CISA orders feds to patch Oracle Identity Manager zero-day after signs of abuse
Summary
CISA has directed US federal agencies to patch an actively exploited Oracle Identity Manager (OIM) vulnerability, CVE-2025-61757, by 12 December 2025. The flaw allows unauthenticated remote attackers with network access to bypass authentication and gain full system control. Searchlight Cyber researchers published a technical teardown describing how trivial the exploit is; SANS ISC logs indicate the exploit URL was observed in late August and early September, suggesting pre-patch reconnaissance or abuse prior to Oracle’s 21 October fix. Oracle’s advisory rated the issue critical but did not disclose clear in-the-wild telemetry. Agencies face compliance consequences if they miss the deadline.
Key Points
- CVE-2025-61757 affects Oracle Identity Manager (part of Fusion Middleware) and enables remote, unauthenticated takeover.
- CISA added the flaw to its Known Exploited Vulnerabilities catalogue and ordered federal patching by 12 December 2025.
- Searchlight Cyber researchers describe exploitation as “trivial” — a single HTTP request can bypass authentication and achieve system-level control.
- SANS ISC analysis found the exploit URL in logs between 30 August and 9 September, indicating likely pre-patch reconnaissance or use.
- Oracle released a fix in its 21 October Critical Patch Update, but did not publicly indicate prior exploitation in its advisory.
- Federal security teams now face a tight remediation window amid broader concerns about slow patch cycles for enterprise Oracle platforms.
Content summary
CISA’s emergency directive is aimed at closing a high-severity OIM zero-day that can be exploited without credentials. Public analysis from the researchers who discovered the flaw and from SANS ISC suggests attackers were probing or exploiting the issue before Oracle published its patch. Oracle’s patch notes were sparse about in-the-wild activity, leaving agencies to act on CISA’s guidance and the researchers’ findings. The recommended mitigation is to apply Oracle’s 21 October Critical Patch Update immediately.
Context and relevance
This matters for any organisation running Oracle Fusion Middleware or Identity Manager: an easily exploitable, pre-patch zero-day on identity infrastructure can lead to full system compromise and lateral movement. The CISA order highlights the federal priority, but private sector and international organisations should treat the advisory as a red flag and remediate quickly. The story also follows a pattern of high-impact incidents involving Oracle products this year, underscoring persistent issues with patch lag and limited vendor telemetry.
Why should I read this?
Short version: if you manage Oracle kit, this is urgent. CISA has put a federal deadline on it, researchers say the exploit is trivial, and logs show attackers sniffing around before the patch. Skip this only if you don’t care about identity systems getting pwned.
Author style
Punchy: this is a high-stakes, time-sensitive security alert that demands action from ops and security teams now—don’t let identity infrastructure be the weak link.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2025/11/24/cisa_oracle_identity_manager/
