What is Oracle Identity Manager?
Oracle Identity Manager (OIM), part of Oracle Fusion Middleware, is an enterprise identity governance platform used by large organizations and government agencies to manage user provisioning, access rights, and identity lifecycle across IT systems. OIM controls who has access to what across the enterprise — from cloud applications to on-premises systems. Compromising OIM gives an attacker the ability to create privileged accounts, modify access rights, and gain a persistent foothold across all identity-governed systems. OIM's REST WebServices interface is often internet-accessible for integration purposes, making it an exposed attack surface.
Overview
CVE-2025-61757 is a missing authentication for critical function vulnerability (CWE-306) in Oracle Identity Manager's REST WebServices component. The application uses regex/string-matching to enforce authentication on URI paths, but attackers bypass this control by appending suffixes such as ?WSDL or ;.wadl to protected endpoints, causing the application to treat them as publicly accessible. The primary exploit path reaches a Groovy script endpoint that executes attacker-supplied Groovy code at compile time, achieving full server-side RCE. Zero-day exploitation was observed in honeypots as early as 30 August 2025 — over 50 days before the patch.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Oracle Identity Manager 12.2.1.4.0 | All builds before Oct 2025 CPU | Oracle October 2025 CPU |
| Oracle Identity Manager 14.1.2.1.0 | All builds before Oct 2025 CPU | Oracle October 2025 CPU |
Technical Details
The vulnerability (CWE-306: Missing Authentication for Critical Function) is in OIM's REST WebServices URI access control logic. The application uses regex or string-matching to determine which URIs require authentication. By appending query string suffixes (?WSDL) or path suffixes (;.wadl) to otherwise-protected endpoint URIs, attackers cause the access control check to evaluate the modified URI as unprotected.
The primary exploit path targets:
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
This endpoint is intended for Groovy script syntax validation. Attackers submit a malicious Groovy script as the "syntax check" payload. The Groovy compiler executes attacker-supplied annotations and static initializers at compile time — before any runtime check — enabling arbitrary code execution with the privileges of the OIM application server process (typically running with broad system access). Automated exploitation in the wild used uniform 556-byte POST payloads, indicating a weaponized tool or framework.
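The access-control flaw described above is a normalization mismatch: an allowlist rule is evaluated against the raw request URI, so a suffix that is meaningless for routing changes the outcome of the check. The following Python model is an added example (not Oracle's code and not taken from the page); the prefix, the suffix regex and the `PUBLIC_PATHS` allowlist are assumptions chosen to illustrate the flaw class beside a deny-by-default check that canonicalises the path before matching.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Hypothetical model of the flaw class (assumption, not Oracle's logic):
# everything under this prefix is meant to require authentication ...
PROTECTED_PREFIX = "/iam/governance/"
# ... except service descriptors, which the naive rule recognises by a
# suffix on the *raw* request URI (query string and matrix params included).
PUBLIC_SUFFIX_RE = re.compile(r"(\?WSDL|\.wadl)$", re.IGNORECASE)

# Hardened variant: explicit allowlist of canonical public paths.
# Placeholder path, not a real OIM resource.
PUBLIC_PATHS = {"/example/public/health"}

TARGET = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"


def naive_requires_auth(request_uri: str) -> bool:
    """Flawed check: the suffix allowlist is tested on the unnormalised URI,
    so ';.wadl' or '?WSDL' appended to a protected path wins."""
    if PUBLIC_SUFFIX_RE.search(request_uri):
        return False  # treated as a public descriptor; authentication skipped
    return request_uri.startswith(PROTECTED_PREFIX)


def normalize_path(request_uri: str) -> str:
    """Canonical request path: drop query/fragment, percent-decode once,
    strip ';matrix=params' from every segment, resolve '.' and '..'."""
    path = unquote(urlsplit(request_uri).path)
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    path = normpath("/".join(segments) or "/")
    return path if path.startswith("/") else "/" + path


def hardened_requires_auth(request_uri: str) -> bool:
    """Deny by default: authenticate unless the *canonical* path is in the
    explicit public allowlist. Suffix tricks no longer reach the decision."""
    return normalize_path(request_uri) not in PUBLIC_PATHS


if __name__ == "__main__":
    for uri in (TARGET, TARGET + ";.wadl", TARGET + "?WSDL", TARGET + "%3B.wadl"):
        print(f"{uri!s:>95}  naive={naive_requires_auth(uri)!s:5}  "
              f"hardened={hardened_requires_auth(uri)}")
```

The point of the hardened variant is not the particular regex but the order of operations: canonicalise first, decide second, and make the public set an exact-match allowlist rather than a pattern over whatever string the client sent.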
Discovery
Discovered by Adam Kues and Shubham Shah of Searchlight Cyber while investigating a separate Oracle Cloud breach. SANS Internet Storm Center honeypots recorded automated exploitation starting 30 August 2025.
Exploitation Context
Zero-day exploitation began on 30 August 2025 — over 50 days before Oracle's patch — with automated HTTP POST requests observed in SANS ISC honeypots targeting the Groovy script endpoint (activity continued through at least 9 September 2025). CISA added CVE-2025-61757 to the KEV catalog on 21 November 2025 and ordered federal agencies to patch, with The Register reporting: "CISA orders feds to patch Oracle Identity Manager zero-day." Horizon3.ai published a detailed attack path analysis confirming the pre-auth RCE. No specific threat actor has been publicly attributed, but the early, automated, organized exploitation indicates a sophisticated actor or criminal toolkit.
Remediation
- Apply the Oracle October 2025 Critical Patch Update to all Oracle Identity Manager deployments immediately.
- Verify patch application: confirm that OIM 12.2.1.4.0 and/or 14.1.2.1.0 builds reflect the October 2025 CPU version identifiers.
- Check for signs of compromise: search OIM logs for POST requests to /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus (with or without the ;.wadl suffix) from unexpected source IPs, particularly before October 2025.
- Restrict OIM REST interface access: apply network firewall rules to limit access to the OIM REST WebServices interface to trusted integration partners and administrative subnets only. Do not expose OIM REST directly to the internet.
- Audit provisioned accounts: run an OIM reconciliation report and review recently created or modified accounts — attackers who achieved RCE may have provisioned backdoor accounts across managed systems.
- Rotate OIM admin credentials and review OIM connector credentials if compromise is suspected.
- Engage Oracle Support for forensic guidance specific to OIM if compromise is confirmed.
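To make the log-review step above concrete, here is an added Python triage script (not part of the advisory and not an Oracle tool). It assumes the front-end or WebLogic access log is in Common Log Format; the five sample lines are constructed, use documentation IP ranges, and are not real OIM logs. The endpoint path and the 2025-10-21 patch date come from this page. Each POST to the Groovy endpoint is canonicalised the same way a hardened check would do it, then flagged when it carries a suffix (`;.wadl`, `?WSDL`, or a percent-encoded form) or arrives unauthenticated.

```python
import re
from datetime import datetime
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory; patch date taken from the timeline.
TARGET_PATH = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
PATCH_DATE = datetime.fromisoformat("2025-10-21T00:00:00+00:00")

# Constructed sample lines (Common Log Format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2025:11:02:13 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 512
198.51.100.20 - - [01/Sep/2025:08:15:44 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus?WSDL HTTP/1.1" 200 488
10.1.2.3 - svc_integ [01/Sep/2025:09:00:00 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications HTTP/1.1" 200 2048
10.1.2.3 - svc_integ [01/Sep/2025:09:00:05 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1" 200 120
192.0.2.55 - - [25/Oct/2025:21:30:11 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus%3B.wadl HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def canonical_path(uri: str) -> str:
    """Strip query, percent-decode once, drop ';matrix' params, resolve dots."""
    path = unquote(urlsplit(uri).path)
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return normpath(path or "/")


def parse_line(line: str):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = canonical_path(rec["uri"])
    # Anything left over after canonicalisation is a suffix the router
    # ignores but a string-matching ACL might not: ';.wadl', '?WSDL', %3B...
    rec["suffix_bypass"] = rec["path"] != unquote(rec["uri"])
    rec["authenticated"] = rec["user"] != "-"
    rec["pre_patch"] = rec["ts"] < PATCH_DATE
    return rec


def find_suspicious(log_text: str) -> list:
    """POSTs to the Groovy endpoint that used a suffix or had no auth user."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == TARGET_PATH:
            if rec["suffix_bypass"] or not rec["authenticated"]:
                findings.append(rec)
    return findings


def summarize(findings: list) -> dict:
    """Hit count per source IP, for the 'unexpected source IPs' review."""
    by_ip = {}
    for f in findings:
        by_ip[f["ip"]] = by_ip.get(f["ip"], 0) + 1
    return by_ip


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['ip']:>15} suffix={h['suffix_bypass']} "
              f"auth={h['authenticated']} pre_patch={h['pre_patch']} {h['uri']}")
    print("per-IP:", summarize(hits))
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents. Authenticated integration traffic to the endpoint without a suffix (the `svc_integ` line) is deliberately not reported, so the output lists candidates for the pre-patch, unexpected-source review the advisory asks for rather than every legitimate syntax check.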
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-61757 |
| Vendor / Product | Oracle — Fusion Middleware |
| NVD Published | 2025-10-21 |
| NVD Last Modified | 2025-11-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-306 |
| CISA KEV Added | 2025-11-21 |
| CISA KEV Deadline | 2025-12-12 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-08-30 | Zero-day exploitation begins — SANS Internet Storm Center honeypots record first automated POST requests targeting the Groovy script endpoint |
| 2025-09-09 | Exploitation activity against honeypots continues; uniform 556-byte payloads observed |
| 2025-10-21 | Oracle October 2025 Critical Patch Update released; CVE published |
| 2025-11-21 | CISA adds to Known Exploited Vulnerabilities catalog |
| 2025-12-12 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Oracle Critical Patch Update — October 2025 | Vendor Advisory |
| NVD — CVE-2025-61757 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Horizon3.ai — CVE-2025-61757 Attack Research | Security Research |
| Imperva — Oracle Identity Manager Authentication Bypass Analysis | Security Research |
| The Register — CISA Orders Feds to Patch Oracle Identity Manager Zero-Day | News |