The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a case of missing authentication for a critical function that can result in pre-authenticated remote code execution. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. It was addressed by Oracle as part of its quarterly updates released last month.
"Oracle Fusion Middleware contains a missing authentication for a critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager," CISA said.
Searchlight Cyber researchers Adam Kues and Shubham Shah, who discovered the flaw, said it can permit an attacker to access API endpoints that, in turn, can allow them "to manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems."
Specifically, it stems from a bypass of a security filter that tricks protected endpoints into being treated as publicly accessible by simply adding "?WSDL" or ";.wadl" to any URI. This, in turn, is the result of a faulty allow-list mechanism based on regular expressions or string matching against the request URI.
"This system is very error-prone, and there are typically ways to trick these filters into thinking we're accessing an unauthenticated route when we're not," the researchers noted.
The authentication bypass can then be paired with a request to the "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus" endpoint to achieve remote code execution by sending a specially crafted HTTP POST. Even though the endpoint is only meant for checking the syntax of Groovy code and not executing it, Searchlight Cyber said it was able to "write a Groovy annotation that executes at compile time, even though the compiled code is not actually run."
The addition of CVE-2025-61757 to the KEV catalog comes days after Johannes B. Ullrich, the dean of research at the SANS Technology Institute, said an analysis of honeypot logs revealed several attempts to access the URL "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl" via HTTP POST requests between August 30 and September 9, 2025.
"There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker," Ullrich said. "Sadly, we did not capture the bodies for these requests, but they were all POST requests. The content-length header indicated a 556-byte payload."
This indicates that the vulnerability may have been exploited as a zero-day vulnerability, well before a patch was shipped by Oracle. The IP addresses from which the attempts originated are listed below -
- 89.238.132[.]76
- 185.245.82[.]81
- 138.199.29[.]153
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by December 12, 2025, to secure their networks.
