PT-2025-42978 · Oracle · Oracle Fusion Middleware Identity Manager

Published 2025-10-21 · Updated 2025-11-30 · CVE-2025-61757

CVSS v2.0: 10.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Oracle Identity Manager (Oracle Fusion Middleware), versions 12.2.1.4.0 and 14.1.2.1.0
Description: A critical vulnerability in the REST WebServices component of Oracle Identity Manager allows an unauthenticated remote attacker to execute arbitrary code over HTTP. The root cause is missing authentication for a critical function (CWE-306): the check that decides which requests may proceed without credentials is fooled by descriptor-style suffixes, so appending strings such as '?WSDL' or ';.wadl' to a request URL makes it look like a harmless WSDL/WADL descriptor fetch while the backend still routes it to the underlying API. This exposes internal APIs, among them the Groovy script status API, which compiles a submitted Groovy script; because Groovy compilation can itself run code (for example through AST transformation annotations), compiling attacker-supplied input is sufficient for remote code execution. Exploitation in the wild has been observed since August 2025, and CISA has added CVE-2025-61757 to its Known Exploited Vulnerabilities catalog. Successful exploitation leads to complete compromise of the host.
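The following is a model of the bypass class just described, added for this page and not Oracle's code: a hypothetical authentication filter allowlists "descriptor-looking" requests by inspecting the raw request target, while the backend dispatches on a normalized path with the query string and ';…' matrix parameters stripped. The endpoint and descriptor paths, the filter logic and the hardened variant are all assumptions written to illustrate the pattern, not the product's real implementation.

```python
"""Model of the auth-bypass class: allowlist on the raw target, routing on
the normalized path. Hypothetical illustration, not Oracle's code."""
from urllib.parse import urlsplit

# Assumed path of an API that compiles submitted Groovy (name is an assumption).
GROOVY_STATUS = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
# Assumed path of the genuine, legitimately public WADL descriptor.
PUBLIC_ROUTES = {"/iam/governance/applicationmanagement/api/application.wadl"}


def backend_route(raw_target):
    """Normalize the way a backend router would: drop the query string and
    any ';...' matrix parameters, so '/x/y;.wadl?WSDL' routes to '/x/y'."""
    path = urlsplit(raw_target).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def vulnerable_is_public(raw_target):
    """Weak filter: any target that ends in '?WSDL' or carries ';.wadl' is
    treated as a descriptor fetch and allowed without authentication.
    It looks at the raw target, not at what the backend will route to."""
    return raw_target.endswith("?WSDL") or ";.wadl" in raw_target


def vulnerable_dispatch(raw_target, authenticated):
    """Returns (status, route). Unauthenticated requests reach the Groovy
    endpoint whenever the weak filter is fooled by an appended suffix."""
    if not authenticated and not vulnerable_is_public(raw_target):
        return 401, None
    route = backend_route(raw_target)
    if route == GROOVY_STATUS or route in PUBLIC_ROUTES:
        return 200, route
    return 404, route


def hardened_dispatch(raw_target, authenticated):
    """Fix: decide authentication on the same normalized route the backend
    dispatches on, against an explicit allowlist, so query strings and
    matrix parameters cannot change the answer (default deny)."""
    route = backend_route(raw_target)
    if not authenticated and route not in PUBLIC_ROUTES:
        return 401, None
    if route == GROOVY_STATUS or route in PUBLIC_ROUTES:
        return 200, route
    return 404, route


if __name__ == "__main__":
    for target in (GROOVY_STATUS, GROOVY_STATUS + ";.wadl", GROOVY_STATUS + "?WSDL"):
        print(target, "vulnerable:", vulnerable_dispatch(target, False)[0],
              "hardened:", hardened_dispatch(target, False)[0])
```

The design point is that the authorization decision and the routing decision must be made on the same canonical form of the request; any filter that pattern-matches the raw URL while the router normalizes it is bypassable by whatever the router discards.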
Recommendations: Apply the Oracle security patch (October 2025 Critical Patch Update) for Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0. Restrict external access to the affected component with network segmentation or access control lists; the Identity Manager REST interface should not be reachable from the Internet. Until the patch is applied, a reverse proxy can additionally reject requests whose path segments carry ';…' matrix parameters or whose query string is '?WSDL' on REST API paths, since those suffixes are what the bypass relies on. Monitor access logs for requests to the vulnerable API endpoints, in particular POST requests whose URL ends in such a suffix (payloads of roughly 556 bytes have been reported for observed exploitation), and review logs back to August 2025 given the in-the-wild activity. If the Groovy script status API is not essential for operations, consider disabling it temporarily. Network restrictions and request filtering reduce exposure but do not remove the missing-authentication flaw; patching is the only complete fix.
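As an added example of the log monitoring recommended above (written for this page, not taken from the advisory or from Oracle), the following scans access-log lines for the bypass signature: a WSDL/WADL-style suffix appended to a REST route that is not itself a descriptor document, and any request that reaches the Groovy script status API. The log lines are constructed, the Groovy endpoint path is an assumed name, and the parser expects a Combined-Log-Format-style line such as a reverse proxy in front of the application would emit.

```python
"""Detection of the descriptor-suffix bypass in access logs.
Added example; log lines are constructed and the endpoint path is assumed."""
import re
from urllib.parse import urlsplit

GROOVY_STATUS = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"  # assumed

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one bypass attempt, one genuine WADL fetch,
# one '?WSDL' appended to a REST path, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Aug/2025:10:14:02 +0000] "POST ' + GROOVY_STATUS + ';.wadl HTTP/1.1" 200 1204',
    '198.51.100.20 - - [30/Aug/2025:10:15:11 +0000] "GET /iam/governance/applicationmanagement/api/application.wadl HTTP/1.1" 200 8831',
    '192.0.2.44 - - [30/Aug/2025:10:16:30 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications?WSDL HTTP/1.1" 200 412',
    '192.0.2.9 - - [30/Aug/2025:10:17:05 +0000] "GET /identity/faces/signin HTTP/1.1" 302 0',
]


def normalize(target):
    """Route the backend would actually serve: no query, no ';...' matrix params."""
    path = urlsplit(target).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def descriptor_hint(target):
    """The WSDL/WADL-looking suffix present in the raw target, or None."""
    parts = urlsplit(target)
    if parts.query.upper() == "WSDL":
        return "?WSDL"
    for seg in parts.path.split("/"):
        if ";" in seg:
            matrix = seg.split(";", 1)[1]
            if matrix.lower().endswith(".wadl"):
                return ";" + matrix
    return None


def flag_request(line):
    """Return a finding dict for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m["target"]
    route = normalize(target)
    hint = descriptor_hint(target)
    reasons = []
    # Heuristic: a descriptor suffix on a REST route that is not itself a
    # descriptor document is the signature of the filter-bypass trick.
    if hint and "/api/" in route and not route.endswith((".wadl", ".wsdl")):
        reasons.append(f"descriptor suffix {hint!r} on REST route {route}")
    if route == GROOVY_STATUS:
        reasons.append("request reached the Groovy script status API")
    if not reasons:
        return None
    return {"src": m["src"], "method": m["method"], "route": route,
            "status": int(m["status"]), "reasons": reasons}


def scan(lines):
    """All findings for an iterable of log lines, in input order."""
    return [f for f in map(flag_request, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against the proxy's or WebLogic's access log for the period since August 2025; a hit on the Groovy endpoint with a 200 status from an unexpected source address is an incident, not a false positive, and should trigger host-level forensics.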

Tags: Fix · RCE · LPE

Weakness Enumeration: Missing Authentication for Critical Function (CWE-306)

Related Identifiers: BDU:2025-14708, CVE-2025-61757

Affected Products: Oracle Fusion Middleware Identity Manager