Technical Report: CISA Adds Critical Oracle Fusion Middleware Remote Code Execution Flaw to KEV Catalog


Global Security Warning

The latest addition to CISA’s Known Exploited Vulnerabilities catalog has triggered a wave of concern across federal networks and the private sector. The flaw sits deep inside Oracle Fusion Middleware, and with a near-perfect CVSS score of 9.8, it represents one of the most dangerous risks currently unfolding in enterprise environments. Although the vulnerability exists within a familiar product, the circumstances around its exploitation, discovery, and early attack activity paint a far more alarming picture than a routine advisory.

A Growing Threat Landscape

Researchers have warned that this vulnerability has been quietly targeted for weeks, possibly exploited in the wild before Oracle publicly acknowledged or patched it. The weakness lies in the Identity Manager component, a core engine in many authentication and provisioning workflows. When this layer collapses, the rest of the system follows.


Critical Vulnerability Added to KEV

CISA has officially listed a severe Oracle Fusion Middleware flaw, identified as CVE-2025-61757, within its Known Exploited Vulnerabilities catalog, citing its confirmed exploitation in the wild.

Missing Authentication Leads to Full Takeover

The flaw, classed as a missing authentication check on a critical function, enables remote code execution before any login step. An unauthenticated attacker with network access over HTTP can trigger full system compromise, including total control over Oracle Identity Manager.

Impacted Versions Identified

Versions 12.2.1.4.0 and 14.1.2.1.0 are vulnerable. Oracle released fixes as part of its October 2025 Critical Patch Update.

Researchers Who Found the Flaw

Security analysts Adam Kues and Shubham Shah of Assetnote discovered and reported the vulnerability to Oracle.

Oracle Advisory Confirms Severe Impact

The official advisory rates the bug as easily exploitable, stressing that no authentication is required and that successful exploitation grants complete takeover of the Identity Manager instance.

Evidence of Pre-Patch Attacks

SANS ISC researcher Johannes B. Ullrich revealed that honeypot logs showed repeated exploitation attempts between August 30 and September 9, 2025. These logs indicate consistent HTTP POST requests targeting the known vulnerable endpoint.

Indicators of a Single Threat Actor

Although the attempts originated from different IP addresses, the uniform user agent string suggests one coordinated attacker. The request bodies were consistently small, around 556 bytes, the signature of a prebuilt exploit replayed by a script rather than hand-crafted probing, and therefore of a working zero-day already in circulation before public disclosure.
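The pattern Ullrich describes, one user agent reused across several source addresses with near-identical POST bodies, is easy to pull out of ordinary access logs. The script below is an added example, not code from the article or from SANS ISC. It assumes Apache "combined" log lines with a trailing %{Content-Length}i field so the request body size is recorded (a stock combined log only records the response size), it treats /iam/ as the Oracle Identity Manager REST prefix (an assumption), and the request path and all log lines are constructed placeholders, since the article does not name the exploited endpoint.

```python
"""Cluster POST requests by User-Agent to surface a single automated actor
rotating through multiple source IPs with a fixed-size exploit payload."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined format plus a trailing "%{Content-Length}i" field
# (assumption: the honeypot or reverse proxy logs the request body length).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<clen>[^"]*)"$'
)

# Constructed sample log (not real honeypot data). Addresses are from
# documentation ranges and the path is a placeholder for the real endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Aug/2025:11:02:17 +0000] "POST /iam/governance/placeholder/endpoint HTTP/1.1" 401 47 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 ExampleClient/2.1" "556"
198.51.100.22 - - [30/Aug/2025:11:02:19 +0000] "GET /iam/governance/placeholder/endpoint HTTP/1.1" 401 47 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 ExampleClient/2.1" "-"
198.51.100.22 - - [31/Aug/2025:03:15:40 +0000] "POST /iam/governance/placeholder/endpoint HTTP/1.1" 401 47 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 ExampleClient/2.1" "556"
192.0.2.77 - - [02/Sep/2025:18:44:03 +0000] "POST /iam/governance/placeholder/endpoint HTTP/1.1" 401 47 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 ExampleClient/2.1" "558"
203.0.113.91 - - [06/Sep/2025:09:21:55 +0000] "POST /iam/governance/placeholder/endpoint HTTP/1.1" 401 47 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 ExampleClient/2.1" "556"
192.0.2.77 - - [09/Sep/2025:22:07:12 +0000] "POST /iam/governance/placeholder/endpoint HTTP/1.1" 401 47 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 ExampleClient/2.1" "555"
10.0.0.5 - - [01/Sep/2025:08:00:00 +0000] "POST /iam/governance/placeholder/endpoint HTTP/1.1" 200 1280 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0" "2048"
10.0.0.6 - - [01/Sep/2025:08:05:10 +0000] "POST /iam/governance/placeholder/endpoint HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0" "9731"
203.0.113.10 - - [01/Sep/2025:08:10:00 +0000] "POST /other/app/login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) rv:109.0 ExampleClient/2.1" "556"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse.
    The request body length becomes an int, or None when it was not logged."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["clen"] = int(rec["clen"]) if rec["clen"].isdigit() else None
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_uniform_campaigns(lines, path_prefix="/iam/", min_ips=3, max_spread=16):
    """Group POSTs under path_prefix by User-Agent and return the groups that
    span at least min_ips distinct sources while their body sizes differ by no
    more than max_spread bytes: one scripted exploit behind rotating IPs."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["clen"] is None:
            continue
        if not rec["path"].startswith(path_prefix):
            continue
        groups[rec["ua"]].append(rec)

    findings = []
    for ua, recs in groups.items():
        recs.sort(key=lambda r: r["when"])  # do not assume the log is ordered
        ips = sorted({r["ip"] for r in recs})
        sizes = [r["clen"] for r in recs]
        if len(ips) >= min_ips and max(sizes) - min(sizes) <= max_spread:
            findings.append({
                "user_agent": ua,
                "source_ips": ips,
                "requests": len(recs),
                "body_bytes": (min(sizes), max(sizes)),
                "first_seen": recs[0]["ts"],
                "last_seen": recs[-1]["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in find_uniform_campaigns(SAMPLE_LOG.splitlines()):
        print(f"{f['requests']} POSTs from {len(f['source_ips'])} IPs, "
              f"{f['body_bytes'][0]}-{f['body_bytes'][1]} bytes, "
              f"{f['first_seen']} .. {f['last_seen']}: {f['user_agent']}")
```

The interactive browser traffic in the sample is excluded twice over: only two addresses share that user agent, and their body sizes vary by thousands of bytes. Tune min_ips and max_spread to your own baseline before running this against production logs, and remember that a 401 on every attempt is exactly what an unauthenticated exploit looks like before the patch lands, so do not filter on status code.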

Zero-Day Exploitation Confirmed

These early attempts underscore that attackers weaponized the flaw weeks before Oracle’s patch release, strengthening CISA’s decision to add it to the KEV list.

Federal Agencies Under Directive

Under BOD 22-01, all federal civilian agencies must patch this vulnerability before the deadline to prevent further compromise.

Private Sector Also Urged to Act

Experts advise private organizations to inspect their systems, confirm whether the vulnerable versions are exposed, and immediately apply the available Oracle updates.

Compliance Deadline Announced

CISA has mandated that all federal organizations address this issue by December 12, 2025.

What Undercode Says:

Deep Impact on Identity Control Systems

A flaw that strikes at the heart of Identity Manager is inherently destabilizing. Authentication workflows define the borders of modern networks, so when attackers bypass this threshold entirely, the security model collapses. CVE-2025-61757 represents precisely that scenario, a forced entry into the digital identity vault.

Strategic Appeal for Threat Actors

Identity systems hold the keys to user provisioning, administrative privileges, and system policy governance. A remote code execution vector inside this stack offers unmatched control, making the flaw highly attractive to sophisticated attackers, including those building initial footholds for larger intrusion campaigns.

Zero-Day Activity Raises Red Flags

The discovery that exploitation began weeks before patches were released suggests active monitoring of Oracle environments by threat groups. Attackers often maintain repositories of quietly exploited zero-days, deploying them selectively to avoid detection. The uniform payload characteristics identified in honeypots indicate a prebuilt automation tool or script.

Indicators of Coordinated Operations

Multiple IPs, identical user agents, and repeat targeting patterns point to a single orchestrated actor, possibly employing rotating exit nodes or compromised machines. The behavior aligns with attackers aiming to test or validate an exploit before wider deployment.

Enterprise Exposure Is Higher Than Expected

Oracle Identity Manager remains deeply embedded in enterprise authentication frameworks, especially in legacy but mission-critical infrastructures. Many organizations update these systems slowly because of operational complexity, so the attack surface is larger, and stays exposed for longer, than it would be on a more modern platform.

Patch Deployment Challenges

Critical Patch Updates from Oracle often require extended maintenance windows, testing phases, and dependency verification. When federal directives mandate rapid patching, organizations face logistical strain. Attackers understand this delay and weaponize vulnerabilities like CVE-2025-61757 precisely during these windows of instability.

Implications for Supply Chain Trust

Large platforms such as Fusion Middleware underpin entire ecosystems of third-party tools. A breach here breaks more than a single system. It threatens every application integrated with the identity framework, multiplying the scope of compromise far beyond the initial exploit.

The Honeypot Findings Are a Warning Signal

Ullrich’s analysis reveals deliberate reconnaissance rather than random scanning. These probes indicate an informed attacker leveraging intelligence about Oracle’s internal mechanisms, possibly signaling forthcoming campaigns targeting government or corporate authentication layers.

KEV Inclusion Reflects Critical Risk

CISA’s decision to elevate the vulnerability to KEV status confirms a likelihood of continued or escalated exploitation. KEV additions are not routine; they reflect real-world attacks, not theoretical risk. This strengthens the urgency for immediate system audits across sectors.

Long-Term Defensive Adjustments Needed

Organizations dependent on Oracle identity products must reconsider their update strategies. Delayed critical updates create predictable windows of vulnerability, and attackers have shown increasing precision in exploiting them. Improving patch cycles and strengthening segmentation around identity services is essential.

🔍 Fact Checker Results

✅ The vulnerability exists in Oracle Fusion Middleware Identity Manager.

✅ Exploitation attempts were observed in honeypot data before the official patch release.

❌ Claims of multiple independent attackers are unsupported; the uniform user agent across different source IPs points to a single coordinated actor.

📊 Prediction

Threat activity targeting this vulnerability will increase significantly as exploit code spreads across attacker communities. Enterprises that delay patching will likely see a surge in automated scans and opportunistic intrusions. Monitoring identity systems and applying segmentation controls will become essential defense strategies.


References:

Reported By: securityaffairs.com