
CVE-2025-61757: Oracle Identity Manager Pre-Auth RCE Under Active Attack

Red | Vulnerability Report

Summary

CVE-2025-61757 is a critical authentication-bypass vulnerability in Oracle Identity Manager (OIM) that enables unauthenticated remote code execution through improperly protected REST API endpoints. Rated CVSS 9.8, it was actively exploited as a zero-day from August 30, 2025, months before Oracle released patches in the October 2025 Critical Patch Update. The flaw stems from OIM’s SecurityFilter component, which relies on regex-based allow-listing instead of strict per-route access controls, so simple URI manipulations such as appending ;.wadl or ?WSDL to a request URI are enough to bypass authentication. With authentication bypassed, threat actors can invoke internal management APIs, in particular a Groovy script compilation endpoint; because Groovy supports compile-time annotation execution, code runs during compilation without the submitted script ever being executed normally. SANS Internet Storm Center honeypots confirmed exploitation between August 30 and September 9, 2025, demonstrating active targeting of vulnerable OIM instances before patches were available. Organizations running the affected versions, 12.2.1.4.0 and 14.1.2.1.0, face full system compromise, unauthorized access to identity-governed resources, and enterprise-wide credential theft. The pre-authentication nature of CVE-2025-61757, its trivial exploitation method, and its confirmed zero-day status together make it a maximum-priority issue for immediate remediation through patch deployment, exposure restriction, and enhanced monitoring.

Vulnerability Details

CVE-2025-61757 is a critical authentication-bypass vulnerability affecting Oracle Identity Manager, a core component of Oracle Fusion Middleware used for enterprise identity governance and access management. Assigned a CVSS score of 9.8, the Oracle Identity Manager vulnerability enables unauthenticated remote code execution through improperly protected REST API endpoints, creating severe risks for organizations relying on OIM for identity management. The CVE-2025-61757 vulnerability arises from fundamental weaknesses in Oracle Identity Manager’s SecurityFilter component, which implements regex-based allow-listing instead of strict per-route access controls for REST endpoint authentication.

The authentication bypass in CVE-2025-61757 allows attackers to append matrix parameters such as ;.wadl or query strings like ?WSDL to request URIs, causing the SecurityFilter to misclassify protected Oracle Identity Manager endpoints as publicly accessible. This trivial technique requires no sophisticated tools or advanced technical knowledge, making CVE-2025-61757 easily exploitable by threat actors with a basic understanding of URI manipulation and REST API architecture. Because the regex-based filtering matches on the raw request URI rather than validating access per route, it creates a fundamental security gap that bypasses all authentication requirements.

Once authentication is bypassed through CVE-2025-61757, attackers gain access to invoke internal management APIs within Oracle Identity Manager, most notably a Groovy script compilation endpoint originally intended only for syntax checking and validation. Although designed as a validation tool, this endpoint compiles submitted Groovy scripts, and Groovy’s native support for compile-time annotation execution allows malicious code to execute during the compilation process itself. This design flaw in Oracle Identity Manager enables adversaries to achieve remote code execution through CVE-2025-61757 without requiring the submitted script to execute normally, providing a direct pathway to full system compromise and unauthorized access to all identity-governed resources managed by the vulnerable OIM instance.

Evidence confirms CVE-2025-61757 was actively exploited as a zero-day vulnerability months before Oracle released security patches. SANS Internet Storm Center honeypots recorded active exploitation attempts against Oracle Identity Manager between August 30 and September 9, 2025, well before Oracle issued fixes in the October 2025 Critical Patch Update. Organizations running affected Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 face significant compromise risks if systems remain unpatched, especially when REST endpoints are exposed to the internet. Because CVE-2025-61757 is reachable over HTTP without any authentication, exposure is dramatically higher for perimeter-accessible Oracle Identity Manager instances. The combination of trivial exploitation methodology, confirmed zero-day status, and active exploitation in the wild elevates CVE-2025-61757 to maximum priority for immediate remediation across all Oracle Identity Manager deployments.

Recommendations

Organizations must immediately apply Oracle’s October 2025 Critical Patch Update to all affected Oracle Identity Manager instances to remediate CVE-2025-61757. This security update is the only definitive fix for the SecurityFilter authentication-bypass flaw in Oracle Identity Manager. Prioritize patching for systems with internet-facing REST endpoints, as these Oracle Identity Manager instances face the highest risk of CVE-2025-61757 exploitation due to the pre-authentication nature of the vulnerability.

Deploy compensating controls to block CVE-2025-61757 exploitation attempts while patches are being applied. Configure web application firewalls, reverse proxies, and load balancers to block or sanitize requests containing ;.wadl, .wadl, or ?WSDL patterns targeting Oracle Identity Manager endpoints. These URI patterns directly trigger the SecurityFilter regex bypass that enables unauthenticated access in CVE-2025-61757. Additionally, restrict or disable access to the Groovy script compilation endpoint (/groovyscriptstatus) and related Application Management APIs, as these Oracle Identity Manager endpoints enable remote code execution once authentication is bypassed through CVE-2025-61757.

Conduct comprehensive security reviews to identify CVE-2025-61757 exploitation attempts and assess Oracle Identity Manager compromise. Search HTTP access logs for requests ending in ;.wadl or ?WSDL, and pay particular attention to POST requests of approximately 556 bytes to the Groovy script status endpoint, as these are strong indicators of active CVE-2025-61757 exploitation attempts. Immediately isolate or firewall Oracle Identity Manager servers exposed to the public internet, as the pre-authentication nature of CVE-2025-61757 means any unauthenticated network access presents severe compromise risk. Organizations should assume a potential breach and thoroughly investigate any Oracle Identity Manager instances that were internet-accessible during the August-October 2025 zero-day exploitation window.
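As an added defender-side example (not the advisory’s or Oracle’s code), the classifier below encodes the request shapes named in the two recommendations above, the ;.wadl / .wadl / ?WSDL suffixes and POSTs to the Groovy script status endpoint, and runs it over constructed access-log lines; the same predicate can drive a blocking rule at a reverse proxy. The log layout (combined format plus a trailing request-length field such as nginx $request_length), the tolerance around the reported 556 bytes, and the sample paths and addresses are assumptions.

```python
import re
# Request shapes named in the advisory: ";.wadl", ".wadl" or "?WSDL" appended to a URI,
# and POSTs to the Groovy script status endpoint (~556-byte bodies were observed).
BYPASS_PATTERN = re.compile(r";\.wadl|\.wadl|\?WSDL", re.IGNORECASE)
GROOVY_ENDPOINT = "/groovyscriptstatus"
OBSERVED_POST_SIZE = 556
SIZE_TOLERANCE = 40  # assumption: slack around the reported size
# Assumed log layout: combined format plus a trailing request-length field
# (e.g. nginx $request_length); adapt the regex to your proxy's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<resp>\d+|-) (?P<req>\d+|-)$'
)

def classify_request(method, uri, request_bytes):
    """Return the advisory indicators a single request matches (empty list = clean)."""
    reasons = []
    hit = BYPASS_PATTERN.search(uri)
    if hit:
        reasons.append("bypass-suffix:" + hit.group(0).lower())
    # Strip query string and matrix parameters so the route is compared on its real path.
    path = uri.split("?", 1)[0].split(";", 1)[0]
    if method == "POST" and path.lower().endswith(GROOVY_ENDPOINT):
        reasons.append("groovy-compile-endpoint")
        if request_bytes is not None and abs(request_bytes - OBSERVED_POST_SIZE) <= SIZE_TOLERANCE:
            reasons.append("post-size-matches-observed")
    return reasons

def scan_access_log(lines):
    """Parse access-log lines and return the requests that match any indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently misclassify
        req = None if m["req"] == "-" else int(m["req"])
        reasons = classify_request(m["method"], m["uri"], req)
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"], "uri": m["uri"], "reasons": reasons})
    return findings

# Constructed sample log; IPs are documentation ranges, paths are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Aug/2025:10:15:01 +0000] "GET /rest/example/users;.wadl HTTP/1.1" 200 2048 290',
    '198.51.100.7 - - [30/Aug/2025:10:15:03 +0000] "POST /rest/example/groovyscriptstatus;.wadl HTTP/1.1" 200 128 556',
    '192.0.2.44 - - [02/Sep/2025:08:01:12 +0000] "GET /rest/example/users?WSDL HTTP/1.1" 200 1024 260',
    '192.0.2.9 - - [02/Sep/2025:08:02:40 +0000] "GET /rest/example/health HTTP/1.1" 200 64 180',
    '192.0.2.9 - - [02/Sep/2025:08:03:05 +0000] "POST /rest/example/groovyscriptstatus HTTP/1.1" 401 0 2000',
]
```

A request matching only the bare .wadl alternative may be a legitimate WADL fetch, so treat that reason as lower confidence than a Groovy-endpoint hit when triaging.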

Indicators of Compromise (IoCs)

IPv4 Addresses:

  • 89[.]238[.]132[.]76
  • 185[.]245[.]82[.]81
  • 138[.]199[.]29[.]153

MITRE ATT&CK TTPs

Reconnaissance:

  • T1595: Active Scanning
  • T1595.002: Vulnerability Scanning

Resource Development:

  • T1588: Obtain Capabilities
  • T1588.005: Exploits
  • T1588.006: Vulnerabilities

Initial Access:

  • T1190: Exploit Public-Facing Application

Execution:

  • T1059: Command and Scripting Interpreter
  • T1203: Exploitation for Client Execution

Privilege Escalation:

  • T1068: Exploitation for Privilege Escalation
  • T1548: Abuse Elevation Control Mechanism
  • T1548.002: Bypass User Account Control

Defense Evasion:

  • T1036: Masquerading

Credential Access:

  • T1552: Unsecured Credentials
