The Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch a critical vulnerability in Oracle Identity Manager without delay, following reports of active exploitation.
The flaw, tracked as CVE-2025-61757, allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems, posing a significant risk to corporate and government networks.
The alert follows a major breach earlier this year of Oracle Cloud's own login service, in which more than six million records were exposed.
Security researchers at Searchlight Cyber found the vulnerability while examining the attack surface of Oracle Cloud's login servers. Their analysis showed that the same software stack breached in January, specifically the Oracle Identity Governance Suite, contained a critical pre-authentication Remote Code Execution (RCE) vulnerability.
The finding exposed a critical oversight in the application's handling of its authentication filter, leaving hundreds of tenants open to full compromise without any valid credentials.
The flaw lies in the application's SecurityFilter, declared in its web.xml configuration. The filter is meant to enforce authentication checks but relied on a flawed regular-expression whitelist.
The developers wanted Web Application Description Language (WADL) files to be reachable without authentication, but the implementation overlooked how the Java servlet stack interprets request Uniform Resource Identifiers (URIs): the filter matched its whitelist against the raw URI string, while the REST layer that dispatches the request ignores matrix parameters, the ;name=value fragments that can follow any path segment.
This lets attackers bypass authentication entirely by appending a matrix parameter to the URL. The researchers showed that appending ;.wadl to a request URI makes the filter treat the request as a harmless WADL fetch, while the underlying Java servlet strips the matrix parameter and dispatches the request as a normal API call.
That inconsistency gives an attacker unauthenticated access to protected REST endpoints, such as those under /iam/governance/applicationmanagement.
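To make the filter/router mismatch concrete, here is an added Groovy example (not Oracle's code; the exemption regex, the resource paths and the access-log lines are constructed for illustration). It applies the same ".wadl" suffix rule first to the raw request URI, the way the flawed filter does, and then to the path with matrix parameters stripped, the way the REST router sees it, and uses the disagreement between the two as a detection rule over sample access-log entries.

```groovy
// Added example, not Oracle's code: how a suffix whitelist evaluated on the raw
// request URI disagrees with REST routing once matrix parameters are involved.
// Run with: groovy filter_mismatch.groovy
import groovy.transform.Field
import java.util.regex.Pattern

// Hypothetical stand-in for the SecurityFilter's exemption rule: "ends in .wadl".
@Field final Pattern WADL_EXEMPT = ~/.*\.wadl$/

// Vulnerable check: matches against the raw request URI, matrix parameters and all.
boolean isExemptVulnerable(String uri) {
    WADL_EXEMPT.matcher(uri).matches()
}

// The router matches on path segments with matrix parameters (";name=value")
// removed, so "/a;.wadl/b;x=1" is dispatched as "/a/b". The query string is
// dropped first because it is not part of the path either.
String routedPath(String uri) {
    String path = uri.split(/\?/, 2)[0]
    path.split('/').collect { seg -> seg.split(';', 2)[0] }.join('/')
}

// Hardened check: evaluate the exemption on the same path the router will use.
// (An exact allowlist of the WADL resources would be tighter still.)
boolean isExemptHardened(String uri) {
    WADL_EXEMPT.matcher(routedPath(uri)).matches()
}

// Detection: a request that the suffix rule exempts but that routes somewhere
// else is exactly the bypass shape. Returns the offending URIs from log lines.
List<String> flagBypassAttempts(List<String> accessLogLines) {
    accessLogLines.findResults { line ->
        def m = line =~ /"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/
        if (!m.find()) return null
        String uri = m.group(1)
        (isExemptVulnerable(uri) && !isExemptHardened(uri)) ? uri : null
    }
}

// Constructed access-log lines (not real traffic; the API paths are assumed).
def sampleLog = [
    '10.0.0.5 - - [01/Jan/2025:00:00:01 +0000] "GET /iam/governance/applicationmanagement/application.wadl HTTP/1.1" 200 1842',
    '10.0.0.5 - - [01/Jan/2025:00:00:02 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications HTTP/1.1" 401 0',
    '198.51.100.9 - - [01/Jan/2025:00:00:03 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications;.wadl HTTP/1.1" 200 9021',
    '198.51.100.9 - - [01/Jan/2025:00:00:04 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 120',
]

sampleLog.each { line ->
    String uri = (line =~ /"\w+ (\S+) HTTP/)[0][1]
    println "${uri}\n    routed as ${routedPath(uri)}" +
            "  vulnerable-exempt=${isExemptVulnerable(uri)}  hardened-exempt=${isExemptHardened(uri)}"
}
println "flagged: ${flagBypassAttempts(sampleLog)}"
```

Only the two requests carrying ;.wadl are flagged: the suffix rule exempts them, yet after the matrix parameter is removed they route to protected API resources. The detection rule is deliberately cheap to run over web-server logs, since any request the raw-URI rule would exempt but the normalised path would not is the bypass shape, whichever endpoint sits behind it.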
With authentication bypassed, an attacker can use the groovyscriptstatus endpoint to achieve code execution. The endpoint is meant only to syntax-check Groovy scripts without running them, but to do so it compiles the submitted script.
By submitting a script annotated with @ASTTest, an attacker makes the Groovy compiler execute arbitrary code during compilation, because that annotation's closure runs inside the compiler rather than in the script itself. This turns a syntax checker into a fully functional remote shell and hands over control of the host.
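The following added Groovy example (not Oracle's code; the two checker functions are hypothetical stand-ins, and the real endpoint's implementation is not shown on this page) demonstrates why compiling alone is enough. A script annotated with @ASTTest sets a system property from inside the compiler. A checker built on GroovyShell.parse() triggers it even though the script is never run, whereas a checker that stops the compiler at the CONVERSION phase, before local AST transformations are applied, does not, while still rejecting malformed input.

```groovy
// Added example, not Oracle's code: a "check only" endpoint that compiles Groovy
// still runs code, because @ASTTest executes its closure inside the compiler.
// Run with: groovy asttest_demo.groovy
import org.codehaus.groovy.control.CompilationFailedException
import org.codehaus.groovy.control.CompilationUnit
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.Phases

// Hypothetical stand-in for a syntax checker built on GroovyShell.parse():
// parse() compiles through every phase to produce a Script object but never
// calls run(), so at first glance the submitted script cannot do anything.
boolean syntaxCheckViaParse(String source) {
    try {
        new GroovyShell().parse(source)
        return true
    } catch (CompilationFailedException ignored) {
        return false
    }
}

// Hardened stand-in: drive the compiler only through the CONVERSION phase.
// The parser and AST builder run, so syntax errors are still reported, but
// SEMANTIC_ANALYSIS, where local AST transformations such as @ASTTest are
// collected and applied, is never reached. Semantic errors (unknown classes,
// bad method calls) are therefore not reported either; that is the price of
// a syntax-only check.
boolean syntaxCheckParserOnly(String source) {
    try {
        CompilationUnit unit = new CompilationUnit(new CompilerConfiguration())
        unit.addSource('submitted.groovy', source)
        unit.compile(Phases.CONVERSION)
        return true
    } catch (CompilationFailedException ignored) {
        return false
    }
}

// Constructed probe script. Its body never runs; the closure in @ASTTest runs
// at compile time. A harmless system property stands in for a real payload.
String probe = '''
    import groovy.transform.ASTTest

    @ASTTest(value = { System.setProperty('asttest.ran', 'yes') })
    class Probe {}

    println 'script body: never executed by either checker'
'''

// Did the compile-time closure fire?
boolean payloadRan() { System.getProperty('asttest.ran') == 'yes' }

System.clearProperty('asttest.ran')
println "parse()-based check accepted: ${syntaxCheckViaParse(probe)}, payload ran: ${payloadRan()}"

System.clearProperty('asttest.ran')
println "parser-only check accepted:   ${syntaxCheckParserOnly(probe)}, payload ran: ${payloadRan()}"
println "parser-only check rejects broken syntax: ${!syntaxCheckParserOnly('class Broken {')}"
```

Running it shows the payload firing under the parse()-based checker and not under the parser-only one, which still rejects the malformed input. Stopping at CONVERSION closes the @ASTTest route specifically; other compile-time hooks exist (for instance @Grab, which resolves dependencies during compilation), so phase-limiting is a mitigation rather than a sandbox. A service that must compile untrusted Groovy should do so in a separate, low-privilege process with no network access and treat the result as untrusted output.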
The vulnerability is especially dangerous because it requires no prior access or credentials. A simple authentication bypass chained with a reliable execution primitive makes an attractive target for ransomware groups and state-sponsored actors.
Organizations running Oracle Identity Governance Suite 12c should apply the available patches immediately or, until they can, remove the affected services from direct exposure to the public internet.
| CVE ID | Affected Product | Vulnerability Type | Impact | Severity |
|---|---|---|---|---|
| CVE-2025-61757 | Oracle Identity Governance Suite 12c (12.2.1.4.0) | Pre-Authentication RCE | Remote Code Execution, Total System Compromise | Critical (9.8) |
| CVE-2021-35587 | Oracle Access Manager | Pre-Authentication RCE | Data Exfiltration, Tenant Compromise | Critical |