Oracle Identity Manager Hack Warning: CISA Sounds Alarm Over Actively Exploited RCE Vulnerability

Introduction

A critical storm is forming around Oracle Identity Manager, one of the most widely used identity governance platforms inside government and enterprise networks. The U.S. Cybersecurity and Infrastructure Security Agency has issued an urgent warning after confirming that attackers have been actively exploiting a newly disclosed remote-code-execution flaw. Evidence suggests threat actors may have been abusing this weakness long before Oracle shipped a patch, raising concerns that federal systems may already have been probed or compromised. This article breaks down what happened, why it matters, and what the cybersecurity community must prepare for in the coming weeks.

Summary of the Original

A Vulnerability Unearthed in a Core Identity Platform

The U.S. Cybersecurity and Infrastructure Security Agency has issued a public alert urging federal agencies to patch an Oracle Identity Manager vulnerability tracked as CVE-2025-61757. This flaw, already weaponized in attacks, appears to have been exploited even before Oracle published its October 2025 security updates.

A Pre-Authentication Remote Code Execution Risk

CVE-2025-61757 is a pre-authentication remote code execution vulnerability that bypasses the authentication filter in front of Oracle Identity Manager’s REST API. Researchers from Searchlight Cyber found that appending a descriptor-style suffix to a protected URL, either a ?WSDL query string or a ;.wadl path suffix, is enough to change how the filter classifies the request.

How Attackers Slip Past Authentication Barriers

The suffix causes the security filter to treat a protected endpoint as publicly accessible, while the application still routes the request to the real resource behind it. Once past the filter, an attacker can reach an endpoint that compiles Groovy scripts. Compiling a script is not supposed to execute it, but the researchers showed that Groovy’s compile-time annotation processing can be abused to run attacker-supplied code during compilation itself.

A Simple Chain Leading to Full Remote Code Execution

What makes the flaw alarming is not just the severity but the simplicity of exploitation. The attack chain requires no authentication, and once exploited, it grants attackers full command execution on vulnerable Oracle Identity Manager instances. Searchlight Cyber described the attack as “somewhat trivial” compared to prior Oracle vulnerabilities, raising concerns about rapid weaponization.
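To make the bug class concrete, here is an added example written for this page (not Oracle’s code and not Searchlight Cyber’s exploit): a simplified access filter that allowlists service-descriptor URLs but tests the raw request URI, beside a hardened version that normalises the path before deciding. The two request URIs are the ones quoted from the SANS log analysis later in this article; the filter logic, the PROTECTED_PREFIXES list and the notion that OIM’s real filter behaves this way are assumptions made only to illustrate the pattern.

```python
"""Added example: URL-suffix confusion between an access filter and the router.

Not Oracle's code. The protected prefix and the request URIs come from the
article; the filter logic itself is an assumption used to illustrate the
bug class, not a description of OIM's real filter.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption: everything at or below these prefixes requires a logged-in user.
PROTECTED_PREFIXES = ("/iam/governance/applicationmanagement",)


def _looks_like_descriptor(raw_uri: str) -> bool:
    """Vulnerable rule: 'this is a request for a public WSDL/WADL document',
    decided on the raw URI, so any protected path can be dressed up as one."""
    return raw_uri.upper().endswith("?WSDL") or raw_uri.lower().endswith(".wadl")


def naive_filter(raw_uri: str, authenticated: bool) -> str:
    """Vulnerable: the descriptor check runs on the raw URI, but the router
    will still dispatch the request to the protected resource."""
    if authenticated or _looks_like_descriptor(raw_uri):
        return "allow"
    return "deny"


def normalize_path(raw_uri: str) -> str:
    """Reduce a request URI to the path the router will actually resolve:
    percent-decode, drop the query string, strip matrix parameters
    (';key=value' or ';.wadl') from every segment, collapse '.' and '..'."""
    path = urlsplit(unquote(raw_uri)).path
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/".join(segments)) or "/"


def _is_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def hardened_filter(raw_uri: str, authenticated: bool) -> str:
    """Hardened: authorize on the normalized path, default-deny under
    protected prefixes, and never let a suffix change the decision."""
    if authenticated:
        return "allow"
    if _is_protected(normalize_path(raw_uri)):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Request URIs observed in the wild, per the SANS analysis quoted in the article.
    for uri in (
        "/iam/governance/applicationmanagement/templates;.wadl",
        "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl",
        "/iam/governance/applicationmanagement/templates?WSDL",
    ):
        print(f"{uri}\n  naive={naive_filter(uri, False)}  hardened={hardened_filter(uri, False)}")
```

The general lesson is that authorization must be decided on the same canonical path the router resolves; any check that looks at the raw URI, the query string, or a trailing suffix can be steered by whoever controls the URL.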

A Patch Released But Attacks Already Underway

Oracle fixed the flaw on October 21, 2025, but technical analysis from Searchlight Cyber was published shortly afterward and contained everything required to reproduce the exploit. Within hours, security analysts began observing scanning and exploitation attempts across the internet.

CISA Adds CVE-2025-61757 to the KEV Catalog

Because the vulnerability is being exploited in the wild, CISA added it to the Known Exploited Vulnerabilities catalog. Under Binding Operational Directive 22-01, all Federal Civilian Executive Branch agencies must apply the fix by December 12, 2025. CISA’s standard note on KEV additions applies here: vulnerabilities of this kind are among the most common initial access vectors used against federal systems.

Evidence of a Possible Zero-Day Window

SANS Institute’s Dean of Research, Johannes Ullrich, analyzed server logs showing that exploit-related URLs had been accessed multiple times between August 30 and September 9, well before Oracle patched the issue. Multiple IP addresses were involved, all using the same Chrome 60 user-agent string, suggesting the activity came from a single coordinated attacker or campaign.

The Specific Endpoints Targeted by Threat Actors

Attackers issued HTTP POST requests to specific OIM endpoints including:

/iam/governance/applicationmanagement/templates;.wadl

/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl

These endpoints match the exploit path detailed in Searchlight Cyber’s public disclosure. Ullrich noted that at least three IP addresses were involved: 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153.
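The paths, IP addresses and user agent above are enough to go hunting in your own logs. The following is an added example, not part of the original report: a small script that parses access-log lines, flags requests carrying the ;.wadl or ?WSDL suffix on the protected OIM prefix, and annotates each hit with whether it came from one of the published IPs or used a Chrome 60 user agent. The log lines are constructed for the example, the Chrome 60 string is representative rather than the exact one logged, and the NCSA combined log format is an assumption about how the OIM front end records requests.

```python
"""Added example: hunting for CVE-2025-61757 probes in access logs.

Not from the original report. The indicators (paths, IPs, Chrome 60 user
agent) are the ones quoted in the article; the sample log lines are
constructed for this example, and the NCSA combined log format is an
assumption about how the OIM front end logs requests.
"""
import re
from urllib.parse import urlsplit

# Published indicators from the SANS log analysis (defanged in the article text).
KNOWN_IPS = {"89.238.132.76", "185.245.82.81", "138.199.29.153"}
PROTECTED_PREFIX = "/iam/governance/applicationmanagement/"
CHROME60_RE = re.compile(r"\bChrome/60\.")

# NCSA combined format: ip ident user [ts] "method uri proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; the Chrome 60 UA string is representative, not the exact one logged.
SAMPLE_LOG = """
89.238.132.76 - - [30/Aug/2025:10:12:01 +0000] "POST /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
10.0.0.5 - - [30/Aug/2025:10:13:44 +0000] "GET /iam/governance/applicationmanagement/templates HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/118.0.0.0 Safari/537.36"
185.245.82.81 - - [09/Sep/2025:03:01:15 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
203.0.113.7 - - [22/Oct/2025:18:40:09 +0000] "GET /identity/faces/signin HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) Chrome/118.0.0.0 Safari/537.36"
198.51.100.23 - - [23/Oct/2025:07:22:51 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus?WSDL HTTP/1.1" 200 88 "-" "python-requests/2.31.0"
""".strip().splitlines()


def is_exploit_uri(uri: str) -> bool:
    """True when a protected OIM path carries the ;.wadl or ?WSDL suffix."""
    parts = urlsplit(uri)
    path = parts.path.lower()
    if not path.startswith(PROTECTED_PREFIX):
        return False
    return ";.wadl" in path or parts.query.upper() == "WSDL"


def hunt(lines):
    """Return one finding per matching request, with the reasons it matched."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_exploit_uri(m["uri"]):
            continue
        reasons = ["descriptor suffix on protected OIM path"]
        if m["method"] == "POST":
            reasons.append("POST, as in the observed exploitation")
        if m["status"] == "200":
            reasons.append("200 response: the filter let the request through")
        if m["ip"] in KNOWN_IPS:
            reasons.append("source IP in the published indicator list")
        if CHROME60_RE.search(m["ua"]):
            reasons.append("Chrome 60 user agent seen in the campaign")
        findings.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"],
                         "status": m["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['uri']}")
        for r in f["reasons"]:
            print("   -", r)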

Ongoing Questions and Expected Updates

Oracle has not yet confirmed whether it has observed active exploitation in customer environments. Security researchers expect that multiple threat groups may now be testing or weaponizing the flaw given its simplicity and publicly available exploitation details.

What Undercode Says:

A Critical Identity Layer Under Siege

Identity infrastructure remains one of the most sensitive layers in modern enterprise architecture. When attackers bypass authentication checks in a platform like Oracle Identity Manager, they don’t just breach a single application. They potentially gain a gateway into identity workflows, credential provisioning, access management, and downstream systems that rely on OIM for trust decisions.

The Danger of Pre-Authentication Exploits

The absence of any authentication requirement is what elevates the risk. A pre-auth RCE needs no credentials, and because no login ever takes place, it produces none of the failed or successful authentication events that identity teams usually monitor. The only trace of the initial compromise is in the web server or reverse proxy access logs, which many organizations retain only briefly and rarely review.

Why The URL Parameter Trick Matters

The

Groovy Script Compilation: A Hidden Weak Spot

The Groovy script compilation endpoint is a little-known part of Oracle Identity Manager. Its purpose is to compile and validate a script, not to run it, but Groovy allows annotations to execute code at compile time, so the distinction between “compile” and “execute” does not hold once untrusted input reaches the compiler. Indirect execution paths of this kind, where a validation or preview step runs a full language toolchain on user input, remain an overlooked risk in enterprise platforms.

A Zero-Day Timeline Suggests Reconnaissance

If attackers were already hitting the exploit path at the end of August, as the logs suggest, CVE-2025-61757 was a zero-day for roughly seven weeks before Oracle’s October 21 patch. That raises questions: Did the attackers discover it independently? Were they probing multiple Oracle environments globally? Did they exfiltrate any identity data? These questions matter because identity compromises often remain invisible until long after the damage is done.

Shared User-Agent, Multiple IPs: A Coordinated Actor

All observed scanning came from the same outdated Chrome 60 user-agent string. A hardcoded, years-old user agent is typical of a single scanning script or framework rather than of real browsers, and three IPs behaving identically suggests one tool or operator behind the activity. It is also a useful fingerprint: a Chrome 60 user agent hitting OIM REST paths in 2025 is unusual enough to be worth an alert on its own.

CISA’s Directive Signals High Threat Level

When CISA adds a vulnerability to the KEV catalog, it is telling federal agencies that the flaw is being exploited in the wild and that their systems may already be under attack. KEV entries carry a fixed remediation deadline under BOD 22-01, here December 12, and are treated as high-priority precisely because the catalog only admits vulnerabilities with evidence of active exploitation.

Public Exploit Release Accelerates the Threat Curve

Searchlight Cyber’s report provides complete exploit details. That transparency benefits defenders, but it also accelerates attacker adoption: exploitation attempts reliably spike within days of a public write-up, and CVE-2025-61757 is following the same trajectory.

Identity Platform Attacks Are Part of a Larger Trend

In recent years, attackers have increasingly pivoted toward identity layer vulnerabilities. Misconfigurations and outdated identity management systems have played key roles in several major breaches. With identity becoming the security perimeter in cloud environments, flaws like CVE-2025-61757 are uniquely dangerous.

The Federal Impact Could Be Significant

Oracle Identity Manager is deeply embedded in government systems. Even limited exploitation could reveal identity attributes, workflow automation data, or internal access structures. The long-term impact extends beyond initial code execution. Attackers could plant backdoors, manipulate identity records, or pivot deeper into high-value networks.

A Simple Fix But Harder Questions Ahead

Patching is straightforward, but a patch only closes the door; it does not evict anyone who already came through it. The harder questions remain: how many systems were scanned, how many were compromised, and how many organizations have the access-log retention needed to confirm or rule out compromise back to late August? Those answers will unfold over months, not days.

🔍 Fact Checker Results

✅ Oracle released a patch for CVE-2025-61757 on October 21, 2025.

❌ No official confirmation yet from Oracle regarding observed exploitation in customer environments.

✅ SANS ISC log analysis shows requests to the exploit paths weeks before the October patch; it is the only independent evidence of pre-patch activity cited here.

📊 Prediction

Threat actors will intensify scanning and exploitation attempts over the next several weeks.
Identity-focused attacks will rise as more groups recognize the ease of exploiting Oracle Identity Manager.
Government agencies and large enterprises will likely release forensic advisories as investigations reveal whether identity data was accessed or modified.


References:

Reported By: www.bleepingcomputer.com