Critical Flaw in Oracle Identity Manager Under Exploitation
Summary
A critical remote code execution (RCE) vulnerability, CVE-2025-61757, in Oracle Identity Manager (part of Oracle Fusion Middleware) is being actively exploited. The flaw — scored 9.8 CVSS — was disclosed and patched by Oracle on 21 October as part of its monthly update. AssetNote/Searchlight Cyber researchers Adam Kues and Shubham Shah published a technical analysis showing the vulnerability is easily exploitable; CISA has added it to its Known Exploited Vulnerabilities (KEV) catalogue.
Key Points
- CVE-2025-61757 is a pre-authentication RCE in Oracle Identity Manager impacting Oracle Fusion Middleware.
- The vulnerability carries a 9.8 CVSS score and is confirmed to be exploited in the wild.
- Researchers bypassed authentication using web-route and GET-parameter quirks — in some cases simply by adding a semicolon to the URL.
- Discovery follows earlier Oracle Cloud breaches and extortion campaigns against Oracle products, raising urgency for affected customers.
- CISA added the flaw to the KEV catalogue; US federal civilian agencies have a patching deadline of 12 December.
Content Summary
AssetNote researchers examined Oracle software after a prior Oracle Cloud breach and found exposed REST management APIs in Identity Manager containing dangerous functionality. Logical flaws in Java request-URI handling and matrix parameters allowed authentication filters to be bypassed, enabling pre-auth RCE. Oracle issued a patch on 21 October among hundreds of fixes, but exploitation is now observed in the wild. Organisations using Oracle Identity Manager or Fusion Middleware should prioritise applying Oracle’s security updates immediately.
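To make the bug class concrete from a defender's side, the following Python sketch (added here; not Oracle's code and not the researchers' exploit) contrasts an authentication filter that matches protected routes against the raw request URI with one that canonicalizes the path the same way the routing layer does before deciding. Route prefixes are placeholders, and the canonicalization generalizes beyond the semicolon case on the page: it strips matrix parameters from every segment, percent-decodes, and resolves dot-segments, as an approximation of typical servlet-container behaviour (check the container you actually run).

```python
"""Illustrative example of an authentication filter that disagrees with its
router about what path a request is for. Placeholder routes; not Oracle's code."""
import posixpath
from urllib.parse import unquote

# Constructed placeholder prefixes standing in for protected management APIs.
PROTECTED_PREFIXES = ("/rest/admin", "/rest/management")


def route_path(request_uri: str) -> str:
    """Approximate what a servlet router resolves a request to: drop the query
    string, strip ';key=value' matrix parameters from each segment,
    percent-decode, then collapse '.' and '..' segments."""
    path = request_uri.split("?", 1)[0]
    segments = [unquote(seg.split(";", 1)[0]) for seg in path.split("/")]
    return posixpath.normpath("/".join(segments)) or "/"


def is_protected_naive(request_uri: str) -> bool:
    """Flawed filter: segment-wise match against the raw URI. A segment that
    carries a matrix parameter no longer equals the protected prefix, so the
    request is treated as public while the router still dispatches it to the
    protected handler."""
    raw = request_uri.split("?", 1)[0]
    return any(raw == p or raw.startswith(p + "/") for p in PROTECTED_PREFIXES)


def is_protected_hardened(request_uri: str) -> bool:
    """Hardened filter: decide on the canonical path the router will use, and
    match whole segments so '/rest/adminx' is not mistaken for '/rest/admin'."""
    path = route_path(request_uri)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def audit(request_uri: str) -> tuple[bool, bool, str]:
    """Review helper: (naive decision, hardened decision, routed path).
    A (False, True, ...) result is exactly the filter/router mismatch."""
    return (is_protected_naive(request_uri),
            is_protected_hardened(request_uri),
            route_path(request_uri))
```

The same canonicalize-then-match rule applies when reviewing access logs: compare the path the application actually served, not the raw URI string.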
Context and Relevance
This vulnerability is significant because it affects a central identity and access management component that, if compromised, can grant attackers broad access to enterprise environments. It ties into an ongoing pattern: earlier in the year Oracle Cloud suffered a breach tied to an older flaw, and more recently Oracle E-Business Suite customers faced extortion and data theft. With CISA adding CVE-2025-61757 to KEV and active exploitation reported, the risk is both credible and time-sensitive.
Why should I read this?
Quick and blunt: if you run Oracle Identity Manager or any Oracle Fusion Middleware, this is one to act on now. The bug is easy to exploit, giving attackers RCE without authentication — yes, really. We’ve done the reading for you: patch, verify your exposure, and hunt for indicators of compromise.
Author’s take
Punchy summary: a high-severity RCE in a core identity product, exploited in the wild, following a string of Oracle incidents — don’t delay.
