
Introduction: Rising Threats Target a Core Enterprise Identity Platform
A newly exposed weakness inside Oracle Identity Manager has triggered urgent warnings from cybersecurity authorities. The U.S. Cybersecurity and Infrastructure Security Agency has moved swiftly to add this high-risk vulnerability to its Known Exploited Vulnerabilities catalog, signaling that attackers are already abusing it. The flaw allows adversaries to bypass authentication and execute malicious code remotely, placing some of the world’s largest organizations at serious risk. With proof of active exploitation, experts are urging immediate patching as attackers continue scanning networks for vulnerable systems. Below is an expanded, human-written exploration of the issue, including a clear recap of the original findings, deeper analysis, and a detailed expert section.
Overview of the Original Report
The U.S. Cybersecurity and Infrastructure Security Agency publicly confirmed that a critical Oracle Identity Manager flaw is under active exploitation. The issue is cataloged as CVE-2025-61757 and carries an extremely high CVSS score of 9.8. The weakness is rooted in missing authentication for key functions, enabling remote code execution without requiring a login. This vulnerability affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0, though Oracle has already issued a fix as part of its recent quarterly updates.
CISA emphasized that Oracle Fusion Middleware suffers from a missing authentication issue that grants remote attackers the ability to completely take over Identity Manager. Researchers Adam Kues and Shubham Shah from Searchlight Cyber uncovered this bypass and warned that it grants attackers access to API endpoints normally protected. Through these endpoints, intruders can interfere with authentication flows, escalate privileges and move deeper inside essential organizational systems.
The vulnerability stems from a broken security filter that can be tricked into treating protected endpoints as publicly accessible. Hackers can append “?WSDL” or “;.wadl” to a URI, causing the filter’s weak allow-list rules to misinterpret the request. The underlying design relies on regular expressions and simplistic string matching, making it error-prone and easy to manipulate. According to the researchers, it is common to find ways to deceive such filters into believing an attacker is accessing an unprotected route.
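To make the failure mode concrete, here is an added toy example written for this article (it is not Oracle's filter, nor code from Searchlight Cyber): a filter that decides "public" by running regexes over the raw request URI is fooled by exactly the two suffixes quoted above, while a version that canonicalizes the path first and compares it against an explicit allow-list is not. The public prefix, the allow-listed paths and the function names are constructed; the example also covers a `..` traversal case that the report does not discuss.

```python
import re
from urllib.parse import unquote

# Constructed toy model of the weak pattern described above (not Oracle's filter):
# "public" is decided by running regexes over the raw request URI.
WEAK_PUBLIC_PATTERNS = [
    re.compile(r"\.wadl$", re.IGNORECASE),  # service descriptors are meant to be public
    re.compile(r"\?WSDL$", re.IGNORECASE),
    re.compile(r"^/iam/public/"),           # constructed public prefix
]


def weak_filter_is_public(request_uri: str) -> bool:
    """Fragile: the query string and ';' matrix parameters are still part of the matched string."""
    return any(p.search(request_uri) for p in WEAK_PUBLIC_PATTERNS)


# Hardened version: canonicalize the path first, then compare against an exact,
# explicit allow-list; everything not listed requires authentication (default deny).
PUBLIC_PATHS = frozenset({
    "/iam/public/health",
    "/iam/public/application.wadl",  # descriptors are listed explicitly, not by suffix
})


def normalize_path(request_uri: str) -> str:
    """Drop query/fragment, decode once, strip ';...' matrix params, resolve '.' and '..'."""
    path = request_uri.split("?", 1)[0].split("#", 1)[0]
    out = []
    for seg in path.split("/"):
        seg = unquote(seg).split(";", 1)[0]  # ';.wadl' can no longer change the outcome
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def hardened_is_public(request_uri: str) -> bool:
    return normalize_path(request_uri) in PUBLIC_PATHS


def compare(request_uri: str) -> dict:
    """Side-by-side decision of both filters for one request URI."""
    return {
        "uri": request_uri,
        "weak_public": weak_filter_is_public(request_uri),
        "hardened_public": hardened_is_public(request_uri),
    }


if __name__ == "__main__":
    groovy = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
    for uri in (groovy, groovy + ";.wadl", groovy + "?WSDL",
                "/iam/public/health", "/iam/public/../governance/secret"):
        r = compare(uri)
        print(f'{r["uri"]:80} weak={r["weak_public"]!s:5} hardened={r["hardened_public"]}')
```

The design point is that the authorization decision must be made on the same canonical path the framework will actually dispatch on, and the allow-list must name concrete paths rather than suffixes or prefixes. Even then, the route filter should be a first layer only: each endpoint should enforce authentication itself, so a filter mistake does not become a pre-auth code path.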
Once attackers bypass authentication, they can chain the weakness with the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus” endpoint. This endpoint is intended to check syntax in Groovy code, not to execute it. However, Searchlight Cyber discovered that specially crafted HTTP POST requests could abuse Groovy annotations that run during compile time. Although the code normally would not execute, the annotation triggers action during compilation, granting attackers remote code execution capabilities.
CISA’s alert follows reports by Johannes B. Ullrich of the SANS Technology Institute, who found multiple honeypot attempts targeting the specific Groovy endpoint. Between August 30 and September 9, 2025, several POST requests attempted to access a “;.wadl” suffixed version of the endpoint. Different IP addresses were used, though all traffic shared the same user agent, indicating that one attacker toolkit or operator was likely behind the activity. The captured requests had identical payload sizes of 556 bytes, though the bodies themselves were not retrieved.
This activity suggests that attackers exploited the flaw as a zero-day, meaning exploitation began before Oracle released the official fix. The IP addresses associated with the observed attacks included 89.238.132[.]76, 185.245.82[.]81 and 138.199.29[.]153.
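Defenders who want to look back through their own access logs for this activity can start from the indicators given above. The following added Python example (not from the original report, SANS, or Oracle) parses a constructed nginx-style log with the request length appended as a final field, flags POSTs to the groovyscriptstatus endpoint that carry a ";.wadl" or "?WSDL" suffix, matches the three published source addresses and the 556-byte request size, and clusters hits by user agent the way the honeypot analysis did. The log lines, the log format, the severity scheme and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Indicators taken from the reporting above (defanged "[.]" expanded). Assumption: they are
# useful for retrospective hunting only, since scanning infrastructure rotates.
IOC_IPS = frozenset({"89.238.132.76", "185.245.82.81", "138.199.29.153"})
GROOVY_ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
REPORTED_PAYLOAD_SIZE = 556  # identical request body size seen in the honeypot captures

# Constructed log format (not a real OIM or WebLogic access log): nginx "combined" line
# with the request length appended as a final field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) - \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" (?P<req_len>\d+)$'
)

# Constructed sample log: three scanner hits (two from published IPs), one benign health
# check, and one legitimate authenticated call to the syntax-check endpoint.
SAMPLE_LOG = """\
89.238.132.76 - - [02/Sep/2025:11:04:17 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 87 "-" "Mozilla/5.0 (constructed-scanner)" 556
185.245.82.81 - - [03/Sep/2025:02:41:09 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 87 "-" "Mozilla/5.0 (constructed-scanner)" 556
10.0.0.5 - - [03/Sep/2025:08:15:30 +0000] "GET /iam/public/health HTTP/1.1" 200 12 "-" "curl/8.5.0" 0
203.0.113.9 - - [05/Sep/2025:19:22:44 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus?WSDL HTTP/1.1" 200 87 "-" "Mozilla/5.0 (constructed-scanner)" 556
10.0.0.7 - admin [05/Sep/2025:09:00:01 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1" 200 87 "-" "Mozilla/5.0 (internal-admin-console)" 120
"""


def canonical_path(uri: str) -> str:
    """Strip the query string and any ';...' matrix suffix so endpoints compare exactly."""
    return re.sub(r";[^/]*", "", uri.split("?", 1)[0])


def bypass_markers(uri: str) -> list:
    """Return the allow-list confusion suffixes present on the request, if any."""
    path, _, query = uri.partition("?")
    last = path.rsplit("/", 1)[-1]
    markers = []
    if query.upper() == "WSDL":
        markers.append("?WSDL")
    if ";" in last:
        markers.append(";" + last.split(";", 1)[1])
    return markers


def classify(rec: dict) -> tuple:
    """Severity and reasons for one parsed record (scheme is an assumption of this example)."""
    uri = rec["uri"]
    on_groovy = canonical_path(uri) == GROOVY_ENDPOINT
    markers = bypass_markers(uri)
    reasons = []
    if on_groovy and rec["method"] == "POST":
        reasons.append("post_to_groovy_syntax_endpoint")
    if markers:
        reasons.append("allowlist_bypass_suffix:" + ",".join(markers))
    if rec["src"] in IOC_IPS:
        reasons.append("reported_ioc_ip")
    if int(rec["req_len"]) == REPORTED_PAYLOAD_SIZE:
        reasons.append("reported_payload_size")
    if on_groovy and markers:
        severity = "high"        # the exact pre-auth pattern from the report
    elif on_groovy or markers or rec["src"] in IOC_IPS:
        severity = "medium"      # worth a look, but legitimate use is possible
    else:
        severity = "info"
    return severity, reasons


def analyze(log_text: str) -> dict:
    """Parse the log, emit alerts, and cluster alerting sources by user agent."""
    alerts = []
    ua_sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped here; count them in production
        rec = m.groupdict()
        severity, reasons = classify(rec)
        if severity != "info":
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "severity": severity, "reasons": reasons})
            ua_sources[rec["ua"]].add(rec["src"])
    # one user agent seen from several sources is the tooling signature the honeypot analysis noted
    clusters = {ua: sorted(ips) for ua, ips in ua_sources.items() if len(ips) >= 2}
    return {"alerts": alerts, "ua_clusters": clusters}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for a in report["alerts"]:
        print(f'{a["severity"]:6} {a["src"]:15} {a["ts"]}  {", ".join(a["reasons"])}')
    for ua, ips in report["ua_clusters"].items():
        print(f"user agent {ua!r} seen from {len(ips)} sources: {', '.join(ips)}")
```

The suffix check is the durable part of this rule: the published addresses will go stale, but a POST to a syntax-check endpoint with a path or query decoration that exists only to confuse an allow-list has no legitimate reason to appear in a log.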
Because exploitation is ongoing, Federal Civilian Executive Branch agencies must apply patches by December 12, 2025. The urgency is tied to the risk that attackers can compromise identity workflows and gain deep access into core operational systems, making rapid patch deployment essential.
Expanded Analysis of the Original Findings
Rising Concern Over Active Exploitation
Recent cybersecurity alerts have drawn attention to a severe vulnerability affecting Oracle Identity Manager, a widely adopted enterprise identity system. CISA officially added the flaw to its Known Exploited Vulnerabilities catalog, confirming that attackers are already taking advantage of it. This escalation indicates the threat is not theoretical but actively unfolding across targeted systems.
Identification of CVE-2025-61757
The flaw, labeled CVE-2025-61757, reflects a near-maximum severity with a CVSS score of 9.8. The vulnerability arises from missing authentication on essential functions, creating a pathway for remote attackers to access sensitive components without logging in. Oracle addressed this vulnerability in its standard quarterly patch rollout.
Impact on Key Oracle Versions
Only certain versions of Oracle Identity Manager are affected, specifically 12.2.1.4.0 and 14.1.2.1.0. Organizations using these versions are at heightened risk due to the absence of authentication controls on vulnerable endpoints.
What CISA Highlighted
According to CISA, Oracle Fusion Middleware contains a critical authentication gap that allows outsiders to seize control of Identity Manager. In practical terms, this means attackers could break into centralized identity management systems, posing a substantial organizational security threat.
Insight From Searchlight Cyber
Researchers from Searchlight Cyber discovered the flaw and provided crucial details about how it is exploited. They stated that the weakness grants attackers access to API endpoints normally off-limits, enabling them to manipulate authentication flows. Once inside, adversaries could escalate their privileges or move deeper through internal systems.
Root Cause of the Vulnerability
The primary cause lies in an inadequate security filter that validates allowed routes using regular expressions or basic string checks. This structure is highly vulnerable to deception. Attackers can append parameters such as “?WSDL” or “;.wadl” to trick the security filter into treating protected routes as if they were public.
How Attackers Achieve Code Execution
After bypassing authentication, adversaries can exploit an endpoint meant to validate Groovy script syntax. The endpoint was not designed to execute code, yet Searchlight Cyber discovered that a Groovy annotation executes during compile time. With a carefully crafted HTTP POST, attackers can cause the system to run payloads remotely.
Evidence of Real-World Attacks
Reports from honeypot systems revealed attempts to target the vulnerable endpoint long before patches were available. Logging from late August through early September 2025 showed multiple POST requests using the same user agent but different IP addresses, suggesting a coordinated effort or a single scanning tool.
Indications of Zero-Day Abuse
The sightings imply that attackers exploited the flaw weeks before Oracle issued a patch, making it a classic zero-day scenario. The repeated 556-byte payload size suggests consistent malicious automation.
Mandated Patch Deadlines
Because attackers continue targeting the vulnerability, CISA has mandated that certain government agencies patch affected systems by December 12, 2025. This underscores the severity and urgency of the threat.
What Undercode Says
Understanding the Strategic Importance of Identity Management
Identity systems are among the most sensitive components in enterprise infrastructure. Attackers who breach these systems often gain complete control over critical authentication pathways. In this case, Oracle Identity Manager sits at the heart of many large organizations’ access workflows. A flaw that grants pre-authentication access is therefore an especially powerful weapon for adversaries.
Why This Flaw Is So Dangerous
Missing authentication on high-value endpoints fundamentally breaks trust boundaries. Attackers skip the most critical barrier that separates external users from privileged internal functionality. When this is combined with remote code execution, the result is a complete system compromise that can be escalated across an entire network.
The Filter Bypass Problem Is a Warning Sign
The bypass mechanism highlights a recurring challenge in enterprise software: relying on allow-list filters built from simplistic logic. Regular expression-based security filters are notoriously fragile. Small routing quirks can cause massive exposure, as seen here where “?WSDL” or “;.wadl” fragments tricked the system into treating protected paths as public.
Groovy Annotation Execution Shows Creative Attack Techniques
The ability to execute code through Groovy annotations during compile time is an example of advanced exploitation. Attackers are no longer relying on classic execution paths but are instead abusing programming language features that were never intended to run in production. This showcases a growing trend of attackers turning development features into attack vectors.
Zero-Day Implications for Supply Chain Security
The evidence that attackers exploited this issue before the patch release indicates a troubling reality. Zero-day exploitation of core enterprise software is expanding. This raises questions about whether attackers uncovered the flaw independently or whether insider knowledge played a role. Either possibility demands stronger development safeguards.
Identity Systems as a Prime Espionage Target
Because Oracle Identity Manager is widely used in large organizations and government agencies, it is a prime target for espionage operations. Gaining control of identity flows allows attackers to impersonate legitimate users, extract data and plant long-term persistence mechanisms. This vulnerability grants exactly that kind of leverage.
Mandated Federal Patching Reflects Systemic Risk
CISA’s requirement for Federal Civilian Executive Branch agencies to patch by December 12 shows how significant the risk is. When an identity management system is compromised, attackers can pivot into sensitive networks. The federal mandate reflects the potential national impact of delayed patching.
The Consistent Payload Size Suggests Automated Exploitation
The honeypot logs revealing repeated 556-byte payloads across different IP addresses indicate automation. This is typical of mass exploitation tools used by cybercriminals. Such tools are often sold or shared across dark web communities, potentially expanding the number of attackers using the exploit.
Endpoint-Level Misconfigurations Signal Broader Architectural Weakness
When a system’s protection relies heavily on route filters rather than robust authentication enforcement, architectural flaws become visible. This case shows that the underlying security model may be too dependent on perimeter checks. True security requires deeper validation layers inside application logic.
Organizations Should Expect Secondary Attacks After Compromise
Given the level of access attackers can achieve through this flaw, organizations should expect follow-on attacks. These may include privilege escalation, lateral movement, data theft and deployment of persistent malware. The vulnerability opens doors to long-term occupation of networks by sophisticated adversaries.
Fact Checker Results
CVE-2025-61757 is officially listed in CISA’s Known Exploited Vulnerabilities catalog. ✅
Evidence of real-world exploit attempts was detected through honeypots observing POST requests to the vulnerable endpoint. ✅
The flaw allows pre-authentication code execution, but execution only occurs due to compile-time Groovy annotation abuse rather than traditional runtime execution. ⚠️
Prediction
Attackers will increase automated scans targeting unpatched Oracle Identity Manager environments. 🔍
Organizations that delay patching may experience deeper breaches exploiting identity pathways. 🔐
More research will likely uncover similar allow-list bypass issues across other enterprise middleware platforms. 📈
References:
Reported By: thehackernews.com