Critical CVE Analysis | Active Zero-Day | CISA KEV | TLP:CLEAR

CVE-2025-61757

Oracle Identity Manager Pre-Authentication Remote Code Execution

Critical pre-authentication RCE in Oracle Identity Manager (CVSS 9.8). Attackers bypass authentication by appending a descriptor-style suffix (;.wadl or ?WSDL) to a protected REST URL, then achieve code execution by submitting a Groovy script whose compile-time annotations run arbitrary code. Over 300,000 attack attempts have been recorded globally since zero-day exploitation began in late August 2025.

ACTIVE ZERO-DAY EXPLOITATION

CISA KEV deadline: December 12, 2025. Zero-day exploitation observed from August 30 - September 9, 2025, prior to patch release. Over 300,000 attack attempts across 18+ countries targeting computing, healthcare, and business sectors.

CVSS Score: 9.8 | Attack Attempts: 300K+ | Countries Targeted: 18+ | Primary Sectors: 3

Download Full Vulnerability Advisory

Complete technical analysis including IOCs, detection queries, and remediation steps for Oracle Identity Manager.

1. Executive Summary
Active Zero-Day Exploitation
CVE-2025-61757 has been actively exploited since late August 2025, weeks before Oracle released a patch. CISA added this vulnerability to the KEV catalog on November 21, 2025, with a remediation deadline of December 12, 2025.

CVE-2025-61757 is a critical pre-authentication remote code execution vulnerability in Oracle Identity Manager (OIM), part of Oracle Fusion Middleware. The flaw exists in the REST WebServices component, where attackers can bypass authentication filters by appending metadata-style suffixes (;.wadl or ?WSDL) to protected API endpoints. Once authentication is bypassed, attackers exploit a Groovy script compilation endpoint to achieve arbitrary code execution through annotation-processing abuse.

Key Facts

CVE ID: CVE-2025-61757
Vendor: Oracle (Fusion Middleware)
CVSS v3.1: 9.8 (Critical)
CWE: CWE-306: Missing Authentication for Critical Function
Attack Vector: Network (Remote, No Authentication)
Vulnerable Component: REST WebServices / Groovy Script Endpoint
Exploitation: Active zero-day since August 2025
CISA KEV: Added November 21, 2025 (Due: December 12, 2025)
Global Impact: 300,000+ attack attempts in 18+ countries
2. Threat Actor Intelligence
No Attributed Threat Actor
As of December 2025, no specific threat actor or APT group has been publicly attributed to exploitation of CVE-2025-61757. The volume of attempts and the uniformity of the observed traffic (a shared user-agent string and identical payload size) do, however, indicate automated, organized campaigns rather than opportunistic manual probing.

SANS Internet Storm Center observed exploitation attempts in honeypot systems from August 30 to September 9, 2025—occurring before Oracle released its patch—indicating zero-day awareness among threat actors.

Observed Attack Patterns

According to Imperva threat research, attacks have concentrated on organizations in the computing, healthcare, and business services sectors. The highest attack volumes were observed in the United States and France.

Attack Infrastructure Observations

Indicator | Type | Context
89.238.132.76 | IPv4 | Observed exploitation attempts
185.245.82.81 | IPv4 | Observed exploitation attempts
138.199.29.153 | IPv4 | Observed exploitation attempts
Chrome/60.0.3112.113 | User-Agent | Outdated (2017) browser; anomalous in 2025 traffic
556 bytes | Payload size | Consistent POST body size across observed exploit requests
Assessment
The same 2017-era Chrome user-agent string appearing across multiple source IPs suggests a shared exploitation tool, and the uniform 556-byte POST body indicates standardized exploit code. Both are weak indicators on their own: a user-agent string and a payload length are trivially changed, so treat them as corroboration. The bypass suffix on an OIM REST path is the durable signal, because no legitimate client sends it.
3. Affected Products

Vulnerable Versions

Product | Vulnerable Versions | Fixed Version
Oracle Identity Manager | 12.2.1.4.0 | October 2025 CPU
Oracle Identity Manager | 14.1.2.1.0 | October 2025 CPU

Enterprise Impact

Oracle Identity Manager is a core enterprise identity governance solution deployed widely across Fortune 500 companies, government agencies, and healthcare organizations. Compromise of OIM can lead to:

  • Mass creation of privileged accounts
  • Tampering with identity provisioning workflows
  • Bypass of MFA and SSO authentication mechanisms
  • Lateral movement to connected directory services (AD, LDAP)
  • Compromise of integrated SaaS platforms
4. Technical Analysis

Vulnerability Mechanism

The exploit chains two weaknesses in Oracle Identity Manager's REST API implementation:

1. Authentication Bypass

OIM's REST security filter mishandles URL paths carrying metadata-style suffixes. Appending ;.wadl or ?WSDL to a protected endpoint makes the filter classify the request as a publicly accessible WADL/WSDL descriptor request and skip authentication. The filter decides on the raw URI, while the REST layer that dispatches the request ignores the trailing matrix parameter or query string and routes it to the protected resource anyway. This is a canonicalization mismatch between the authorization check and the router, a recurring bug class in middleware.

2. Groovy Compile-Time Code Execution

Once past authentication, the attacker targets the Groovy script validation endpoint. The endpoint only compiles the submitted script and never runs it, but Groovy compilation is not a sandbox: the language ships compile-time hooks (annotation-driven AST transformations such as the built-in @groovy.transform.ASTTest, whose closure the compiler executes during compilation). A script carrying such an annotation therefore runs attacker code inside the WebLogic server process before any "no runtime execution" restriction comes into play. Accepting untrusted Groovy source for compilation is equivalent to executing it.

Exploitation Chain

1 Authentication Bypass
  • Append ;.wadl or ?WSDL to protected REST endpoint
  • Security filter misclassifies request as metadata descriptor
  • Unauthenticated access granted to protected API
2 Target Groovy Endpoint
  • POST to /iam/governance/.../groovyscriptstatus;.wadl
  • Endpoint accepts Groovy script for "validation"
  • Script is compiled server-side (not executed at runtime)
3 Annotation Abuse
  • Craft Groovy script with malicious annotation processors
  • AST transforms execute during compilation phase
  • Bypass runtime execution restrictions
4 RCE Achieved
  • Arbitrary code execution on WebLogic/OIM server
  • Create privileged accounts, install backdoors
  • Pivot to connected identity infrastructure
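The filter/router disagreement behind step 1 of the chain, as an added Python illustration. This is not code from the advisory, from Oracle, or from any exploit: naive_is_public and hardened_is_public are hypothetical models of the bug class, route_path mimics how a JAX-RS style router canonicalizes a path (query string dropped, ';matrix' parameters stripped), and the descriptor location in PUBLIC_DESCRIPTORS is invented for the demo.

```python
"""Added illustration of the auth-bypass class: a security filter that
allow-lists 'descriptor-looking' URIs while the REST router that actually
dispatches the request canonicalises the path differently. Hypothetical
model of the bug class, not Oracle's code."""
from urllib.parse import unquote, urlsplit

PROTECTED_PREFIX = "/iam/governance/"
# Hypothetical location of a genuinely public descriptor (invented for the demo).
PUBLIC_DESCRIPTORS = {"/iam/governance/application.wadl"}
GROOVY = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"


def route_path(raw_uri: str) -> str:
    """Canonical path a JAX-RS style router dispatches on: the query string is
    dropped and ';matrix=params' are stripped from every segment, so
    '/x/groovyscriptstatus;.wadl' and '/x/groovyscriptstatus' reach the
    same resource method."""
    path = unquote(urlsplit(raw_uri).path)
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def naive_is_public(raw_uri: str) -> bool:
    """Filter modelled on the flaw: classify on the RAW request URI and treat
    anything that looks like a WADL/WSDL descriptor request as unauthenticated."""
    lowered = unquote(raw_uri).lower()
    return lowered.endswith(".wadl") or "wsdl" in lowered


def hardened_is_public(raw_uri: str) -> bool:
    """Fixed filter: decide on the same canonical path the router uses and
    allow only an exact list of descriptor locations, never a suffix heuristic."""
    return route_path(raw_uri) in PUBLIC_DESCRIPTORS


def is_bypass(raw_uri: str, is_public) -> bool:
    """True when the filter would skip authentication for a request that the
    router will nevertheless deliver to a protected API resource."""
    path = route_path(raw_uri)
    hits_protected_api = path.startswith(PROTECTED_PREFIX) and path not in PUBLIC_DESCRIPTORS
    return hits_protected_api and is_public(raw_uri)


if __name__ == "__main__":
    for uri in (GROOVY + ";.wadl", GROOVY + "?WSDL", GROOVY + "%3B.wadl", GROOVY,
                "/iam/governance/application.wadl"):
        print(f"{uri}\n  routes to       : {route_path(uri)}\n"
              f"  naive bypass    : {is_bypass(uri, naive_is_public)}\n"
              f"  hardened bypass : {is_bypass(uri, hardened_is_public)}")
```

The point the demo makes is that the fix is not a longer deny-list of suffixes: the check must run on exactly the path the router will use, and "public" must be an explicit set of locations rather than a pattern on the request string. The URL-encoded variant (%3B.wadl) is included because the router decodes before routing, so a filter that matches the undecoded string is one more way for the two to disagree.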

Vulnerable Endpoints

Endpoint | Method | Purpose
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus | POST | Primary RCE vector (Groovy compile sink)
/iam/governance/applicationmanagement/templates | GET/POST | Application management templates

Exploitation Timeline

Aug 30 - Sep 9, 2025
Zero-Day Exploitation - SANS honeypots record multiple exploitation attempts from various IPs using same user-agent and 556-byte payloads
Oct 21, 2025
Patch Released - Oracle addresses vulnerability in October 2025 Critical Patch Update
Nov 21, 2025
CISA KEV Added - Added to Known Exploited Vulnerabilities catalog after exploitation validation
Dec 12, 2025
CISA Deadline - Federal agencies required to complete remediation
5. Detection

Indicators of Compromise

Malicious IP Addresses

The following IPs were observed in exploitation attempts (SANS ISC):

IP Address | Context
89.238.132.76 | Observed exploitation attempts (Aug-Sep 2025)
185.245.82.81 | Observed exploitation attempts (Aug-Sep 2025)
138.199.29.153 | Observed exploitation attempts (Aug-Sep 2025)
User-Agent Fingerprint
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Note: Chrome 60.x was released in 2017. This severely outdated browser version is anomalous in 2025 traffic and serves as a detection indicator.

Request Characteristics
Indicator | Value | Detection Method
URL Suffix | ;.wadl or ?WSDL (check URL-encoded forms such as %3B.wadl too) | WAF/proxy URL pattern match after decoding; any /iam/governance/ path carrying either suffix is suspicious regardless of HTTP method
HTTP Method | POST | Alert on POST requests to the groovyscriptstatus endpoint; combined with a bypass suffix this is high confidence
Request Size | ~556 bytes | Request body size. Standard combined-format access logs record response size only, so this needs proxy or WAF request-size logging; treat it as a secondary pivot, not a gate

Detection Queries

Splunk: Detect Authentication Bypass Attempts

Field names follow the Splunk CIM Web data model (url, http_method, http_user_agent, src, bytes_in); adjust them to your extraction. The first search flags the bypass suffix on any OIM governance path, whatever the method, because no legitimate client sends it; the second narrows to the RCE sink.

index=web_logs sourcetype=access_combined
| where match(url, "(?i)/iam/governance/.*(;\.wadl|\?WSDL)")
| stats count values(http_method) AS methods values(http_user_agent) AS agents min(_time) AS first_seen max(_time) AS last_seen BY src, url
| sort - count

index=web_logs sourcetype=access_combined http_method=POST
| where match(url, "(?i)/iam/governance/.*groovyscriptstatus")
| stats count BY src, url, http_user_agent

If your proxy records request size, append | where bytes_in >= 500 AND bytes_in <= 600 to the second search as a secondary filter. Standard access_combined logs carry only response bytes, so do not gate either search on it.
KQL (Microsoft Sentinel): OIM Exploitation Detection

CommonSecurityLog
| where RequestURL contains "/iam/governance/"
| where RequestURL matches regex @"(?i)(;\.wadl|\?WSDL)"
| summarize Attempts = count(), Methods = make_set(RequestMethod), Agents = make_set(RequestClientApplication), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIP, RequestURL
| order by Attempts desc

To isolate the RCE sink, add | where RequestURL has "groovyscriptstatus" and RequestMethod == "POST" before the summarize. Whether the 556-byte request body lands in SentBytes or ReceivedBytes depends on the connector's direction convention, so use it as a pivot during triage rather than as a filter.
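The request characteristics above, applied to access-log lines as an added Python example that is not part of the advisory or of any vendor tooling. The log lines are constructed for illustration (the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for benign clients); the IPs in KNOWN_IPS and the user-agent string are the IOCs listed in this advisory. The script deliberately omits the 556-byte size check, because combined-format access logs record response size, not request body size.

```python
"""Added example (not from the advisory): flag the CVE-2025-61757 request
patterns in combined-format web-server/proxy access logs. Sample lines are
constructed; the IPs and user-agent are the IOCs listed in the advisory."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SUFFIX_BYPASS = re.compile(r"(?i);\.wadl|\?wsdl")  # the two published bypass suffixes
GROOVY_ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
STALE_CHROME = re.compile(r"Chrome/60\.0\.3112\.113")
KNOWN_IPS = {"89.238.132.76", "185.245.82.81", "138.199.29.153"}


def canonical_path(uri: str) -> str:
    """Drop the query string and any ';matrix' parameters so the suffixed and
    plain forms of an endpoint compare equal."""
    path = unquote(uri.split("?", 1)[0])
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it is not a combined-format
    line or matches nothing. Tags are ordered from strongest to weakest signal."""
    m = COMBINED.match(line)
    if not m:
        return None
    uri, tags = m["uri"], []
    path = canonical_path(uri)
    if path.startswith("/iam/") and SUFFIX_BYPASS.search(unquote(uri)):
        tags.append("suffix-bypass")   # no legitimate client appends these to OIM APIs
    if m["method"] == "POST" and path == GROOVY_ENDPOINT:
        tags.append("groovy-post")     # the RCE sink; legitimate only for authenticated admins
    if STALE_CHROME.search(m["ua"]):
        tags.append("stale-ua")        # trivially spoofed: corroborating signal only
    if m["ip"] in KNOWN_IPS:
        tags.append("known-ip")        # honeypot-observed sources, likely ephemeral
    if not tags:
        return None
    severity = "high" if "suffix-bypass" in tags else "medium" if "groovy-post" in tags else "low"
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "uri": uri,
            "status": m["status"], "tags": tags, "severity": severity}


def scan(log_text: str) -> list:
    """All findings in a log, in file order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def sources(findings) -> Counter:
    """Findings per source IP, the pivot an analyst would block or hunt on."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
89.238.132.76 - - [02/Sep/2025:14:03:11 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 87 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
203.0.113.7 - - [02/Sep/2025:14:05:42 +0000] "GET /iam/governance/applicationmanagement/templates?WSDL HTTP/1.1" 200 1422 "-" "curl/8.4.0"
198.51.100.21 - - [02/Sep/2025:14:06:01 +0000] "GET /identity/faces/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/118.0.0.0 Safari/537.36"
198.51.100.21 - - [02/Sep/2025:14:07:30 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1" 200 87 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/118.0.0.0 Safari/537.36"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:6} {f['ip']:15} {f['method']} {f['uri']}  {f['tags']}")
    print("by source:", dict(sources(found)))
```

Run it against a real log with scan(open(path).read()). Findings tagged suffix-bypass deserve immediate triage whatever the method or status; groovy-post on its own is an administrator's legitimate action until shown otherwise; stale-ua and known-ip only add weight and should never be the sole reason for an alert.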
6. Remediation
PATCH IMMEDIATELY
Active zero-day exploitation is confirmed and the CISA KEV deadline is December 12, 2025. Apply the October 2025 Critical Patch Update before any of the compensating controls below; they narrow exposure but do not remove the flaw.

Patching Guidance

Product | Current Version | Action Required
Oracle Identity Manager | 12.2.1.4.0 | Apply October 2025 CPU
Oracle Identity Manager | 14.1.2.1.0 | Apply October 2025 CPU

Immediate Mitigations

If patching cannot be completed immediately, implement these compensating controls:

WAF Rule: Block Authentication Bypass Suffixes
# Block the two published bypass suffixes on any OIM governance path.
# REQUEST_URI carries the query string, so ?WSDL is visible here. The
# transformations decode %3B/%3F forms and lower-case the URI before the
# match, which is why the pattern is written in lower case.
SecRule REQUEST_URI "@rx /iam/governance/.*(?:;\.wadl|\?wsdl)" \
    "id:2025617571,\
     phase:1,\
     deny,\
     status:403,\
     log,\
     t:none,t:urlDecodeUni,t:lowercase,t:removeNulls,\
     msg:'CVE-2025-61757 - OIM Auth Bypass Attempt'"
This blocks only the two suffixes that have been published; it is a stopgap until the CPU is applied, not a substitute for it. If legitimate clients fetch WADL descriptors through the same proxy, run the rule in log-only mode briefly before switching it to deny.
Network ACL: Block Known Malicious IPs
# Sources observed by SANS ISC honeypots in Aug-Sep 2025. Attack infrastructure
# rotates quickly, so this is hygiene rather than protection; the WAF rule and
# network restriction of the OIM interfaces matter far more.
iptables -A INPUT -s 89.238.132.76 -j DROP
iptables -A INPUT -s 185.245.82.81 -j DROP
iptables -A INPUT -s 138.199.29.153 -j DROP

Additional Hardening

  • Restrict OIM Management Access: Limit access to OIM administrative interfaces to trusted networks only
  • Enable Enhanced Logging: Configure verbose logging for REST API access attempts
  • Monitor Groovy Endpoint: Alert on any POST requests to groovyscriptstatus endpoint
  • User-Agent Filtering: Alert on requests carrying the Chrome 60.x user-agent at the edge. Blocking on user-agent alone is trivial to evade and may break legitimate legacy clients, so use it for triage rather than as a control
  • Constrain POST Size: Limit POST request body size to OIM endpoints where practical
Critical Warning
This vulnerability is particularly dangerous because of its simplicity compared to typical Oracle CVEs: an unauthenticated HTTP POST with a crafted URL suffix and a Groovy body, with no memory corruption and no deserialization gadget chain. Exploitation began in late August 2025, roughly seven weeks before the October 21 patch, so any Internet-reachable OIM instance exposed during that window should be treated as potentially compromised even if it has since been patched. Patching closes the entry point; it does not remove accounts, workflows, or backdoors already planted. Conduct a forensic review before declaring the system clean.

Post-Compromise Actions

If exploitation is suspected or confirmed:

  1. Audit all OIM accounts - Check for unauthorized privileged account creation
  2. Review provisioning workflows - Identify any tampered identity workflows
  3. Check connected systems - Audit AD, LDAP, and integrated SaaS platforms for unauthorized changes
  4. Review WebLogic and OIM logs - Look for unexpected deployments, new or modified JSP/class files under the domain directory, and child processes spawned by the managed-server JVM, the usual footprints of a web shell or backdoor dropped via RCE
  5. Reset credentials - Rotate OIM and WebLogic administrative passwords, and the service-account credentials OIM stores in its IT resource / connector definitions for AD, LDAP, and SaaS targets, since a host compromise exposes them
  6. Forensic investigation - Assess lateral movement and data exfiltration

Detect Oracle Identity Manager Exploitation with BRACE

BRACE delivers monthly sector-specific threat intelligence covering enterprise identity attacks:

  • Oracle Fusion Middleware exploitation detection rules
  • Authentication bypass hunting playbooks
  • Groovy/WebLogic RCE indicators
  • Identity system compromise signatures

