, which points to a single coordinated operation rather than unrelated opportunistic scanners. The absence of sector- or geography-specific selection suggests a broad reconnaissance and exploitation sweep intended to maximize footholds in the enterprise and government environments where Oracle Identity Manager is widely deployed.
Technical Analysis of Malware/TTPs
The exploitation of CVE-2025-61757 hinges on a logic flaw in the authentication filter of the Oracle Identity Manager REST WebServices component. The filter decides whether a request needs authentication by matching the raw request URI against an allow-list of patterns intended to exempt only service-descriptor fetches, such as URIs ending in ?WSDL (SOAP) or .wadl (REST). The layer that actually routes the request ignores the query string and treats a trailing ;... portion of a path segment as a matrix parameter rather than as part of the resource path. Appending ?WSDL or ;.wadl to a protected URI therefore satisfies the allow-list check while the request is still dispatched to the protected resource, so the application serves a sensitive endpoint as if it were public.
The primary attack vector is a specially crafted HTTP POST to /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus with the ;.wadl suffix. This endpoint exists to check the syntax of a Groovy script, which requires compiling it. Groovy supports compile-time metaprogramming through AST-transformation annotations (for example @groovy.transform.ASTTest), whose closures are executed by the compiler itself; a script carrying such an annotation runs attacker-controlled code during the syntax check even though the endpoint never executes the script. Researchers from Searchlight Cyber (Assetnote) demonstrated a proof-of-concept exploit built on exactly this behaviour.
The technical flow is therefore: the attacker sends a POST to the vulnerable endpoint with ;.wadl appended to bypass authentication; the body contains a Groovy script with a compile-time annotation; the compiler evaluates the annotation and executes the embedded code on the OIM server. The technique requires no credentials and works over plain HTTP or HTTPS against any reachable instance.
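To make the two-layer mismatch concrete, here is a small Python model added for this write-up; it is not Oracle's code and does not reproduce the product's actual filter. The allow-list regexes, the descriptor path /iam/governance/applicationmanagement/api/v1/application.wadl and the handle() dispatcher are assumptions that stand in for the real components; only the groovyscriptstatus path is taken from the advisory above. The vulnerable filter matches the raw URI, the router strips the decoration, and the hardened filter decides on the same normalized path the router uses.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory; everything else in this model is constructed.
GROOVY_ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"

# Hypothetical descriptor resource that legitimately needs no authentication.
ANONYMOUS_RESOURCES = {"/iam/governance/applicationmanagement/api/v1/application.wadl"}

# Allow-list of the kind the page describes: "looks like a WSDL/WADL fetch" => anonymous.
DESCRIPTOR_PATTERNS = [
    re.compile(r"\?WSDL$", re.IGNORECASE),  # SOAP service description
    re.compile(r"\.wadl$", re.IGNORECASE),  # REST application description
]


def route(raw_uri: str) -> str:
    """Resource path the JAX-RS-style router dispatches to.

    The query string is dropped and a ';...' matrix parameter is cut from each
    path segment, so '/x/groovyscriptstatus;.wadl' and '/x/groovyscriptstatus?WSDL'
    both dispatch to '/x/groovyscriptstatus'.
    """
    path = urlsplit(raw_uri).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def vulnerable_allows_anonymous(raw_uri: str) -> bool:
    """Flawed check: evaluated on the raw URI, so the decoration fools it."""
    return any(p.search(raw_uri) for p in DESCRIPTOR_PATTERNS)


def hardened_allows_anonymous(raw_uri: str) -> bool:
    """Fixed check: decide on the path the router will actually use, and only
    for an explicit set of descriptor resources (deny by default)."""
    return route(raw_uri) in ANONYMOUS_RESOURCES


def handle(raw_uri: str, authenticated: bool, allows_anonymous) -> str:
    """Run the filter, then route, and report what the request reaches."""
    if not authenticated and not allows_anonymous(raw_uri):
        return "401 authentication required"
    target = route(raw_uri)
    if target == GROOVY_ENDPOINT:
        # In the real product this compiles the submitted Groovy script; a
        # compile-time annotation in that script runs code at this point.
        return "groovyscriptstatus: script compiled"
    if target in ANONYMOUS_RESOURCES:
        return "descriptor served"
    return "404 not found"


if __name__ == "__main__":
    for uri in (GROOVY_ENDPOINT, GROOVY_ENDPOINT + ";.wadl", GROOVY_ENDPOINT + "?WSDL"):
        print(f"{uri}\n  vulnerable: {handle(uri, False, vulnerable_allows_anonymous)}"
              f"\n  hardened:   {handle(uri, False, hardened_allows_anonymous)}")
```

The fix is not a better regex. Any check that runs on a different representation of the URI than the one the router uses can be desynchronized; the hardened variant removes the gap by normalizing first and by exempting an explicit set of resources rather than a pattern.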
Indicators of compromise associated with this activity include POST requests with a Content-Length of 556 bytes to the endpoint above, originating from IP addresses such as 89.238.132.76, 185.245.82.81, and 138.199.29.153, all carrying the same user-agent string, which supports the hypothesis of a single coordinated campaign. These indicators describe the campaign as observed and are trivial for an attacker to change; payload size and source address in particular should be treated as hunting aids for historical logs rather than as the sole basis for ongoing detection.
Exploitation in the Wild
Active exploitation of CVE-2025-61757 was first observed in honeypot environments as early as August 30, 2025, predating Oracle’s public disclosure and patch release. Attackers have been detected scanning for and targeting the vulnerable endpoint across a wide range of internet-facing OIM instances. The attack pattern is characterized by automated POST requests to /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl, with a uniform payload size and user-agent string.
Security telemetry and incident reports indicate that exploitation attempts have been global in scope, with no clear preference for specific sectors or geographies. The rapid adoption of the exploit by multiple threat actors following public disclosure has led to a surge in attack volume, increasing the risk of compromise for unpatched systems. The inclusion of this vulnerability in the CISA KEV catalog further corroborates its active exploitation and the critical need for immediate remediation.
Victimology and Targeting
While no sector-specific targeting has been conclusively identified, the widespread deployment of Oracle Identity Manager in sectors such as finance, government, healthcare, and large enterprises makes organizations in these verticals particularly attractive targets. The nature of the vulnerability—pre-authentication RCE—means that any internet-exposed OIM instance running affected versions (12.2.1.4.0 and 14.1.2.1.0) is at risk, regardless of organizational size or industry.
Analysis of attack telemetry suggests that the initial wave of exploitation was opportunistic, with attackers scanning large IP ranges for vulnerable endpoints. However, the sophistication of the exploit and the potential for post-exploitation lateral movement raise concerns about targeted follow-on activity, especially in environments where OIM is integrated with critical identity and access management workflows.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2025-61757. Organizations should apply the October 2025 Oracle Critical Patch Update to all affected Oracle Identity Manager instances (versions 12.2.1.4.0 and 14.1.2.1.0) without delay. In addition to patching, security teams should monitor for requests to /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus and for any /iam/ URI decorated with a ?WSDL or ;.wadl suffix. Match these suffixes against the raw request line at the web server or reverse proxy rather than against a normalized path: the bypass works precisely because the application's routing layer strips the suffix, and a proxy or log pipeline that normalizes URIs the same way will hide it.
Connections from the IP addresses listed above, including 89.238.132.76, 185.245.82.81, and 138.199.29.153, should be blocked and any earlier traffic from them investigated. Review access logs back to at least late August 2025 for POST requests to the vulnerable endpoint, paying particular attention to requests with a Content-Length of 556 bytes and the observed user-agent string. Because the payload executes during compilation, the HTTP status returned afterward does not reliably indicate whether an attempt succeeded; treat every matching request against an instance that was unpatched at the time as a potential compromise.
Proactive threat hunting is recommended to detect lateral movement or privilege escalation originating from compromised OIM systems. Security teams should also review and harden access controls for all internet-facing OIM endpoints, ensuring that only authorized users can access sensitive functions. Where possible, restrict access to OIM management interfaces to trusted networks and implement multi-factor authentication for administrative accounts.
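The following Python log scanner is an added example (not Rescana's tooling and not Oracle's) that applies the indicators from the Technical Analysis section and the monitoring guidance above to a handful of constructed access-log lines. It assumes a combined-style log format in which the size field carries the request Content-Length; the addresses 203.0.113.44, 198.51.100.9 and 10.20.30.x, the timestamps, the user-agent values and the /iam/governance/applicationmanagement/api/v1/applications;.wadl request are made up for the sample, while the three attacker addresses, the endpoint and the 556-byte length are the page's own. It detects the descriptor decoration by normalizing each URI the way the application's router does, which is also what lets it ignore an ordinary ;jsessionid= matrix parameter.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

VULN_ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
KNOWN_BAD_IPS = {"89.238.132.76", "185.245.82.81", "138.199.29.153"}  # from the advisory
OBSERVED_CONTENT_LENGTH = 556                                          # from the advisory

# Combined-style access log. Assumption: the size field is the request Content-Length
# (e.g. Apache %I or a WebLogic extended-log cs(Content-Length) field); map it to your format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<length>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Matrix parameter faking a descriptor: ';' then anything without '/' ending in .wadl
MATRIX_WADL = re.compile(r";[^/]*\.wadl$", re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    uri: str
    status: str
    severity: str
    flags: List[str] = field(default_factory=list)


def normalize_path(uri: str) -> str:
    """Path the application's router dispatches: no query string, no ';...' matrix params."""
    path = urlsplit(uri).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def has_bypass_suffix(uri: str) -> bool:
    """True for the '?WSDL' / ';.wadl' decorations; a plain ';jsessionid=...' is not one."""
    parts = urlsplit(uri)
    return bool(MATRIX_WADL.search(parts.path)) or parts.query.upper() == "WSDL"


def analyze(lines: List[str]) -> List[Finding]:
    """One Finding per in-scope request, in log order."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # unparseable line; count these in production
        uri = m["uri"]
        target = normalize_path(uri)
        if not target.startswith("/iam/"):
            continue                        # only the OIM application is in scope
        bypass = has_bypass_suffix(uri)
        hits_endpoint = target == VULN_ENDPOINT
        if bypass and hits_endpoint:
            severity = "high"               # the exact pre-auth RCE request shape
        elif bypass:
            severity = "medium"             # allow-list bypass probing another resource
        elif hits_endpoint:
            severity = "low"                # endpoint used without the bypass
        else:
            continue
        flags = []
        if bypass:
            flags.append("bypass-suffix")
        if m["ip"] in KNOWN_BAD_IPS:
            flags.append("known-ip")
        if m["length"] == str(OBSERVED_CONTENT_LENGTH):
            flags.append("content-length-556")
        findings.append(Finding(m["ip"], m["ts"], m["method"], uri, m["status"], severity, flags))
    return findings


def sources_by_high_hits(findings: List[Finding]) -> Dict[str, int]:
    """Source addresses that sent high-severity requests, with a count for each."""
    return dict(Counter(f.ip for f in findings if f.severity == "high"))


# Constructed sample lines (not real telemetry); user-agent values are placeholders.
SAMPLE_LOG = [
    '89.238.132.76 - - [30/Aug/2025:03:14:07 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 556 "-" "Mozilla/5.0 (placeholder)"',
    '203.0.113.44 - - [31/Aug/2025:11:02:51 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus?WSDL HTTP/1.1" 200 556 "-" "Mozilla/5.0 (placeholder)"',
    '10.20.30.40 - - [31/Aug/2025:11:05:00 +0000] "GET /iam/governance/applicationmanagement/api/v1/application.wadl HTTP/1.1" 200 - "-" "curl/8.4.0"',
    '10.20.30.41 - - [31/Aug/2025:12:00:00 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;jsessionid=ABC123 HTTP/1.1" 200 812 "-" "Mozilla/5.0 (admin)"',
    '185.245.82.81 - - [02/Sep/2025:22:41:19 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 500 556 "-" "Mozilla/5.0 (placeholder)"',
    '198.51.100.9 - - [02/Sep/2025:22:45:00 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications;.wadl HTTP/1.1" 401 300 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ip:15} {f.timestamp} {f.method} {f.uri} -> {f.status} {f.flags}")
    print("high-severity sources:", sources_by_high_hits(analyze(SAMPLE_LOG)))
```

The severity tiers are deliberate: the decorated request to groovyscriptstatus is the exploit shape and is high regardless of source address or payload size, the same decoration on any other /iam/ path is worth a look because it is the bypass being probed, and an undecorated hit on the endpoint is recorded so that an analyst can confirm it came from an authenticated session.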
About Rescana
Rescana is a leader in third-party risk management (TPRM) and cyber risk intelligence. Our platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their extended supply chain and digital ecosystem. By leveraging advanced analytics and real-time threat intelligence, Rescana enables security teams to proactively identify vulnerabilities, prioritize remediation efforts, and strengthen their overall security posture. For more information about how Rescana can help your organization manage cyber risk, we invite you to contact us at ops@rescana.com. We are happy to answer any questions you may have.