Planned Fix

CVE-2025-61757

RCE via missing authentication in Oracle Identity Manager REST WebServices (pre-auth)

Summary

CVE-2025-61757 is a critical pre-authentication vulnerability in the REST WebServices component of Oracle Identity Manager (Oracle Fusion Middleware). A network-accessible attacker can bypass REST authentication by appending specific metadata suffixes to REST URIs, reach a protected Groovy script endpoint, and trigger remote code execution, potentially taking over Identity Manager. Patches were released in Oracle's October 2025 Critical Patch Update (CPU), and exploitation has been observed in the wild per credible threat intelligence and government advisories.

Why Planned Fix?

2/6
No authentication required
Deployment unknown
No user interaction needed
Default configuration unknown
No active exploitation or PoC
Not a high impact vulnerability

Exploitation Details

Type
update
Is exploitable with default configuration?
?
Is authentication needed?
No
PoC / Exploit
No
Impact

Full takeover of Oracle Identity Manager; remote code execution; privilege escalation; manipulation of identities and provisioning workflows.

Exploitation Requirements
  • No authentication required
  • REST WebServices endpoints exposed
  • Network access over HTTP
  • Exploitable metadata suffixes (?WSDL, ;.wadl) appended to REST URIs
Exploitation Process

An unauthenticated attacker can bypass REST WebServices authentication by appending metadata suffixes such as ?WSDL or ;.wadl to REST URIs. The suffixed request is still routed to the protected resource (for example, the Groovy script compilation endpoint), where a Groovy annotation processed at compile time executes attacker-supplied code on the OIM server, giving remote code execution without any credentials.
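The following is an added, illustrative model of the bug class described above; it is not Oracle's code and does not reproduce the exploit. It assumes two things that the page's description implies but does not spell out: an authentication filter that exempts requests for service metadata documents by looking for a ?WSDL or ;.wadl suffix on the raw request target, and a JAX-RS style router that strips the query string and matrix parameters before resource lookup. The endpoint paths are the two listed on this page; everything else (function names, the allowlist logic) is hypothetical.

```python
"""Model of a suffix-based authentication bypass (illustrative, not Oracle's code).

Assumption 1: the auth filter decides on the raw request target and exempts
anything that looks like a metadata document request (?WSDL, ;.wadl).
Assumption 2: the router normalises the target (drops query and matrix
parameters) before picking the resource, so the exempted request still
lands on the protected resource.
"""
from urllib.parse import urlsplit

# Paths taken from the "Affected Endpoints" list on this page.
PROTECTED_PATHS = {
    "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus",
    "/iam/governance/applicationmanagement/templates",
}
# Hypothetical suffixes the naive filter treats as "public metadata".
METADATA_SUFFIXES = ("?WSDL", ";.wadl")


def route_target(target: str) -> str:
    """Router model: drop the query, then drop ';param' from every path segment."""
    path = urlsplit(target).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def naive_requires_auth(target: str) -> bool:
    """Vulnerable model: exempts by raw suffix BEFORE normalisation.

    A request for '<protected>;.wadl' is waved through as a metadata fetch,
    but the router (route_target) still dispatches it to '<protected>'.
    """
    if target.endswith(METADATA_SUFFIXES):
        return False
    return route_target(target) in PROTECTED_PATHS


def hardened_requires_auth(target: str) -> bool:
    """Hardened model: decide on the same canonical path the router dispatches on.

    Whatever suffix the client appends cannot change which resource is
    protected, because the decision and the dispatch use identical input.
    """
    return route_target(target) in PROTECTED_PATHS


def simulate(target: str, authenticated: bool, requires_auth) -> str:
    """Return 'denied' or the resource path the request actually reaches."""
    if requires_auth(target) and not authenticated:
        return "denied"
    return route_target(target)


if __name__ == "__main__":
    g = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
    for t in (g, g + ";.wadl", g + "?WSDL"):
        print(f"{t}\n  naive: {simulate(t, False, naive_requires_auth)}"
              f"\n  hardened: {simulate(t, False, hardened_requires_auth)}")
```

The point the model makes is the general fix: an authorization decision must be computed from the same canonical path the dispatcher uses, never from the raw request target, and "metadata" exemptions should match a separate, dedicated resource rather than a suffix on an arbitrary URI.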

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
0

Affected Software

Vendor: Oracle

Product            Affected Versions
Identity Manager   12.2.1.4.0, 14.1.2.1.0
Description

Oracle Fusion Middleware Identity Manager (OIM) is an enterprise identity management system that automates provisioning, access governance, and lifecycle management for users across enterprise resources.

Deployment:
Protocol: HTTP
Ports: 80, 443
Affected Component: REST WebServices component of Oracle Identity Manager (OIM) within Oracle Fusion Middleware.

Affected Endpoints (2):
1. /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
2. /iam/governance/applicationmanagement/templates;.wadl
Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments (AI-generated estimate based on market presence, product type and adoption signals; not exact data).
Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update

Not available

Threat Intelligence
EPSS Score: 84.2%

Probability of exploitation in the next 30 days

EPSS Percentile: 84%

Worse than 84% of all CVEs

CISA KEV
Not Listed
Active Exploitation
No Evidence
Threat Actors

No known threat actors

Detection Rules (7)
Other: POST requests to OIM REST endpoints without authentication
Other: Requests using .wadl suffix to bypass authentication
Other: Unusual POSTs to groovyscriptstatus with nonstandard payloads
Other: Threat hunting resource
Other: Threat hunting resource
Other: Threat hunting resource
Other: Threat hunting resource
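As an added example (not part of this page's rule set or any vendor tooling), the script below implements the three rule descriptions above over web access logs: suffix-bypass requests (;.wadl or ?WSDL on an OIM REST path), POSTs to the groovyscriptstatus endpoint, and POSTs to OIM REST endpoints with no authenticated user. It assumes combined log format where the remote-user field is "-" for unauthenticated requests; WebLogic or front-proxy logs may differ, so the regex is the part to adapt. The sample log lines are constructed for the example. Note that the "nonstandard payloads" rule needs request bodies, which access logs do not carry; that part requires a WAF or proxy with body logging.

```python
"""Hunt for CVE-2025-61757 bypass patterns in access logs (added example).

Assumes Apache/Nginx combined log format; '%u' is '-' when the request
carried no authenticated identity. Sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

OIM_REST_PREFIX = "/iam/governance/"
# Endpoint named in this page's detection rules (without the bypass suffix).
GROOVY_ENDPOINT = (
    "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
)

# Constructed sample: two bypass attempts, one legitimate admin call,
# one ?WSDL probe that was rejected, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2025:10:14:02 +0000] "GET /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 1532
203.0.113.7 - - [21/Nov/2025:10:14:05 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 87
198.51.100.4 - oimadmin [21/Nov/2025:10:15:11 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1" 200 87
198.51.100.9 - - [21/Nov/2025:10:16:40 +0000] "GET /iam/governance/selfservice/api/v1/users?WSDL HTTP/1.1" 401 0
192.0.2.33 - - [21/Nov/2025:10:17:00 +0000] "GET /identity/faces/signin HTTP/1.1" 200 9001
""".splitlines()


def normalise(target: str) -> str:
    """Canonical path: drop the query and any ';param' matrix suffix per segment."""
    path = urlsplit(target).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def has_bypass_suffix(target: str) -> bool:
    """True for the two suffix forms named on this page (?WSDL, ;.wadl)."""
    path, _, query = target.partition("?")
    return query.upper() == "WSDL" or ";.wadl" in path


def analyse(lines):
    """Return one alert dict per matching line, in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; real pipelines should count these
        f = m.groupdict()
        target = f["target"]
        path = normalise(target)
        if not path.startswith(OIM_REST_PREFIX):
            continue
        rules = []
        if has_bypass_suffix(target):
            rules.append("suffix_bypass")
        if f["method"] == "POST" and path == GROOVY_ENDPOINT:
            rules.append("groovy_post")
        if f["method"] == "POST" and f["user"] == "-":
            rules.append("unauth_post")
        if rules:
            alerts.append({
                "ip": f["ip"], "target": target,
                "status": int(f["status"]), "rules": rules,
            })
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a)
```

A 401 on a suffixed request (the fourth sample line) is still worth an alert: it is reconnaissance against the exact bypass pattern, and a 200 on the same path with the suffix is the signal that the bypass worked. The admin's unsuffixed POST is flagged only by the groovy_post rule, which is where an allowlist of expected operator accounts would cut noise.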

NVD Data


Description Summary

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager.

CVSS Base Score

9.8
Critical

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE:
Version From: 12.2.1.4.0, 14.1.2.1.0
Version Upto: 12.2.1.4.0, 14.1.2.1.0

Affected Software (CPE) (2)

  • cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*