CISA KEV Alert: Actively Exploited Oracle RCE Flaw Allows Full System Takeover

CISA Adds Critical Oracle Identity Manager RCE Vulnerability (CVE-2025-61757) to KEV Catalog

CRITICAL
November 22, 2025
Categories: Vulnerability, Patch Management, Threat Intelligence

Related Entities

Organizations: CISA, Oracle, Searchlight Cyber, SANS Technology Institute, Federal Civilian Executive Branch (FCEB)

CVE Identifiers: CVE-2025-61757 (CRITICAL, CVSS 9.8)

Full Report

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning regarding CVE-2025-61757, a remote code execution (RCE) vulnerability in Oracle Fusion Middleware Identity Manager. The flaw, rated 9.8 out of 10.0 on the CVSS scale, is being actively exploited in the wild, leading to its addition to CISA's Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows a remote, unauthenticated attacker to completely compromise affected systems. It impacts Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0. Due to the confirmed exploitation and severe risk, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies must apply Oracle's patch, released in October 2025, by December 12, 2025. All organizations using the affected software are urged to patch immediately.


Vulnerability Details

The vulnerability, CVE-2025-61757, is a combination of two distinct issues that can be chained together to achieve pre-authentication RCE.

  1. Authentication Bypass: The root cause is a "missing authentication for critical function" flaw. Researchers at Searchlight Cyber discovered that a security filter in Oracle Identity Manager could be tricked into treating protected REST API endpoints as public. An attacker can achieve this simply by appending a specific parameter, such as ?WSDL or ;.wadl, to the URL path of a protected resource. This bypasses the authentication check entirely.

  2. Code Injection: Once authentication is bypassed, the attacker can send a request to a normally protected Groovy script endpoint. This endpoint was intended for benign purposes like syntax checking. However, it is vulnerable to code injection through Groovy's annotation-processing features. An attacker can craft a malicious script that is executed at compile time on the server, leading to arbitrary code execution.

The combination of these two flaws makes the exploit "somewhat trivial," according to researchers, as it does not require any credentials or user interaction.

Exploitation Status

CISA has confirmed active exploitation of CVE-2025-61757. This is corroborated by researchers at the SANS Technology Institute, who observed multiple HTTP POST requests targeting the vulnerable endpoint between August 30 and September 9, 2025. These attempts occurred weeks before Oracle released a patch on October 21, 2025, indicating the vulnerability was exploited as a zero-day. The scans originated from multiple IP addresses but shared a common user agent, suggesting a single threat actor was likely behind the initial exploitation campaign. The addition of the flaw to the KEV catalog underscores the immediate and ongoing threat.

Affected Systems

Organizations running the affected Oracle Identity Manager releases, versions 12.2.1.4.0 and 14.1.2.1.0, are highly vulnerable and should prioritize remediation.

Impact Assessment

A successful exploit of CVE-2025-61757 grants an attacker complete control over the underlying Oracle Identity Manager server. As an identity and access management (IAM) solution, this system is a high-value target. A compromise could lead to:

  • Creation of rogue administrator accounts.
  • Modification or theft of all user credentials managed by the system.
  • Lateral movement into other integrated enterprise applications.
  • Complete loss of confidentiality, integrity, and availability of the IAM infrastructure.

For government agencies and large enterprises that rely on this product, a compromise could be catastrophic, enabling widespread unauthorized access across the organization's entire IT landscape.

IOCs

Type            Value            Description
ip_address_v4   89.238.132.76    Source IP observed in scanning activity.
ip_address_v4   185.245.82.81    Source IP observed in scanning activity.
ip_address_v4   138.199.29.153   Source IP observed in scanning activity.

Cyber Observables for Detection

  • url_pattern: *?WSDL
    Description: Exploitation attempts may include this string appended to a URL path to bypass authentication.
    Context: WAF, Reverse Proxy Logs, Web Server Logs
    Confidence: high

  • url_pattern: *;.wadl
    Description: An alternative string used in exploitation attempts to bypass authentication.
    Context: WAF, Reverse Proxy Logs, Web Server Logs
    Confidence: high

  • url_pattern: */iam/admin/v1/GroovyScript
    Description: The likely path to the vulnerable Groovy script endpoint. Monitor for POST requests to this path from unauthenticated sources.
    Context: WAF, Web Server Logs
    Confidence: high

  • process_name: java.exe
    Description: Suspicious child processes spawning from the main Oracle WebLogic Java process (e.g., cmd.exe, powershell.exe, /bin/sh).
    Context: EDR, Host-based monitoring
    Confidence: high
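The observables above can be turned directly into a log-review rule. The following Python script is an added example written for this article, not code from CISA, Oracle or the researchers cited. It parses combined-format web server access log lines, flags requests whose URI carries the ?WSDL or ;.wadl bypass strings, flags unauthenticated POST requests to the /iam/admin/v1/GroovyScript path, and raises the severity to critical when the same source IP did both within a short window, which is the two-step chain described in the Vulnerability Details section. The sample log lines are constructed for illustration; the three scanning IPs come from the IOC table above, while the timestamps, users, paths and user agents are invented.

```python
import re
from datetime import datetime

# Bypass strings and script endpoint path as listed in the article's observables table.
BYPASS_RE = re.compile(r"(\?WSDL|;\.wadl)", re.IGNORECASE)
SCRIPT_PATH = "/iam/admin/v1/GroovyScript"
# Scanning source IPs from the article's IOC table.
KNOWN_SCANNERS = {"89.238.132.76", "185.245.82.81", "138.199.29.153"}

# Combined log format: ip ident authuser [time] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Two of the source IPs are the
# scanning IPs the article lists; timestamps, paths, users and user agents are invented.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [30/Aug/2025:14:01:58 +0000] "GET /iam/admin/v1/users HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
89.238.132.76 - - [30/Aug/2025:14:02:11 +0000] "GET /iam/admin/v1/users?WSDL HTTP/1.1" 200 512 "-" "python-requests/2.31 (constructed)"
89.238.132.76 - - [30/Aug/2025:14:02:13 +0000] "POST /iam/admin/v1/GroovyScript HTTP/1.1" 200 88 "-" "python-requests/2.31 (constructed)"
185.245.82.81 - - [02/Sep/2025:03:15:40 +0000] "GET /iam/admin/v1/users;.wadl HTTP/1.1" 200 512 "-" "python-requests/2.31 (constructed)"
10.0.0.7 - - [02/Sep/2025:03:16:02 +0000] "GET /iam/admin/v1/users?WSDL HTTP/1.1" 401 0 "-" "curl/8.0"
10.0.0.9 - admin [02/Sep/2025:09:00:00 +0000] "GET /iam/admin/v1/health HTTP/1.1" 200 16 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["uri"].split("?", 1)[0]  # ";.wadl" stays in the path, "?WSDL" is the query
    return rec


def analyze(log_text, window_seconds=300):
    """Return (severity, ip, reason) alerts for requests matching the article's observables.

    A bypass-pattern request is 'high' when the server answered 2xx (the bypass
    worked) and 'medium' otherwise. An unauthenticated POST to the script
    endpoint is 'critical' when the same source sent a bypass-pattern request
    within window_seconds before it, since that is the chain the article describes."""
    alerts = []
    last_bypass = {}       # ip -> timestamp of its latest bypass-pattern request
    reported_iocs = set()  # report each known scanner IP once, not once per line
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/iam/"):
            continue  # only Oracle Identity Manager paths are of interest
        ip = rec["ip"]
        if BYPASS_RE.search(rec["uri"]):
            sev = "high" if rec["status"].startswith("2") else "medium"
            alerts.append((sev, ip, f"auth-bypass pattern in {rec['uri']} (HTTP {rec['status']})"))
            last_bypass[ip] = rec["ts"]
        if rec["method"] == "POST" and rec["path"] == SCRIPT_PATH and rec["user"] == "-":
            prior = last_bypass.get(ip)
            chained = prior is not None and 0 <= (rec["ts"] - prior).total_seconds() <= window_seconds
            sev = "critical" if chained else "high"
            alerts.append((sev, ip, "unauthenticated POST to Groovy script endpoint"
                           + (" after bypass pattern from same source" if chained else "")))
        if ip in KNOWN_SCANNERS and ip not in reported_iocs:
            reported_iocs.add(ip)
            alerts.append(("info", ip, "source IP listed in published IOCs"))
    return alerts


def summarize(alerts):
    """Count alerts per severity."""
    counts = {}
    for sev, _, _ in alerts:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, ip, reason in analyze(SAMPLE_LOG):
        print(f"[{sev:8}] {ip:15} {reason}")
    print(summarize(analyze(SAMPLE_LOG)))
```

Run against a real access log, the 401 on a ?WSDL request is still worth a medium alert: it shows someone probing the bypass even where the filter held, which is exactly the pre-patch scanning the SANS Technology Institute observed. The window is deliberately short because the observed requests arrived seconds apart; widen it if the proxy and application logs are ingested with different delays.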

Detection Methods

Security teams should focus on both network and host-based detection.

  1. Web Log Analysis: Ingest web server, reverse proxy, and WAF logs into a SIEM. Create detection rules to alert on requests to Oracle Identity Manager paths that contain the ?WSDL or ;.wadl strings, especially if followed by a POST request to a script endpoint. This is a direct application of D3-NTA: Network Traffic Analysis.

  2. EDR Monitoring: On the Oracle server, monitor the Java process associated with WebLogic Server for any suspicious child process creation. The application should not be spawning shells or command-line interpreters. This falls under D3-PA: Process Analysis.

  3. Vulnerability Scanning: Use authenticated vulnerability scanners to check for the presence of vulnerable Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0.
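For the EDR side of step 2, the check is a process-ancestry rule: a shell or command interpreter anywhere beneath the WebLogic Server JVM is suspicious, while the same shell under an unrelated Java process or a user session is not. The Python below is an added example for this article, not vendor or EDR product code. It runs over constructed process-creation events with the pid, ppid, image and command line fields that most EDR telemetry carries; the paths, pids and command lines are invented, and "weblogic" in the JVM command line is used as the marker for the application server process.

```python
import os

# Process images that an application server's JVM should not be spawning.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}

# Constructed process-creation events (not from the article), shaped like the
# pid/ppid/image/cmdline fields most EDR telemetry carries. Paths and command
# lines are invented for illustration.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "/opt/oracle/jdk/bin/java",
     "cmdline": "java -Dweblogic.Name=oim_server1 weblogic.Server", "user": "oracle"},
    {"pid": 200, "ppid": 1,   "image": "/usr/bin/java",
     "cmdline": "java -jar /opt/tools/reporting.jar", "user": "svc_reports"},
    {"pid": 201, "ppid": 200, "image": "/bin/sh",
     "cmdline": "sh -c /opt/tools/rotate-reports.sh", "user": "svc_reports"},
    {"pid": 101, "ppid": 100, "image": "/bin/sh",
     "cmdline": "sh -c id", "user": "oracle"},
    {"pid": 102, "ppid": 101, "image": "/usr/bin/bash",
     "cmdline": "bash -c 'uname -a'", "user": "oracle"},
    {"pid": 300, "ppid": 1,   "image": "/usr/bin/bash",
     "cmdline": "bash /home/admin/backup.sh", "user": "admin"},
]


def image_name(ev):
    """Basename of the process image, lower-cased, so /bin/sh and C:\\Windows\\System32\\cmd.exe compare cleanly."""
    return os.path.basename(ev["image"].replace("\\", "/")).lower()


def is_weblogic_java(ev):
    """The WebLogic Server JVM: a java image whose command line names weblogic."""
    return image_name(ev) in {"java", "java.exe"} and "weblogic" in ev["cmdline"].lower()


def find_shells_under_weblogic(events):
    """Return one finding per shell/interpreter process that descends from the WebLogic JVM.

    The ancestry walk is bounded by a visited set so corrupted telemetry with a
    ppid cycle cannot loop forever."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        if image_name(ev) not in SHELL_IMAGES:
            continue
        depth, visited = 0, {ev["pid"]}
        parent = by_pid.get(ev["ppid"])
        while parent is not None and parent["pid"] not in visited:
            depth += 1
            visited.add(parent["pid"])
            if is_weblogic_java(parent):
                findings.append({
                    "pid": ev["pid"], "image": ev["image"], "cmdline": ev["cmdline"],
                    "user": ev["user"], "weblogic_pid": parent["pid"], "depth": depth,
                })
                break
            parent = by_pid.get(parent["ppid"])
    return findings


if __name__ == "__main__":
    for f in find_shells_under_weblogic(SAMPLE_EVENTS):
        print(f"ALERT pid={f['pid']} {f['image']} ({f['cmdline']!r}) "
              f"is {f['depth']} level(s) below WebLogic JVM pid={f['weblogic_pid']}")
```

Walking the full ancestry rather than checking only the direct parent matters: once a shell exists under the JVM, anything it launches is equally out of place, and the depth field tells the analyst how far the activity has already progressed. On a host where a legitimate WebLogic startup script briefly spawns a shell, add that script's command line to an allow list rather than loosening the rule.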

Remediation Steps

The primary remediation is to apply the security updates released by Oracle in its October 2025 Critical Patch Update (CPU).

  1. Patch Immediately: Prioritize the deployment of the patch for CVE-2025-61757 on all internet-facing and internal Oracle Identity Manager instances. This is a form of D3-SU: Software Update.

  2. Workaround (Temporary): If patching is not immediately possible, implement strict access control rules on a WAF or reverse proxy to block any requests containing the patterns ?WSDL or ;.wadl directed at the Oracle Identity Manager application. This is a compensating control but should not replace patching. This is a form of D3-ITF: Inbound Traffic Filtering.

  3. Assume Compromise: Given the evidence of zero-day exploitation, organizations with vulnerable, internet-exposed systems should assume compromise and initiate threat hunting activities to look for signs of persistence or lateral movement.

Timeline of Events

  1. August 30, 2025: Exploitation attempts targeting CVE-2025-61757 were first observed in the wild.
  2. October 21, 2025: Oracle releases its quarterly Critical Patch Update, including a patch for CVE-2025-61757.
  3. November 21, 2025: CISA adds CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) catalog.
  4. November 22, 2025: This article was published.
  5. December 12, 2025: CISA's deadline for U.S. federal agencies to apply the patch for CVE-2025-61757.

MITRE ATT&CK Mitigations

  • The most effective mitigation is to apply the security patches provided by Oracle immediately. Mapped D3FEND technique: D3-SU: Software Update.
  • Use a Web Application Firewall (WAF) to filter for malicious URL patterns as a temporary workaround. Mapped D3FEND technique: D3-ITF: Inbound Traffic Filtering.
  • Use an EDR to monitor for suspicious child processes spawned by the Oracle application server. Mapped D3FEND technique: D3-PA: Process Analysis.

D3FEND Defensive Countermeasures

The primary and most critical countermeasure against CVE-2025-61757 is the immediate application of the patch provided in Oracle's October 2025 Critical Patch Update. Given that this vulnerability is being actively exploited as a zero-day and is now part of the CISA KEV catalog, patching cannot be delayed. Organizations must activate their emergency patching procedures. Priority should be given to any internet-facing Oracle Identity Manager instances, as they are the most exposed. Following that, all internal instances must be patched to prevent lateral movement. Patching should be managed through a centralized patch management system to ensure complete coverage and verification. After deployment, run a vulnerability scan to confirm that the patch has been applied successfully and the vulnerability is no longer detected. Deferring this action poses an unacceptable risk of complete system compromise.

As a compensating control or a defense-in-depth measure, organizations should implement stringent inbound traffic filtering using a Web Application Firewall (WAF) positioned in front of their Oracle Identity Manager servers. A specific rule should be created to detect and block any HTTP requests to the application that contain the strings ?WSDL or ;.wadl in the URI. This virtual patch directly targets the authentication bypass vector of the exploit chain. While effective against the known public exploit method, attackers may discover alternative bypass strings, so this should not be considered a permanent fix. This WAF rule can serve as an immediate, temporary mitigation while the official Oracle patch is being tested and deployed, and it should be kept active even after patching to provide an additional layer of security against similar logic flaws in the future.
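One concrete form of that virtual patch, for sites that front Oracle Identity Manager with an nginx reverse proxy rather than a commercial WAF, is shown below. This is an added example for this article, not an Oracle-supplied or vendor-supplied configuration. The upstream name oim_backend, its address and port, the hostname and the certificate paths are placeholders for this example; the two strings in the regular expression are the ones listed in the observables table above.

```nginx
# Added example (not from the article): virtual patch on an nginx reverse proxy
# in front of Oracle Identity Manager. Upstream name, address, hostname and
# certificate paths are placeholders.
upstream oim_backend {
    server 10.0.0.20:14000;   # constructed address of the OIM managed server
}

server {
    listen 443 ssl;
    server_name oim.example.internal;                 # placeholder hostname
    ssl_certificate     /etc/nginx/tls/oim.crt;       # placeholder path
    ssl_certificate_key /etc/nginx/tls/oim.key;       # placeholder path

    location / {
        # $request_uri is the raw URI as sent by the client, query string
        # included, so both the "?WSDL" query form and the ";.wadl" path form
        # are visible here. Matching is case-insensitive (~*) so a change of
        # letter case in the known strings does not slip past the rule.
        if ($request_uri ~* "(\?WSDL|;\.wadl)") {
            return 403;
        }
        proxy_pass http://oim_backend;
    }
}
```

Because the rejected requests are still written to the nginx access log with status 403, the same log-review rule that watches for the bypass strings continues to see probing activity after the block is in place, which is useful evidence of who is scanning while the Oracle patch is being rolled out. As the section above notes, the rule only covers the published bypass strings, so it is a stopgap and a defense-in-depth layer, not a substitute for the October 2025 CPU.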

Sources & References

  • "CISA warns Oracle Identity Manager RCE flaw is being actively exploited", BleepingComputer (bleepingcomputer.com), November 21, 2025.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags: CVE-2025-61757, Oracle, RCE, Zero-Day, CISA, KEV, Vulnerability, Patch Management
